tag:blogger.com,1999:blog-291736772024-03-07T16:49:07.791-08:00Conor's Web Log of EsotericaHey, I just happen to have an opinion or two...Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.comBlogger268125tag:blogger.com,1999:blog-29173677.post-5766616731707661452010-06-12T06:03:00.000-07:002010-06-12T06:43:49.628-07:00Rethinking analysis of Google's AP data capture<p>In "<a href="http://www.identityblog.com/?p=1121"><span style="font-style:italic;">Rethink things in light of Google's Gstumbler report</span></a>," <a href="http://www.identityblog.com/">Kim Cameron</a> asks that we rethink our analysis of <a href="http://www.google.com">Google</a>'s wireless data capture in light of the <a href="http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf">third-party analysis of the gstumbler data capture software</a>. In particular, he seems to have a fondness for the phrases "wrong," "completely wrong," and "wishful thinking" when referring to my comments on the topic. In my defense, I will say that there was no "wishful thinking" going on in my mind. I was just examining the published information rather than jumping to conclusions -- something that I will <span style="font-weight:bold;">always</span> advocate. In this case, after examining the published report, it does appear that those who jumped to conclusions happened to be closer to the mark, but I still think they were wrong to jump to those conclusions until the actual facts had been published.</p>
<p>I read through the entire report and have to say that the information in the report is quite different from the information that had been published at the time I expressed my opinions on the events at hand. The differences include:</p>
<ol>
<li>We had been led to believe that Google had only captured data on open wireless networks (networks that broadcast their SSIDs and/or were unencrypted). The analysis of the software shows that to be incorrect -- Google captured data on every network regardless of the state of openness. So no matter what the user did to try to protect their network, Google captured data that the underlying protocols required to be transmitted in the clear.</li>
<li>We had been led to believe that Google had only captured data from wireless access points (APs). Again the analysis shows that this was incorrect -- Google captured data from any device whose wireless traffic it was able to capture (AP or user device). So portable devices that were transmitting as the Street View vehicle passed would have had their data captured.<br>
<p>One factor that is potentially in the user's favor is that the typical wireless configuration would encourage portable devices to transmit at just enough power for the AP to hear them (devices on wireless networks do not talk directly to each other). Depending upon the household configuration, it is possible (probable?) that a number of devices would not be transmitting strongly enough to be detected from a vehicle out in the middle of the street. However, if Google had a big honking antenna on the vehicle with lots of gain in the right frequencies, it could have detected every device within the house.</p></li>
</ol>
<p>Given this <span style="font-weight:bold;">new</span> information I would have to agree that Google has clearly stepped into the arena of doing something that could be detrimental to the user's privacy.</p>
<p>That said, however, we need to be a little careful about the automatic assumption that the intent was to put all of this data into some global database. In fact, the way the data was captured -- the header of every data packet was captured, many of which would contain duplicate information -- makes it clear that Google intended to do some post-processing of the data. One could hope that they would use this post-processing step to restrict the data making it into any general, world-wide database. Of course, we don't know whether or not they would do this and even if they would, they still have that raw data capture which contains information that could clearly be used to the user's detriment.</p>
<p>In addition, the fact that we know Google did this doesn't mean that others aren't doing this (or haven't already done it) without publicizing that they have done so -- especially those who do intend to use this information for nefarious purposes.</p>
<p><span style="font-weight:bold;">We should take this incident as a wake-up call to start building privacy into the foundations of our programs and protocols</span>.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
/ <a href="http://technorati.com/tag/google" rel="tag">google</a>
/ <a href="http://technorati.com/tag/ssid" rel="tag">SSID</a>
/ <a href="http://technorati.com/tag/gstumbler" rel="tag">Gstumbler</a>
</span></p><div class="blogger-post-footer"><FONT size="1">
<B>
These comments are purely those of Conor P. Cahill
and do not represent the views of any company he
now works for or has ever worked for in the past.
</B>
</FONT>
</div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-40024862808683099612010-06-07T08:47:00.001-07:002010-06-12T06:43:54.111-07:00Kim vs. Google summary...<p>As <a href="http://www.identityblog.com/">Kim</a>'s and my <a href="http://www.identityblog.com/?p=1113">ongoing blog discussion</a> seems to have gone off on various tangents (what some might call "<i>rat holes</i>"), I thought it best to try to bring things together in a single summary (which I'm sure will generate more tangents).</p>
<p>Let's list some of the facts/opinions that have come out in the discussion:</p>
<ol>
<li>MAC addresses typically are persistent identifiers that by the definition of the protocols used in wireless APs can't be hidden from snoopers, even if you turn on encryption.</li>
<li>By themselves, MAC addresses are not all that useful except to communicate with a local network entity (so you need to be nearby on the same local network to use them).</li>
<li>When you combine MAC addresses with other information (locality, user identity, etc.) you can be creating worrisome data aggregations that when exposed publicly could have a detrimental impact on a user's privacy.</li>
<li>SSIDs have some of these properties as well, though the protocol clearly gives the user control over whether or not to broadcast (publicize) their SSID. The choice of the SSID value can have a substantial impact on its use as a privacy-invading value -- a generic value such as "home" or "linksys" is much less likely to be a privacy issue than "ConorCahillsHomeAP".</li>
<li><a href="http://www.google.com">Google</a> purposely collected SSID and MAC Addresses from APs which were configured in SSID broadcast mode and inadvertently collected some network traffic data from those same APs. Google <b>did not</b> collect information from APs configured to not broadcast SSIDs.</li>
<li>Google associated the SSID and MAC information with some location information (probably the GPS vehicle location at the time the AP signal was strongest).</li>
<li>The AP protocol defines no means to differentiate between open wireless hotspots and closed hotspots which broadcast their SSIDs.</li>
<li>I have not found out if Google used the encryption status of the APs in its decision about recording the SSID/MAC information for the AP.</li>
</ol>
<p>Now we get to the point where there are differences of opinion.</p>
<ol>
<li>Kim believes that since there's no way for the user to configure whether or not to expose their MAC address and because the association of the MAC address to other information could be privacy invasive, that Google should not have collected that data without express user consent to do so and that in this case Google did not have user consent.<br>
<p>I believe that Google's treatment of the user's decision to broadcast their SSID as an implicit consent for someone to record that SSID and the associated MAC address is a valid and reasonable interpretation. If the user doesn't want their SSID and MAC address collected, they should configure their system to not broadcast their SSID.</p>
<p>Yes, even with the SSID broadcast turned off, some other party can easily determine the AP's MAC address and this would clearly have potential negative impacts on the user's privacy, but that's a technical protocol issue, not Google's issue, since they clearly interpreted SSID silence to be a user's decision to keep their information private and respected that decision.</p></li>
<li>In "<a href="http://www.identityblog.com/?p=1111">What harm can come from a MAC address?</a>" Kim seems to argue that because there's some potential way for an entity to abuse a piece of data, any and all uses of that data should be prohibited. So, because an evil person could capture the mac address of your phone and then drive along the neighborhood to find that mac address and therefore find your home, any use of mac addresses other than their original intent is evil and should be outlawed.<br>
<p>I believe that it's much better to outlaw what would clearly be illegal activity rather than trying to outlaw all possible uses. So, in this particular case, the stalker should be prohibited from using *any* means to track/identify users with the intent of committing a crime (or something like that).</p>
<p>Blindly prohibiting all uses will block useful features. For example, giving my device a means of establishing a location of where it is to obtain some location services without revealing to me the basis for that location is a useful feature that I have made use of on my iPhone and I don't believe that I've violated anyone's privacy in using this type of information to know where I am (to do things such as get a list of movies playing at the nearest theatre via the Fandango application).</p></li>
<li>Kim doesn't seem to have responded at all to my criticism of the privacy advocates failing to use this case as a learning experience for users to help them configure their APs in a way that best protects their privacy.</li>
</ol>
<p>In summary, I do agree that MAC addresses could be abused if associated with an end-user and used for some nefarious purpose. However, I don't believe that Google was doing either of these.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
/ <a href="http://technorati.com/tag/google" rel="tag">google</a>
/ <a href="http://technorati.com/tag/ssid" rel="tag">SSID</a>
</span></p><div class="blogger-post-footer">
</div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com5tag:blogger.com,1999:blog-29173677.post-70043122305283779272010-06-06T08:22:00.000-07:002010-06-06T08:59:00.420-07:00House numbers vs SSIDsIn "<a href="http://www.identityblog.com/?p=1108">Are SSIDs and mac addresses like house numbers?</a>" <a href="http://www.identityblog.com/">Kim Cameron</a> argues against my characterization of SSIDs and mac addresses as being like house numbers:
<blockquote>
<p>Let’s think about this. Are SSIDs and MAC addresses like house numbers?</p>
<p>Your house number is used - by anyone in the world who wants to find it - to get to your house. Your house was given a number for that purpose. The people who live in the houses like this. They actually run out and buy little house number things, and nail them up on the side of their houses, to advertise clearly what number they are.</p>
<p>So let’s see:</p>
<ol>
<li>Are SSIDS and MAC addresses used by anyone in the world to get through to your network? No. A DNS name would be used for that. In residential neighborhoods, you employ a SSID for only one reason - to make it easier to get wireless working for members of your family and their visitors. Your intent is for the wireless access point’s MAC address to be used only by your family’s devices, and the MACs of their devices only by the other devices in the house.</li>
<li>Were SSIDS and MAC addresses invented to allow anyone in the world to find the devices in your house? No, nothing like that.</li>
<li>Do people consciously try to advertise their SSIDs and MAC addresses to the world by running to the store, buying them, and nailing them to their metaphorical porches? Nope again. Zero analogy.</li>
</ol>
<p><strong>So what is similar? Nothing.</strong> </p>
<p>That’s because house addresses are what, in Law Four of the <a href="http://www.identityblog.com/wp-content/images/2009/06/7_Laws.htm">Laws of Identity</a>, were called “universal identifiers”, while SSIDs and MAC addresses are what were called “unidirectional identifiers” - meaning that they were intended to be constrained to use in a single context. </p>
<p>Keeping “unidirectional identifiers” private to their context is essential for privacy. And let me be clear: I’m not referring only to the privacy of individuals, but also that of enterprises, governments and organizations. Protecting unidirectional identifiers is essential for building a secure and trustworthy Internet.</p>
</blockquote>
<p>This argument confuses <b>house address</b> with <b>house number</b>. A <i>house number</i> is <b>not</b> usable as a universal identifier (I presume that there are many houses out there with the number 15, even in the same town, many times even on the same street in the same zip code, where the only difference is the N.W. or S.E. on the end of the street name).</p>
<p>Like SSIDs and mac addresses, the house number is only usable as an identifier once you get to the neighborhood and very often only once you get to the street.</p>
<p>People choose to advertise SSIDs so they themselves and others will have an easy time connecting to their network once they are within range of the AP - as evidenced by <a href="http://paranoidmike.blogspot.com/">Mike's</a> <a href="http://conorcahill.blogspot.com/2010/06/privacy-theatre.html?showComment=1275667112308#c8176159072137723242">comment on my previous article</a> (and the reason why I have chosen to configure my SSID as broadcast). Yes, many people don't know enough to make that decision and perhaps sometimes choose to do what others might consider a wrong thing, but that's part of my issue with the wireless AP industry and with the privacy folks not using this as a good educational example.</p>
<P>So while people don't need to go to the hardware store to buy the number to put up on their house, they can, and many do, choose the electronic equivalent when they setup their AP.</P>
<p>House numbers are very much unidirectional identifiers used within the context of a given address (street, city, state, country, postal code), just as SSIDs and MAC addresses are.</p>
<P>I will admit that there are some differences with the mac address because of how basic Ethernet networking was designed. The mac address is designed to be unique (though, those in networking know that this isn't always the case and in fact most devices let you override the mac address anytime you want). So this could be claimed to be some form of a universal identifier. However, it's not at all usable outside of the local neighborhood. There is no way for me to talk to a particular mac address unless I am locally on the same network with that device.</P>
<p>I do believe that a more privacy-enabled design of networking would have allowed for scenarios where mac addresses were more dynamic, thus reducing the universality and persistence of the mac address itself. However, that's an issue for network design and I don't think that what Google did was a substantial privacy issue for the user.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
/ <a href="http://technorati.com/tag/google" rel="tag">google</a>
/ <a href="http://technorati.com/tag/ssid" rel="tag">SSID</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com1tag:blogger.com,1999:blog-29173677.post-36426205419512657232010-06-04T04:26:00.000-07:002010-06-04T05:34:00.785-07:00Privacy Theatre<p>In a series of <a href="http://www.identityblog.com/?p=1107">blog articles</a>, <a href="http://www.identityblog.com/">Kim Cameron</a> and <a href="http://twitter.com/benadida">Ben Adida</a> discuss Google's capturing of open access point information as part of its <a href="http://maps.google.com/streetview/">Street View</a> project.</p>
<p>Kim's assertion that Google was wrong to do so is based upon two primary factors:</p>
<ul>
<li>Google intended to capture the SSID and mac address of the access points</li>
<li>SSIDs and mac addresses are persistent identifiers</li>
</ul>
<p>And it seems that this has at least gotten Ben re-thinking his assertion that this was all about privacy theater and even him giving Kim a get-out-of-jail-free card.</p>
<p>While I agree that Kim's asserted facts are true, I disagree with his conclusion.</p>
<ul>
<li>I don't believe Google did anything wrong in collecting SSIDs and mac addresses (capturing data, perhaps). The SSIDs were configured to *broadcast* (to make something known widely). However, SSIDs and mac addresses are local identifiers more like house numbers. They identify entities within the local wireless network and are generally not re-transmitted beyond that wireless network. </li>
<li>I don't believe that what they did had an impact on the user's privacy. As I pointed out above, it's like capturing house numbers and associating them with a location. That, in itself, has little to do with the user's privacy unless something else associates the location with the user.</li>
<li>I hold the wireless AP industry responsible for the fact that many users don't have their APs set up in SSID stealth and data encrypted mode. The AP industry should have designed things so that they were encrypted by default with hidden SSIDs and required the user to do something to create an open network if they wanted to. </li>
<li>The user has to assume some responsibility here, though I really don't expect my mother to know how to configure encryption on an AP (nor do I expect her to know enough to know it's necessary). So I'm back to the AP industry.</li>
<li>And, perhaps most of all, I fault the various privacy pundits and all the news outlets who did not take this as an opportunity to teach the users and the industry about how to protect their data. Not one report that I read/saw went into any detail on how the user could protect themselves (and if they still broadcast their SSIDs and leave their network unencrypted, they are open to much worse attacks than Google capturing their SSID & mac address).</li>
</ul>
<p>Perhaps my view is contrarian for one who is somewhat active on the privacy side. However, I think it is a much more pragmatic view that will ultimately bring value to the user far beyond giving Google a hard time for capturing SSIDs and mac addresses which have little privacy value (in my opinion).</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
/ <a href="http://technorati.com/tag/google" rel="tag">google</a>
/ <a href="http://technorati.com/tag/ssid" rel="tag">SSID</a>
</span></p><div class="blogger-post-footer">
</div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com6tag:blogger.com,1999:blog-29173677.post-15192687742064792542010-01-23T05:00:00.000-08:002010-01-23T05:27:35.256-08:00Consent for my own software to look at my data???<p>Here in the US (and I presume elsewhere) the annual rite of passage of doing one's taxes is upon us yet again. Once you've done something crazy like getting married, having kids or buying a house, the whole process gets more and more complicated as you try to minimize the amount of taxes you owe Uncle Sam.</p>
<p>I've always done my own taxes and for the past 10 or 15 years, I've used <a href="http://www.intuit.com">Intuit's</a> <a href="http://turbotax.intuit.com/">Turbo Tax</a> software to do so. I still can't bring myself to do the taxes online -- I can't help feeling that there's just something wrong about not keeping that data in house.</p>
<p>Anyway, yesterday I installed TurboTax to start working on my 2009 taxes (yeah, I'm a bit early, but I like to do it piecemeal as I receive tax reports and have spare cycles here and there).</p>
<p>Following the installation, I was prompted with the following consent screen:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4Srn5S1am3Rl9FJlvP9W9wMAsDe2LPCXASY6GIAQgBch-cFtLufubWqaaREShME5Exc-fgR8JPl1tt-4sxRuPPrDgiPfmom4bmxeZh1H2_qH4gudPwc_rqYa8mX4-l7QVJgm/s1600-h/TurboTaxConsent.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 398px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4Srn5S1am3Rl9FJlvP9W9wMAsDe2LPCXASY6GIAQgBch-cFtLufubWqaaREShME5Exc-fgR8JPl1tt-4sxRuPPrDgiPfmom4bmxeZh1H2_qH4gudPwc_rqYa8mX4-l7QVJgm/s400/TurboTaxConsent.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5429920051553848130" /></a>
<p>If you look carefully, essentially the screen is asking if you give consent to release data to Intuit so that they can figure out whether they should offer you extra paid tax preparation services (paid out of your return) and/or a chance for you to get some portion of your return on a debit card. So they want to use the information on your return to market additional services to you.</p>
<p>What isn't clear to me from the disclosure is: are you actually giving the information to Intuit (in other words, is it being transferred to an Intuit server off-system) or is the consent about the software that you've purchased and installed on your computer looking at the data locally?</p>
<p>If the former, then I think that they should explicitly say that the data is being transferred to an Intuit server as that isn't clear in the disclosure.</p>
<p>If the latter, why the heck is that necessary. It's my software that I purchased and it's keeping the data locally on my system. Intuit never sees the data unless I specifically send it to them for one reason or another. If this is really required by law, how does that match up with the <a href="http://financialplan.about.com/cs/taxes/a/TaxRefundLoans.htm">"instant refund" or "refund anticipation loans"</a> offered by the likes of <a href="http://www.hrblock.com">H&R Block</a> or <a href="http://www.jacksonhewitt.com/">Jackson Hewitt</a>? Do they have to get you to sign a similar consent form before they can "notice" that you're getting a loan and offer to give it to you instantly (at great cost to you, of course)?</p>
<p>Even if it is the crazy latter situation, the consent should clearly state that the data is not leaving the system, that it is only being used by the software I just installed.</p>
<p>In any case, I did not consent to any data release... I'll wait for my money to show up when it shows up (assuming I even get a refund, which isn't always the case).</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/taxes" rel="tag">taxes</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
/ <a href="http://technorati.com/tag/intuit" rel="tag">Intuit</a>
/ <a href="http://technorati.com/tag/turbotax" rel="tag">TurboTax</a>
</span></p><div class="blogger-post-footer">
</div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-55711608929773373882010-01-10T13:43:00.000-08:002010-01-15T18:07:12.313-08:00Setting up a new ubuntu server<p>I've been running my own mail server for close to 20 years... Through the
years, I've gone from Interactive Unix (how many of you remember that one!) to
<a href="http://www.redhat.com/">Red Hat Linux</a> to <a href="http://fedoraproject.org/">Fedora Linux</a> and now I'm moving to <a href="http://www.ubuntu.com/">Ubuntu</a> (in
part thanks to the strong recommendations I've gotten from friends, especially <a href="http://blog.superpat.com/">Pat Patterson</a>).</p>
<p>I host several services on my server and because we're at the end of a
relatively slow pipe, I use a dedicated server hosted at
<a href="http://www.superbhosting.net/">Superb Hosting</a>. I use a
dedicated server rather than the more typical web hosting or shared hosting
because it gives me better control over my services and because I host
a bunch of email domains for friends (some of which I simply forward to
their current ISP and some who actually get their mail from my system).</p>
<p>So, I needed to set up the following services on my server:</p>
<ul>
<li>DNS services for the 12 or so domains I manage (2 of my own and
the rest friends & family).</li>
<li>Web server for my personal site.</li>
<li>Email services for something like 12 domains as well.</li>
</ul>
<p>Sounds simple, doesn't it?</p>
<p>Well, it wasn't that simple, but mostly because a) I was learning new
ways that things are done on Ubuntu vs Fedora, b) the tweaks of how I want
to do things typically involve manual configuration changes that aren't
always easily discerned from reading the man pages, and c) I like to
understand the why as well as the how when doing administrative stuff so
I spend a lot of time reading/reviewing/searching as I make my changes.</p>
<p>BTW - I'm not only willing, but actually want to do this so that I
can keep my hands a bit dirty (and maintain some basic understanding of
the current technologies used on servers). At work, they keep my grubby
little hands far away from the system administration side of the house.</p>
<p>Anyway, I thought it would be useful to document what I went through as
I set up the server as it may help others trying to do the same things.</p>
<p>One note about the commands shown below: I logged in as <i>root</i> to do
the configuration, so you don't see "<b>sudo</b> <i>(command)</i>" for all
of the various commands. Some would say this might be a more dangerous
way to configure the system and I would agree for onsey twosey administrative
commands. However, for a long term session where you're doing <b>nothing</b>
other than administrative commands, <i>sudo</i> just gets in the way. And
yes, you need to be careful when you're logged in as <i>root</i>.</p>
<p>The following sections are presented below:</p>
<ul>
<li><a href="#OSUpdates">OS Updates</a></li>
<li><a href="#Miscellaneous">Miscellaneous Tools</a></li>
<li><a href="#Firewall">Firewall</a></li>
<li><a href="#Backup">Backup</a></li>
<li><a href="#Bind9">Bind 9 (DNS Server)</a></li>
<li><a href="#WebServer">Web Server</a></li>
<li><a href="#Proxies">Proxies</a></li>
<ul>
<li><a href="#Proxies_Socks5">Socks 5 Proxy</a></li>
<li><a href="#Proxies_WebProxy">Web (HTTP/HTTPS) Proxy Server</a></li>
</ul>
<li><a href="#MailServer">Mail Server </a></li>
<ul>
<li><a href="#MailServer_Clients">Mail Clients</a></li>
<ul>
<li><a href="#MailServer_Clients_SSL">Secure Sockets Layer (SSL)</a></li>
<li><a href="#MailServer_Clients_imap">IMAP and POP</a></li>
<li><a href="#MailServer_Clients_smtp">Authenticated SMTP</a></li>
<li><a href="#MailServer_Clients_web">Web Server Mail Client</a></li>
</ul>
<li><a href="#MailServer_Spam">SPAM Filtering</a></li>
<li><a href="#MailServer_Switch">The Switchover</a></li>
</ul>
</ul>
<hr />
<h2 id="OSUpdates">OS Updates</h2>
<p>First step with any new system is to ensure that I have the latest
and greatest software installed -- this is especially important on an
internet visible server.</p>
<p>This involved running the following commands:</p>
<blockquote>
<pre>
apt-get update # to update the apt-get configuration/data files
apt-get dist-upgrade # to upgrade all installed packages to latest versions
</pre>
</blockquote>
<p>This made sure I had the latest patches for this release of the OS.
However, I wanted also to make sure I had the latest OS version. For
Ubuntu, they have two development lines for servers: a somewhat frequently
changing/evolving line and a more stable Long Term Support (LTS) line.
Both lines get security patches regularly but LTS gets them for several years
longer while the fast changing line will more frequently require you to
upgrade to the latest OS version for patches.</p>
<p>Given what I do with the server, using the LTS line is the right thing
for me to do (which is the version that was installed by my provider). So
I ran the following commands to ensure I had the latest version:</p>
<blockquote>
<pre>
apt-get install update-manager-core
do-release-upgrade
</pre>
</blockquote>
<p>Which reported that there was "<i>No new release found</i>", which is
correct as 8.04 LTS is the latest LTS.</p>
<p>If, on the other hand, I wanted the latest OS rev (not just the latest
LTS OS rev), I could have edited the file: </p>
<blockquote>
<pre>
/etc/update-manager/release-upgrades
</pre>
</blockquote>
<p>and changed the line "<i>Prompt=lts</i>" to "<i>Prompt=normal</i>"
</p><hr />
<h2 id="Miscellaneous">Miscellaneous Tools</h2>
<p>As I went through the installation and setup, I found a number of tools
were missing that I had to install to do the things I wanted to do, so I'll
list them here...</p>
<ol>
<li><b>System V Configuration files</b>
<p>I like to use the System V commands for managing the system (including the
<i>service</i> command to start/stop init.d services).</p>
<blockquote>
<pre>apt-get install sysvconfig</pre>
</blockquote>
</li>
<li><b>Make</b>
<p>I use a lot of Makefiles for managing the build and installation of software
and packages. I was a bit surprised that my server didn't include that by
default, but I presume that was because it is a server and doesn't have the
development system installed either. </p>
<blockquote>
<pre>apt-get install make</pre>
</blockquote>
</li>
</ol>
<hr />
<h2 id="Firewall">Firewall</h2>
<p>First thing to do is get the firewall up and running. While I plan
to tightly control which services are exposed on which ports, I still
feel much more comfortable having an explicit list of ports which are
accessible from the internet at large. I also like to set up and test
services locally while they are still blocked (including only opening up
access from my own systems so I can even do remote testing without worrying
about others getting into the server while it is a work-in-progress).</p>
<p>I use an iptables based firewall that is manually configured for the
system. I've been using pretty much the same setup for years though I
continuously tweak it. The script is written as an init.d service script
so that I can install it there and have it run automatically at system
startup. </p>
<p>In addition to the typical port protections, I also keep a blacklist
of IPs for which I block all access to my server. Systems get on this
list when I see that they are trying to hack into my system via repeated
SSH login attempts.</p>
<p>The core iptables rules in the script include:</p>
<blockquote>
<pre>
#
# Create a new chain named "filter" (this excerpt shows the input side only)
#
iptables -N filter                    # add the new chain
#
# allow established connections
#
iptables -A filter -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# if there are any ports to be dropped
#
if [ -f "${FILE_DroppedPorts}" ]; then
    grep -v "^#" "${FILE_DroppedPorts}" | while read proto port
    do
        #
        # for non-blank lines
        #
        if [ x${proto} != x ]; then
            iptables -A filter -i eth0 -p ${proto} --dport ${port} -j DROP
        fi
    done
fi
#
# if there are any blocked IPs (one address per line; log, then drop)
#
if [ -f "${FILE_BlockedIPs}" ]; then
    grep -v "^#" "${FILE_BlockedIPs}" | while read ip
    do
        if [ x${ip} != x ]; then
            iptables -A filter -s ${ip} -j LOG
            iptables -A filter -s ${ip} -j DROP
        fi
    done
fi
#
# allow ssh to this host from anywhere
#
iptables -A filter -p tcp --dport ssh -j ACCEPT
#
# allow HTTP/HTTPS to this host
#
iptables -A filter -i eth0 -p tcp --dport http -j ACCEPT
iptables -A filter -i eth0 -p tcp --dport https -j ACCEPT
#
# allow SMTP, SMTPS and SMTP/TLS (submission, port 587) to this host
#
iptables -A filter -i eth0 -p tcp --dport smtp -j ACCEPT
iptables -A filter -i eth0 -p tcp --dport smtps -j ACCEPT
iptables -A filter -i eth0 -p tcp --dport 587 -j ACCEPT
#
# allow IMAPS & POP3S to this host
#
iptables -A filter -i eth0 -p tcp --dport 993 -j ACCEPT
iptables -A filter -i eth0 -p tcp --dport 995 -j ACCEPT
#
# Allow DNS lookups to this host, plus replies from other nameservers to
# our own lookups (the state rule above already matches tracked replies)
#
iptables -A filter -i eth0 -p tcp --dport domain -j ACCEPT
iptables -A filter -i eth0 -p udp --dport domain -j ACCEPT
iptables -A filter -i eth0 \
    -p udp --sport domain --dport 1024: -j ACCEPT
#
# allow outgoing ftp connections
#
iptables -A filter -p tcp --sport 21 \
    -m state --state ESTABLISHED -j ACCEPT
iptables -A filter -p tcp --sport 20 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A filter -p tcp --sport 1024: --dport 1024: \
    -m state --state ESTABLISHED -j ACCEPT
#
# let people ping us
#
iptables -A filter -p icmp -j ACCEPT
#
# Log all else
#
iptables -A filter -j LOG
#
# drop all else
#
iptables -A filter -j DROP
#
# hook the filter chain into INPUT so it sees all incoming transactions
#
iptables -A INPUT -j filter
</pre>
</blockquote>
<p>If you're interested, you can download the script and associated files
<a href="http://www.cahillfamily.com/files/firewall.tar.gz">here</a>.</p>
<p>Note that at this point, while I'm setting up the system, many of those
ports opened above are commented out and then, as I install the various
components (such as Apache2), I open the respective port.</p>
<p>Once completed, I installed the script in <i>/etc/init.d</i> using
the <i>install</i> directive in my <i>Makefile</i> (make
install) and then used the following command to set up the necessary
/etc/rc*.d files to ensure the firewall started as necessary when the system
was booted.</p>
<blockquote>
<pre>update-rc.d firewall defaults</pre>
</blockquote>
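<p>The blacklist described above is fed by hand; as an added example (not part of the firewall tarball linked above), the following script derives the blocked-IP file from repeated failed SSH logins in sshd's auth log, in the one-address-per-line layout the firewall script reads. The log format is OpenSSH's; the threshold, sample log lines and file name are my assumptions.</p>

```sh
#!/bin/sh
# Added example, not part of the firewall tarball: build the blocked-IP list
# read by the iptables script above (one address per line, "#" lines are
# comments) from repeated failed SSH logins in sshd's auth log.
# The threshold and the sample log are assumptions.

# Constructed sample of sshd auth.log lines (not a real capture). One source
# fails five times, one fails once and then logs in with a key, and one has
# a malformed address that must never reach an iptables command line.
SAMPLE_AUTH_LOG='Jan  9 03:12:01 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan  9 03:12:03 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan  9 03:12:05 srv sshd[2205]: Failed password for root from 203.0.113.7 port 41041 ssh2
Jan  9 03:12:07 srv sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 41052 ssh2
Jan  9 03:12:09 srv sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 41060 ssh2
Jan  9 03:15:44 srv sshd[2290]: Failed password for conor from 198.51.100.23 port 50211 ssh2
Jan  9 03:15:50 srv sshd[2292]: Accepted publickey for conor from 198.51.100.23 port 50211 ssh2
Jan  9 03:20:12 srv sshd[2310]: Failed password for invalid user guest from not.an.ip port 2222 ssh2
Jan  9 03:20:13 srv sshd[2311]: Failed password for invalid user guest from not.an.ip port 2223 ssh2
Jan  9 03:20:14 srv sshd[2312]: Failed password for invalid user guest from not.an.ip port 2224 ssh2'

# failed_ssh_sources <threshold>: read an auth log on stdin and print
# "<count> <ip>" for every source with at least <threshold> failed logins,
# most failures first. Only well-formed dotted-quad IPv4 addresses are
# printed, because each one is later interpolated into "iptables -s ...".
failed_ssh_sources() {
  awk -v min="$1" '
    function is_ipv4(s,    parts, n, j) {
      n = split(s, parts, ".")
      if (n != 4) return 0
      for (j = 1; j <= 4; j++)
        if (parts[j] !~ /^[0-9]+$/ || parts[j] + 0 > 255) return 0
      return 1
    }
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (is_ipv4(ip)) count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
  ' | sort -rn
}

# write_blocked_ips <threshold> <outfile>: write the list in the layout the
# firewall script expects. The reason for each entry goes on its own "#"
# line: the script does "while read ip", so anything after the address on
# the same line would be passed to iptables as extra arguments.
write_blocked_ips() {
  {
    echo "# blocked for repeated SSH login failures (threshold $1)"
    failed_ssh_sources "$1" | while read -r count ip; do
      echo "# $count failed logins"
      echo "$ip"
    done
  } > "$2"
}

# Stand-alone demo on the constructed sample with a threshold of 3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources 3
```

In use, the output file becomes the script's FILE_BlockedIPs and the firewall is re-run to load it.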
<hr />
<h2 id="Backup">Backup</h2>
<p>Whether or not we actually do it, we <b>all</b> know that we should be
backing up our systems and data. This is especially true for remote systems
where we don't have easy local access.</p>
<p>My hosting provider does have backup options, but they cost recurring
money that I don't want to spend if I don't have to. So, my solution is to
back up my remote server onto one of my home servers (where I have TBs of
space anyway).</p>
<p>Since I have a firewall at home, I have to do the backup across a two
step ssh tunnel similar to what I described in
<a href="http://conorcahill.blogspot.com/2006/11/backing-up-using-ssh-rsync.html">Backing up using SSH & Rsync</a>.
The first connection goes from my remote server to my firewall and the
second connection goes from the remote server through the first
connection to my backup server. I then rsync a number of directories
on the remote server to the backup server including:</p>
<blockquote>
<pre>/etc, /var, /usr/local, /home</pre>
</blockquote>
<p>For security reasons, I require private key authentication for this
connection on both my gateway and my backup server, I use a user account
which has no login shell and no home directory, and I configure things so
that the only service that can be accessed is rsync. Not perfect,
but it's good enough that I can get some sleep at night.</p>
<p>One problem with this setup is that the second ssh tunnel connects
to a port on localhost in order to establish the connection to the remote
system, which can be a problem if there are other ssh tunnels
set up similarly. To get around that, I add an alias for my backup server
to the <i>localhost</i> entry in the <i>/etc/hosts</i> file. So, rather than
connecting to <i>localhost</i>, the second tunnel connects to the host
<i>backup_server</i> and thus keeps all of the SSH host keys separate.</p>
<p>If you're interested, you can download a modified version (I removed any
credentials & system names) of the script from
<a href="http://www.cahillfamily.com/files/backup.sh">here</a>.</p>
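<p>One way to enforce the "rsync only" restriction mentioned above is a forced command on the backup account's key. The wrapper below is an added example and not the backup.sh linked here; the backup tree <i>/srv/backup/remote</i>, the wrapper's install path and the rsync argument shapes it accepts are my assumptions.</p>

```sh
#!/bin/sh
# Added example, not the post's backup.sh: a forced-command wrapper for the
# backup account on the home backup server, so the key the remote server
# uses can only run rsync's receiving side into one directory tree.
# The path /srv/backup/remote and the install location are assumptions.
#
# Matching authorized_keys entry for the backup account (one line):
#   command="/usr/local/bin/rsync-only /srv/backup/remote",no-pty,
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...

# rsync_command_allowed <backup_root> <requested_command>
# Prints 0 if <requested_command> (what sshd puts in SSH_ORIGINAL_COMMAND)
# is an rsync server invocation writing under <backup_root>, otherwise 1.
rsync_command_allowed() {
  root="$1"
  cmd="$2"
  case "$cmd" in
    # Only the server side of rsync may run; a shell, scp or an interactive
    # login (empty command) is refused.
    "rsync --server "*) ;;
    *) echo 1; return ;;
  esac
  case "$cmd" in
    # --sender would let the key read files off the backup server instead
    # of writing backups onto it.
    *" --sender "*) echo 1; return ;;
  esac
  case "$cmd" in
    # Defence in depth: the command is exec'd, never handed to a shell, but
    # rsync's server arguments never legitimately contain these characters.
    *";"* | *"&"* | *"|"* | *"<"* | *">"* | *'$'* | *'`'*) echo 1; return ;;
  esac
  # rsync's receiving-side command ends with the destination path; it must
  # be the backup root or something beneath it, with no traversal.
  target=${cmd##* }
  case "$target" in
    *"/../"* | *"/..") echo 1 ;;
    "$root" | "$root/"*) echo 0 ;;
    *) echo 1 ;;
  esac
}

# Entry point for sshd: <backup_root> comes from the authorized_keys line,
# the client's request from SSH_ORIGINAL_COMMAND. Refusals are logged.
rsync_only_main() {
  if [ "$(rsync_command_allowed "$1" "${SSH_ORIGINAL_COMMAND:-}")" = 0 ]; then
    set -f                        # no globbing while splitting the arguments
    set -- $SSH_ORIGINAL_COMMAND  # word-split the vetted command line
    shift                         # drop the leading "rsync"
    exec /usr/bin/rsync "$@"
  fi
  logger -t rsync-only "refused: ${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null
  exit 1
}

# Only act as the wrapper when invoked with a backup root argument, so the
# functions above can also be sourced and exercised on their own.
if [ $# -gt 0 ]; then
  rsync_only_main "$1"
fi
```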
<hr />
<h2 id="Bind9">Bind9 (DNS Server)</h2>
<p>I host DNS for most of the domains for which I host mail (a few of
my friends host their own DNS, but use my mail server). A long time
ago, I wrote a shell script that creates the necessary configuration
files for the set of domains I manage (which makes it easy to add new
domains which are following the same rules and makes it easy to change
things around when I change my configuration).</p>
<h3 id="bind9_prep">Preparation for the move</h3>
<p>Since nameserver changes can take some time to propagate through the
internet, this is the first service that I installed, configured and
exposed on the new system. In preparation for the move, I went to my
old nameserver and cranked down the caching settings for the domains
I hosted there in order to reduce the propagation time. My typical
settings are:
</p><blockquote>
<pre>
@ IN SOA mydomain.com. postmaster.mydomain.com. (
        2010010200 ; serial number
        86400      ; refresh every 24 hours
        3600       ; retry after an hour
        604800     ; expire after 7 days
        86400      ; keep 24 hours
)
</pre>
</blockquote>
<p>In preparation for the move, about a week in advance I
reduced these settings to:
</p><blockquote>
<pre>
@ IN SOA mydomain.com. postmaster.mydomain.com. (
        2010010800 ; serial number
        3600       ; refresh every hour
        1800       ; retry after a half hour
        7200       ; expire after 2 hours
        3600       ; keep 1 hour
)
</pre>
</blockquote>
<p>And finally, the day before the switch, I moved to:</p>
<blockquote>
<pre>
@ IN SOA mydomain.com. postmaster.mydomain.com. (
        2010010900 ; serial number
        1800       ; refresh every half hour
        1800       ; retry after a half hour
        600        ; expire after 10 mins
        600        ; keep 10 mins
)
</pre>
</blockquote>
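<p>The three-step timer reduction above, as an added example that is not the author's zone-generating script: it rewrites the SOA values of a zone in the layout shown and bumps the YYYYMMDDnn serial so secondaries notice the change. The zone fragment is constructed; the functions also lower the zone's <i>$TTL</i> to the new minimum, since caching resolvers use record TTLs for positive answers and the SOA minimum only for negative caching (RFC 2308).</p>

```sh
#!/bin/sh
# Added example, not the author's zone-generating script: lower the SOA
# timers of a zone file ahead of a nameserver move (the profiles given in
# the post) and bump the YYYYMMDDnn serial. Assumes the multi-line SOA
# layout used in the post; the zone content below is constructed.
ZONE_BEFORE='$TTL 86400
@ IN SOA mydomain.com. postmaster.mydomain.com. (
        2010010200 ; serial number
        86400      ; refresh every 24 hours
        3600       ; retry after an hour
        604800     ; expire after 7 days
        86400      ; keep 24 hours
)
@   IN NS ns1.mydomain.com.
www IN A  192.0.2.10'

# next_serial <current_serial> <YYYYMMDD>: the smallest serial that is both
# larger than the current one and >= <YYYYMMDD>00, so same-day edits get
# ..01, ..02 and a serial that already ran ahead of today is never lowered.
next_serial() {
  new=$(( $2 * 100 ))
  if [ "$new" -le "$1" ]; then new=$(( $1 + 1 )); fi
  echo "$new"
}

# soa_serial: print the serial of the zone on stdin (first value after the
# SOA line).
soa_serial() {
  awk '/[ \t]SOA[ \t]/ && /\(/ { insoa = 1; next }
       insoa && NF > 0 { print $1; exit }'
}

# rewrite_soa <serial> <refresh> <retry> <expire> <minimum>: copy the zone on
# stdin to stdout with the five SOA values replaced and $TTL set to the
# minimum (record TTL governs positive caching, SOA minimum negative caching).
rewrite_soa() {
  awk -v serial="$1" -v refresh="$2" -v retry="$3" -v expire="$4" -v minimum="$5" '
    BEGIN {
      val[1] = serial;  lbl[1] = "serial number"
      val[2] = refresh; lbl[2] = "refresh"
      val[3] = retry;   lbl[3] = "retry"
      val[4] = expire;  lbl[4] = "expire"
      val[5] = minimum; lbl[5] = "minimum (negative caching TTL)"
    }
    /^[$]TTL[ \t]/                 { print "$TTL " minimum; next }
    /[ \t]SOA[ \t]/ && /\(/        { print; insoa = 1; k = 0; next }
    insoa && NF > 0 && $1 != ")"   { k++; printf "        %-10s ; %s\n", val[k], lbl[k]
                                     if (k == 5) insoa = 0; next }
    insoa && $1 == ")"             { insoa = 0 }
                                   { print }
  '
}

# lower_soa_timers <YYYYMMDD> <refresh> <retry> <expire> <minimum>: apply one
# of the post's pre-move profiles to the zone on stdin with a fresh serial.
lower_soa_timers() {
  zone=$(cat)
  cur=$(printf '%s\n' "$zone" | soa_serial)
  printf '%s\n' "$zone" | rewrite_soa "$(next_serial "$cur" "$1")" "$2" "$3" "$4" "$5"
}

# Stand-alone demo: the "week before" profile from the post, dated 2010-01-08.
printf '%s\n' "$ZONE_BEFORE" | lower_soa_timers 20100108 3600 1800 7200 3600
```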
<h3 id="bind9_install">Installation and configuration</h3>
<p>I installed the nameservice daemon software and utilities using:</p>
<blockquote>
<pre>apt-get install bind9 dnsutils bind9-doc resolvconf</pre>
</blockquote>
<p>I then copied my setup files from the old server to the new server. The
way that <i>/etc/named.conf</i> is managed has changed. On my old server
all of the settings were in that one file. However, in Ubuntu, that
file is intended to be unchanged and the local options are supposed to
be placed into <i>/etc/named.conf.options</i> while the host references
are intended to be placed into <i>/etc/named.conf.local</i>. So I changed
my scripts to match the new model and modified the <i>Makefile</i> to
correctly install the new components.</p>
<p>I've always run my <i>named</i> (the nameservice daemon) within a
<a href="http://en.wikipedia.org/wiki/Chroot">chrooted</a> environment and
every time I do this I have to yet again figure out what pieces need to
be there in order to get things working. So this time, I wrote a
<a href="http://www.cahillfamily.com/files/CreateChroot.sh">CreateChroot.sh</a>
script and ran it to create the chroot environment for me (and now I don't
have to figure it out from scratch the next time!). In addition to creating
the chroot environment, I had to change the OPTIONS directive in
<i>/etc/default/bind</i> to include "-t /var/cache/bind" so that the
file now looks like:</p>
<blockquote>
<pre>
OPTIONS="-u bind -t /var/cache/bind"
#OPTIONS="-u bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
</pre>
</blockquote>
<p>In first setting up the new server, I made no changes other than to add
a new entry for my new server. So my new nameserver had pretty much the
same host entries that were on the old server. So I ran my script for
creating and installing my named configuration and restarted the bind9
service.</p>
<p>At this point, I opened the DNS TCP & UDP ports on my firewall so that
I could accept incoming nameservice requests. In order to test the service,
I went to my old server and used nslookup to test the new server:</p>
<blockquote>
<pre>
# nslookup
> server newns.mydomain.com
Default server: newns.mydomain.com
Address: 192.168.169.11#53
> www.mydomain.com
Server: newns.mydomain.com
Address: 192.168.169.11#53
Name: www.mydomain.com
Address: 192.168.169.11
> mail.mydomain.com
Server: newns.mydomain.com
Address: 192.168.169.11#53
Name: mail.mydomain.com
Address: 192.168.169.11
>exit
</pre>
</blockquote>
<p>This showed that things were working as I intended.</p>
<h3 id="Bind9_switch">The Switchover</h3>
<p>At this point, everything was ready to go, so I went to my domain
registry (<a href="http://www.networksolutions.com/">Network Solutions</a>)
and changed the host records for my nameservers to make the new nameserver
my primary dns server and my old server to be the secondary server.</p>
<p>This worked fine (though they warned me it could take 72 hours to
propagate) and I ran a bunch of tests from my home network, my work network
and my old server and everything was peachy keen.</p>
<hr />
<h2 id="WebServer">Web Server</h2>
<p>I run a web server for my own family web site. It's all hand-coded
html (yeah, kinda old fangled, but I haven't had the time, energy or
inclination to re-architect it). Setting it up on the new server was
pretty simple.</p>
<p>First step was to copy over the directory hierarchy from the old
server to the new server. Just tar'd it up and scp'd it over to
the new server and untar'd it within the <i>/home/www</i> directory.
</p><p>Next step involved getting apache2 installed...</p>
<blockquote>
<pre>apt-get install apache2</pre>
</blockquote>
<p>The configuration for the web servers is located in:
<i>/etc/apache2/sites-available</i>
which comes with a single <i>default</i> file. I renamed this file
to be <i>www.cahillfamily.com</i> (allowing for more sites at some point
in the future) and edited that file to match up the settings from the old
server.</p>
<h3 id="WebServer_ServerSideIncludes">Server Side Includes (SSI)</h3>
<p>SSI is a capability on the server which allows an html file to include
html from other files on the same web server. I use this feature extensively
to maintain a consistent menu structure by placing it in one file and
including it in all the html files on the server.</p>
<p>To enable this feature, I did the following:</p>
<ol>
<li>Set the <i>Includes</i> option within the configuration section for
my virtual host.</li>
<li>Set the <i>+XBitHack</i> option as well. This allows me to indicate
to the server that there's an include directive in the file by simply
setting the executable bit on the file (rather than having to have a
particular suffix on the html file).</li>
<li>Enabled mod-include by running the following command:
<blockquote>
<pre>a2enmod include</pre>
</blockquote>
</li>
</ol>
<hr />
<h2 id="Proxies">Proxies</h2>
<p>I run a few proxy servers on my remote server that I have found useful
when I'm behind some crazy firewalls or when an ISP has tight controls
on the number of outgoing connections -- I've run into ratcheted down
connection limits on my former home ISP
(<a href="http://www.roadstarinternet.com/">RoadStar Internet</a>) and
at some hotels while on the road. </p>
<p>So I set up the proxies on my remote server, SSH to the server and
then tunnel my services through that server.</p>
<p><b>WARNING</b>: You have to be very careful when you setup proxies
so that you don't end up creating an open proxy that others can use
to make it appear that bad things are coming from your server. If
you do set one up, do so carefully.</p>
<h3 id="Proxies_Socks5">Socks 5 Proxy</h3>
<p>Socks 5 is used for proxying many of my different Instant Messenger
connections (I have like 5 of them). For Ubuntu, the common/best one
seems to be the Dante-Server which I installed using:</p>
<blockquote>
<pre>apt-get install dante-server</pre>
</blockquote>
<p>I configured it to only allow connections from the local system (since
I will have an SSH tunnel to the server). This prevents others from using
it unless they have internal access to my server.
</p><blockquote>
<pre>
*** /etc/danted.conf.orig 2009-12-31 11:29:41.000000000 -0500
--- /etc/danted.conf 2009-12-31 11:39:16.000000000 -0500
***************
*** 37,43 ****
# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
#logoutput: syslog stdout /var/log/lotsoflogs
! logoutput: stderr
# The server will bind to the address 10.1.1.1, port 1080 and will only
# accept connections going to that address.
--- 37,43 ----
# the server will log both via syslog, to stdout and to /var/log/lotsoflogs
#logoutput: syslog stdout /var/log/lotsoflogs
! logoutput: syslog
# The server will bind to the address 10.1.1.1, port 1080 and will only
# accept connections going to that address.
***************
*** 45,54 ****
--- 45,58 ----
# Alternatively, the interface name can be used instead of the address.
#internal: eth0 port = 1080
+ internal: 127.0.0.1 port=1080
+
# all outgoing connections from the server will use the IP address
# 195.168.1.1
#external: 192.168.1.1
+ external: xx.yy.zzz.aaa
+
# list over acceptable methods, order of preference.
# A method not set here will never be selected.
#
***************
*** 57,66 ****
#
# methods for socks-rules.
! #method: username none #rfc931
# methods for client-rules.
! #clientmethod: none
#or if you want to allow rfc931 (ident) too
#method: username rfc931 none
--- 61,70 ----
#
# methods for socks-rules.
! method: username none #rfc931
# methods for client-rules.
! clientmethod: none
#or if you want to allow rfc931 (ident) too
#method: username rfc931 none
***************
*** 106,112 ****
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
! #extension: bind
#
--- 110,116 ----
# can be enabled using the "extension" keyword.
#
# enable the bind extension.
! extension: bind
#
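
Review bot: "extension: bind" is not needed for the localhost-only tunnelling this configuration is for. It enables Dante's non-standard bind extension, which lets a client bind a port on the server's external address and accept connections from any host rather than only from the peer named in the SOCKS BIND request; unless one of the IM clients actually relies on that, leave the line commented out so the proxy's reachable surface stays as small as possible.
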
***************
*** 162,167 ****
--- 166,178 ----
# method: rfc931 # match all idented users that also are in passwordfile
#}
+ #
+ # Allow any connections from localhost (they will get here via SSH tunnels)
+ #
+ client pass {
+ from: 127.0.0.1/32 port 1-65535 to: 0.0.0.0/0
+ }
+
# This is identical to above, but allows clients without a rfc931 (ident)
# too. In practise this means the socksserver will try to get a rfc931
# reply first (the above rule), if that fails, it tries this rule.
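
Review bot: a matching socks-rule is missing from what this hunk adds. "client pass" is a client-rule, which only decides who may connect to the proxy; Dante then evaluates a separate set of socks-rules ("pass"/"block" blocks without the "client" keyword) for every request, and a request that matches no socks-rule is blocked. Confirm that the unchanged part of the file still carries a "pass { from: 127.0.0.1/32 ... }" socks-rule, otherwise nothing will get through the tunnel. Note also that "to:" in a client-rule is the server address the client connected to, not the proxy destination, so any limit on where the proxy may connect belongs in that socks-rule.
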
</pre>
</blockquote>
<h3 id="Proxies_WebProxy">Web (HTTP/HTTPS) Proxy Server</h3>
<p>Since I already had the web server up and running, setting up a web
proxy was easy. First I had to ensure that the necessary modules were
installed and enabled:</p>
<blockquote>
<pre>
a2enmod proxy
a2enmod proxy-connect
a2enmod proxy-ftp
a2enmod proxy-http
</pre>
</blockquote>
<p>Then I edited the <i>/etc/apache2/httpd.conf</i> file and added the
following entries:</p>
<blockquote>
<pre>
ProxyRequests On
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Proxy>
AllowConnect 443 563 8481 681 8081 8443 22 8080 8181 8180 8182 7002
</pre>
</blockquote>
<p>The <i>AllowConnect</i> option is necessary if you're going to
proxy other connections (such as HTTPS). Most of those numbers are
legacy from some point in the past. The really necessary one is 443
(for HTTPS); some of the 8xxx ones were from when I was doing some
web services testing from behind a firewall at work (so I could invoke
the web service endpoint from my test application). Not sure
about all the others, but I'm not too worried about it since I only
accept proxy requests from the local system.</p>
<hr />
<h2 id="MailServer">Mail Server</h2>
<p>Setting up a mail server can be somewhat complex, especially when you
throw in the fact that I was moving a running mail server to a new system
<b>and</b> adding new client capabilities.
On my old server, all of my users had to SSH into my server with private
key authentication and then tunnel POP & SMTP over the SSH connection. This
could be a pain (to say the least) and restricted access for clients like
the iPhone or other devices. Most of my users (family & friends) are using
an ssh tunnelling product from
<a href="http://www.vandyke.com/">VanDyke</a> that was discontinued back
in 2004.</p>
<h3 id="MailServer_Installation">Installation</h3>
<p>First step is to install the necessary components. Some of these were
already installed with the server OS package (e.g. Postfix) but there's
nothing wrong with making sure...</p>
<blockquote>
<pre>
apt-get update
apt-get install postfix
apt-get install courier courier-pop-ssl courier-imap-ssl courier-doc
apt-get install spell mail
</pre>
</blockquote>
<p>Before I start actually accepting and processing mail, I thought it best
to get the clients protocols all working, so onto the clients.
</p><h3 id="MailServer_Clients">Mail Clients</h3>
<p>I needed to enable support for your typical mail clients such as
<a href="http://www.microsoft.com/outlook/">Outlook</a>
and <a href="http://www.mozillamessaging.com/thunderbird/">Thunderbird</a>
(which require IMAP or POP3 to retrieve mail and SMTP to send mail) as
well as web browser clients. In the past, I have not supported web clients
and I have required mail clients to tunnel their POP3 & SMTP over ssh
tunnels. With the new server, I wanted to allow access without requiring
ssh tunnels so that other clients (such as my iPhone) that didn't have
ready support for ssh tunneling could get to the mail server. I also wanted
to add browser based support so that people could check their email from
other locations (such as a friend's computer).</p>
<p>This involved the following steps:</p>
<ul>
<li><a href="#MailServer_Clients_SSL">Secure Sockets Layer (SSL)</a></li>
<li><a href="#MailServer_Clients_imap">IMAP and POP</a></li>
<li><a href="#MailServer_Clients_smtp">Authenticated SMTP</a></li>
<li><a href="#MailServer_Clients_web">Web Server Mail Client</a></li>
</ul>
<h4 id="MailServer_Clients_SSL">Secure Sockets Layer (SSL)</h4>
<p>For remote access to my server I needed to enable SSL
so that user credentials were protected. My intent was to enable SSL on
all the standard mail client protocols (SMTP, IMAP and POP) and to enable
browser based access to mail via HTTPS and a web server based mail client.</p>
<h4 id="MailServer_SSL_KeyGen">Certificate Generation</h4>
<p>In order to support SSL, I needed to get an SSL certificate. I could
have created my own certificate and signed it myself, but that would have
led to error messages from the clients telling my users that perhaps they
shouldn't trust my server. Instead, I signed up for an SSL certificate
from
<a href="http://www.godaddy.com/">GoDaddy</a> which was running a
special for $12.95/year for up to 5 years.</p>
<p>In order to create the certificate, I had to generate my private key
and then a certificate signing request using the following commands:</p>
<blockquote>
<pre>
*** make sure openssl is installed
# <font size="+1"><b>apt-get install openssl</b></font>
*** Generate 4096 bit RSA server key
# <font size="+1"><b>openssl genrsa -des3 -out server.key 4096</b></font>
Generating RSA private key, 4096 bit long modulus
.............................................................................++
................................................................................
......................................++
e is 65537 (0x10001)
Enter pass phrase for server.key: <font size="+1"><b>abcd</b></font>
Verifying - Enter pass phrase for server.key: <font size="+1"><b>abcd</b></font>
*** Generate certificate signing request for server key (note that the
*** "Common Name" must be the name of the host that the clients will connect
*** to if you don't want to get ssl errors)
# <font size="+1"><b>openssl req -new -key server.key -out server.csr</b></font>
Enter pass phrase for server.key: <font size="+1"><b>abcd</b></font>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <font size="+1"><b>US</b></font>
State or Province Name (full name) [Some-State]: <font size="+1"><b>Virginia</b></font>
Locality Name (eg, city) []: <font size="+1"><b>Waterford</b></font>
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <font size="+1"><b>Cahills</b></font>
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: <font size="+1"><b>mail.cahillfamily.com</b></font>
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
</blockquote>
<p>At this point, I took the server signing request, <i>server.csr</i>,
and sent it to GoDaddy to get them to sign it and create my certificate.
If, on the other hand, I wanted to do a self-signed certificate, I would
have performed the following steps:</p>
<blockquote>
<pre>
*** sign the csr using our own server key (making this a self-signed cert)
# <font size="+1"><b>openssl x509 -req -days 1825 -in server.csr \
-signkey server.key -out server.crt</b></font>
Signature ok
subject=/C=US/ST=Virginia/L=Waterford/O=Cahills/CN=mail.cahillfamily.com
Getting Private key
Enter pass phrase for server.key: <font size="+1"><b>abcd</b></font>
</pre>
</blockquote>
<p>To test this, I configured Apache2 to support SSL and tested
access to https://mail.cahillfamily.com. I first needed to enable the
SSL module using the following command:
</p><blockquote>
<pre>a2enmod ssl</pre>
</blockquote>
<p>I took the server key and server certificate and placed them into
a secure non-standard location (no need to advertise where) and set the
access modes on the directory to restrict it to root only. In
order for the server key to be used without a pass phrase, I ran the
following commands to remove the pass phrase from the file:</p>
<blockquote>
<pre>mv server.key server.key.safe
openssl rsa -in server.key.safe -out server.key</pre>
</blockquote>
<p>I copied the default Apache2 site file into one
for <i>mail.cahillfamily.com</i> and set it up using the following
commands:</p>
<blockquote>
<pre>cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mail.cahillfamily.com
ln -s /etc/apache2/sites-available/mail.cahillfamily.com /etc/apache2/sites-enabled/mail.cahillfamily.com</pre>
</blockquote>
<p>I then edited the configuration file to enable SSL and to point to
the newly installed certificate and key files:</p>
<blockquote>
<pre>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster
    ServerName mail.cahillfamily.com
    DocumentRoot /home/www/mail.cahillfamily.com
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    SSLEngine On
    SSLCertificateFile /path-to-ssl-files/server.crt
    SSLCertificateKeyFile /path-to-ssl-files/server.key
</VirtualHost>
</pre>
</blockquote>
<p>I also wanted to automatically redirect any http: access to
<i>mail.cahillfamily.com</i> to https: access, so I added the following
section to the default site file which uses the <i>RedirectPermanent</i>
directive to automatically redirect access on port 80:</p>
<blockquote>
<pre>
<VirtualHost *:80>
    ServerAdmin webmaster
    ServerName mail.cahillfamily.com
    RedirectPermanent / https://mail.cahillfamily.com
</VirtualHost>
</pre>
</blockquote>
<h4 id="MailServer_Clients_imap">IMAP and POP</h4>
<p>After poking about some, I came to the conclusion that the right mail
server for me to use to expose IMAP and POP interfaces for my mail clients
is the <a href="http://www.courier-mta.org/">Courier Mail Server</a>. </p>
<p>Courier requires that you use the <i>MailDir</i> structure for user
mailboxes while Postfix uses the <i>mbox</i> structure by default. So I
changed Postfix to use the <i>MailDir</i> structure by adding the following
setting to <i>/etc/postfix/main.cf</i>:
</p><blockquote>
<pre>home_mailbox = Maildir/</pre>
</blockquote>
<p>I manually created an empty Maildir structure for all my user
accounts.</p>
<p>For SSL, Courier requires the key and the certificate to be in a
single .pem file. So I concatenated <i>server.key</i> and <i>server.crt</i>
into a single <i>server.pem</i> file.
</p><p>I edited the <i>/etc/courier/imapd-ssl</i> file to make the following
changes:</p>
<ul>
<li>Set <i>SSLPort</i> to 993.</li>
<li>Set both <i>IMAPDSSLSTART</i> and <i>IMAPDSTARTTLS</i> options to
<i>YES</i> to allow both IMAP over SSL and TLS within IMAP (the latter
being a TLS session that's started from within the IMAP session while
the former is a plain IMAP session over an SSL tunnel).</li>
<li>Set <i>IMAP_TLS_REQUIRED</i> to 0 so that local connections from the
web mail server could make use of IMAP without having to do TLS on
the local (same system) connection. I planned to still block the
standard IMAP port (143) in the firewall, so remote clients would not
be able to access their mail without SSL/TLS.</li>
<li>Set <i>TLS_CERTFILE</i> to point to the recently created <i>server.pem</i>
file.</li>
</ul>
<p>I edited the <i>/etc/courier/imapd</i> file to make the following
changes:</p>
<ul>
<li>Added "AUTH=PLAIN" to the <i>IMAP_CAPABILITY</i> setting so that
plain text authentication is allowed on non-tls connections to the imap
server. This is necessary for the local connection from some web server
mail clients which don't come with support for CRAM-MD5 or other non-PLAIN
authentication mechanisms.</li>
</ul>
<p>I edited the <i>/etc/courier/pop3d-ssl</i> file to make the following
changes:</p>
<ul>
<li>Set <i>SSLPort</i> to 995.</li>
<li>Set both <i>POP3DSSLSTART</i> and <i>POP3DSTARTTLS</i> options to
<i>YES</i> to allow both POP3 over SSL and TLS within POP3 (the latter
being a TLS session that's started from within the POP3 session while
the former is a plain POP3 session over an SSL tunnel).</li>
<li>Set <i>POP3_TLS_REQUIRED</i> to 0 so that local connections could
make use of POP3 without having to do TLS on the local (same system)
connection. I planned to still block the standard POP3 port (110) in the
firewall, so remote clients would not be able to access their mail
without SSL/TLS. However, this would enable my existing clients which
ssh to the server and then use non-TLS POP to still be able to get
their email.</li>
<li>Set <i>TLS_CERTFILE</i> to point to the recently created <i>server.pem</i>
file.</li>
</ul>
<p>Restarted the courier related services:</p>
<blockquote>
<pre>service courier-imap stop
service courier-imap-ssl stop
service courier-pop stop
service courier-pop-ssl stop
service courier-imap start
service courier-imap-ssl start
service courier-pop start
service courier-pop-ssl start</pre>
</blockquote>
<p>Yeah, I probably could have simply used the "restart" command on each of
them but I wanted to have them all stopped and then start them all so I was
sure that they all came up cleanly under the same configuration.</p>
<p>Now it was time to test things. First a quick telnet connection to
the local imap port (143):</p>
<blockquote>
<pre>
# <font size="+1"><b>telnet server 143</b></font>
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES AUTH=PLAIN SORT QUOTA IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc. See COPYING for distribution information.
<font size="+1"><b>01 LOGIN username password</b></font>
01 OK LOGIN Ok.
<font size="+1"><b>0000 logout</b></font>
* BYE Courier-IMAP server shutting down
0000 OK LOGOUT completed
closed
</pre>
</blockquote>
<p>So that worked. I ran a similar test for POP3 which also worked. Now
I was ready for some remote testing. First step was to go back to my
<a href="#Firewall">firewall</a> and open ports 993 (IMAPS) and 995 (POP3S)
to allow incoming connections to the IMAP and POP services.</p>
<p>Then I went to http://www.wormly.com/test_pop3_mail_server and ran
several tests with the POP3S implementation (with test accounts, of course)
which all worked fine.</p>
<p>I didn't see a similar testing tool for IMAP, so I ran some tests from one
of my home computers using the following command: </p>
<blockquote>
<pre>openssl s_client -crlf -connect mail.cahillfamily.com:993</pre>
</blockquote>
<p>This worked like a charm (with some finagling with the /etc/hosts
file to override mail.cahillfamily.com's IP address), so at this point
I figured I had IMAP and POP up and running.</p>
<h4 id="MailServer_Clients_smtp">Authenticated SMTP</h4>
<p>When setting up an SMTP server, you have to be very careful that you don't
configure your server as an open relay (where it will send mail from
anyone to anyone). It seems that hackers, scammers and spammers are
forever looking for new open relays that they can use to send out spam and
shortly after opening an SMTP port on the internet you can usually find
attempts to make use of the server as a relay.</p>
<p>For basic unauthenticated SMTP (i.e. where there's no local user
authentication within the SMTP session), I configured the server to only
accept incoming mail whose delivery address is within one of my managed
domains. Any mail with a destination address outside of my domains is
rejected before we accept the mail message itself.</p>
<p>However, that configuration wouldn't work very well for my users, who
typically do want to send mail to people outside of my domains. In the
past, my solution was simple: ssh tunnel to my host, then send mail via
SMTP on the local host interface, where I could treat any local connections
as, by default, authenticated.</p>
<p>While I am continuing to allow that configuration with the new server
setup, it wouldn't work for those users trying to use a mail client without
the ssh tunnel. So I had to enable authenticated SMTP and I had to
configure it to require such sessions over SSL.</p>
<p>The SMTP server is managed by Postfix itself. So the first step was to
modify the <i>/etc/postfix/main.cf</i> configuration file to only relay
mail from my own networks and otherwise accept only mail for recipients in my domains:</p>
<blockquote>
<pre>
#
# restrict smtp operations on unauthenticated (port 25) connections
#
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
</pre>
</blockquote>
<p>Then I modified the <i>/etc/postfix/master.cf</i> configuration file
to enable both TLS within SMTP sessions and SMTP over SSL/TLS by including
the following directives:</p>
<blockquote>
<pre>
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps      inet n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
</pre>
</blockquote>
<p>These settings, along with the base configuration, should give me
server to server SMTP on port 25 and client to server user authenticated
SMTP over TLS/SSL on ports 465 and 587.</p>
<p>Now that I have SMTP which allows for authentication, I had to install
and configure the sasl authentication daemon as follows:
</p><ol>
<li>I installed the package using:
<blockquote>
<pre>apt-get install libsasl2 sasl2-bin</pre>
</blockquote>
</li>
<li>
<p>I edited <i>/etc/default/saslauthd</i> to make the
following changes:</p>
<ul>
<li>Set <i>START=yes</i> so the daemon will start.</li>
<li>Configured saslauthd to place its runtime information underneath the
postfix chroot environment by changing the OPTIONS parameter and
adding the following lines:
<blockquote>
<pre>PWDIR="/var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"</pre>
</blockquote>
</li>
</ul>
</li>
<li>I created the saslauthd run directory using:
<blockquote>
<pre>mkdir -p /var/spool/postfix/var/run/saslauthd</pre>
</blockquote>
</li>
<li>Configured saslauthd to leave its files readable by postfix (so
postfix could communicate with the daemon) using the following command:
<blockquote>
<pre>dpkg-statoverride --force --update --add root sasl 755 \
/var/spool/postfix/var/run/saslauthd </pre>
</blockquote>
</li>
<li>Created <i>/etc/postfix/sasl/smtpd.conf</i> file and added the
following lines:
<blockquote>
<pre>pwcheck_method: saslauthd
mech_list: plain login</pre>
</blockquote>
</li>
<li>Restarted both saslauthd and postfix</li>
</ol>
<p>Now I was ready to start testing, so I went back to my
<a href="#Firewall">firewall</a> and opened ports 25 (SMTP), 465 (SMTP over
SSL) and 587 (TLS within SMTP) so that I could start testing.</p>
<p>To test all of this you could use a mail client, or if you're a bit
more adventurous (and want to see exactly what's going on) you can do
this manually within a telnet/openssl connection. The following is
an example test session:</p>
<blockquote>
<pre>
$ <font size="+1"><b>telnet localhost 25</b></font>
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.cahillfamily.com ESMTP Postfix (Ubuntu)
<font size="+1"><b>ehlo mail.cahillfamily.com</b></font>
250-mail.cahillfamily.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
<font size="+1"><b>mail from: user@localhost</b></font>
250 2.1.0 Ok
<font size="+1"><b>rcpt to: someuser@someotherhost.com</b></font>
250 2.1.5 Ok
<font size="+1"><b>data</b></font>
354 End data with &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;
<font size="+1"><b>Subject: Test message
Sending yet another test... hope it gets there...
.</b></font>
250 2.0.0 Ok: queued as B28C461A0A9
<font size="+1"><b>quit</b></font>
221 2.0.0 Bye
Connection closed by foreign host.
</pre>
</blockquote>
<p>That's a standard, unauthenticated SMTP session. I find using the
manual session for testing makes it easier to identify what the problem
is when there is a problem. For example, in the list of responses after
my "ehlo" command, you see "250-STARTTLS" - this indicates that TLS is
enabled within the server.</p>
<p>To test an authenticated SMTP session, you will need to enter a
command similar to the following (I usually do this right after the
"ehlo" command, though I'm not sure if it has to be exactly there):</p>
<blockquote>
<pre><font size="+1"><b>auth plain AHVzZXJpZABwYXNzd29yZA==</b></font>
235 2.7.0 Authentication successful</pre>
</blockquote>
<p>The "AHVzZXJpZABwYXNzd29yZA==" parameter is a base64 encoding of a
plain text SASL authentication string. You can generate one manually
using the following perl command:</p>
<blockquote>
<pre>perl -MMIME::Base64 -e 'print encode_base64("\000userid\000password")'</pre>
</blockquote>
<p>Where userid is the test user's id and password is the test user's password.
If you have a special character in either string (such as an @ in the
user id, e.g. user@host), you need to escape the character (e.g. "\@").</p>
<p>So, now that I have all that, I ran the following tests:</p>
<ul>
<li>Test a local unauthenticated SMTP connection to send mail to a remote
system (for my clients that ssh to the server and send out from there):
<blockquote>
<pre>telnet localhost 25</pre>
</blockquote>
and then run through the SMTP session described above.
</li>
<li>Test that a remote unauthenticated SMTP connection doesn't allow
sending mail to remote locations. Go to a remote system and run:
<blockquote>
<pre>telnet mail.cahillfamily.com 25</pre>
</blockquote>
and try the SMTP session above - it should fail with either permission
denied or relay access denied when you enter the "rcpt to" command.
</li>
<li>Test that a remote unauthenticated connection on the submission port
(TLS within SMTP, port 587) can't relay either:
<blockquote>
<pre>openssl s_client -starttls smtp -crlf -connect mail.cahillfamily.com:587</pre>
</blockquote>
<p>and try the SMTP session above - this should also fail, this time with permission
denied, since we only set up authenticated SASL connections on this port.
</p></li><li>Test a remote authenticated connection on the submission port using:
<blockquote>
<pre>openssl s_client -starttls smtp -crlf -connect mail.cahillfamily.com:587</pre>
</blockquote>
and this time include the "AUTH PLAIN" command at the start of the
session. This should succeed.
</li>
<li>Test a remote authenticated SMTPS (SMTP over SSL, port 465) connection as follows:
<blockquote>
<pre>openssl s_client -crlf -connect mail.cahillfamily.com:465</pre>
</blockquote>
and include the "AUTH PLAIN" command at the start of the
session. This should succeed.
</li>
</ul>
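<p>The same checks in script form, as an added example that is not from the original post: <i>parse_ehlo</i> reads a pasted EHLO reply like the one shown above, <i>auth_plain_token</i> builds the AUTH PLAIN string without the shell-escaping problem of the perl one-liner, and <i>probe_smtp</i> repeats the relay and authentication tests above against a server you administer (host, port, credentials and the example.invalid addresses are assumptions).</p>

```python
# Added example, not from the original post: helpers for the SMTP tests above.
import base64
import smtplib
import ssl

# Constructed EHLO reply, modelled on the port-25 telnet session shown above.
SAMPLE_EHLO_PORT25 = """\
250-mail.cahillfamily.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Parse a pasted EHLO reply into {KEYWORD: [params]}.

    Lines are '250-KEYWORD params' (more follow) or '250 KEYWORD' (last one).
    The first line carries the server name and is stored under '_host'.
    """
    caps = {}
    for i, line in enumerate(reply.strip().splitlines()):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError("not an EHLO success line: %r" % line)
        words = rest.split()
        if i == 0:
            caps["_host"] = words[0]
        else:
            caps[words[0].upper()] = words[1:]
        if sep == " ":          # a space after the code marks the final line
            break
    return caps


def auth_plain_token(userid, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL
    password).  No shell is involved, so an '@' in the user id needs no
    escaping, unlike the perl one-liner above."""
    raw = ("%s\0%s\0%s" % (authzid, userid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain_token(token):
    """Inverse of auth_plain_token; the token is encoded, not encrypted, which
    is why the server above only offers AUTH inside a TLS session."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(p.decode("utf-8") for p in parts)


def probe_smtp(host, port, mode, creds=None,
               sender="probe@example.invalid", offsite="someone@example.invalid"):
    """Repeat the relay/auth checks listed above against a server you run.

    mode: 'plain' (port 25), 'starttls' (587) or 'smtps' (465); creds is
    (userid, password) or None.  Only MAIL FROM / RCPT TO / RSET are sent,
    so nothing is queued.  For the setup above, expect relay_accepted False
    whenever creds is None, and auth_ok and relay_accepted True with valid
    credentials on 587 or 465.
    """
    ctx = ssl.create_default_context()
    if mode == "smtps":
        conn = smtplib.SMTP_SSL(host, port, timeout=15, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=15)
    seen = {"starttls_offered": False, "auth_offered": False,
            "auth_ok": None, "relay_accepted": False}
    try:
        conn.ehlo()
        seen["starttls_offered"] = conn.has_extn("starttls")
        if mode == "starttls":
            if not seen["starttls_offered"]:
                raise RuntimeError("server does not advertise STARTTLS")
            conn.starttls(context=ctx)
            conn.ehlo()                       # capabilities change after TLS
        seen["auth_offered"] = conn.has_extn("auth")
        if creds is not None:
            code, _ = conn.docmd("AUTH PLAIN", auth_plain_token(*creds))
            seen["auth_ok"] = (code == 235)   # 235 2.7.0 Authentication successful
        conn.mail(sender)
        code, _ = conn.rcpt(offsite)          # 554 'Relay access denied' expected
        seen["relay_accepted"] = 200 <= code < 300
        conn.rset()
    finally:
        try:
            conn.quit()
        except smtplib.SMTPException:
            pass
    return seen
```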
<h4 id="MailServer_Clients_web">Web Server Mail Client</h4>
<p>For browser clients, there are a couple of obvious possibilities
that come to mind:</p>
<ul>
<li><a href="http://www.courier-mta.org/sqwebmail/">SqWebMail</a> -
a component of the Courier Mail Server which provides access to
mail files via direct access to the mailboxes.</li>
<li><a href="http://squirrelmail.org/">Squirrel Mail</a> - a web server
based mail client that gets lots of good recommendations as being one of
the best open source solutions. This tool uses the IMAP interface to access
the user's mail files rather than direct manipulation.
<p>As a bonus, this tool also has an available Outlook-like plug-in that
gives users the look/feel of Outlook 2003.
</p></li></ul>
<p>I took a look at the two tools and decided to go with Squirrel Mail
and, for now, just install the base toolkit. I'll explore the Outlook
model at some point in the future. Ubuntu has SquirrelMail available
as a standard package, so I installed it using the following command:</p>
<blockquote>
<pre>apt-get install squirrelmail</pre>
</blockquote>
<p>I then modified the <i>/etc/apache2/sites-available/mail.cahillfamily.com</i>
configuration file to use the squirrelmail application as the document
root, so my users go straight into the application when they visit
mail.cahillfamily.com in a browser. The modified file looks as follows:</p>
<blockquote>
<pre>
NameVirtualHost *:443
&lt;VirtualHost *:443&gt;
    ServerAdmin webmaster@localhost
    ServerName mail.cahillfamily.com
    DocumentRoot /usr/share/squirrelmail
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    SSLEngine On
    SSLCertificateFile /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    Include /etc/squirrelmail/apache.conf
&lt;/VirtualHost&gt;
</pre>
</blockquote>
<p>Used my browser to test it and everything seems kosher.</p>
<h3 id="MailServer_Spam">SPAM filtering</h3>
<p>To filter or not to filter.... For many years I ran my server with
no server-side filtering and instead relied on client filtering. However,
the abundance of crap that keeps on coming only seems to grow exponentially
every year and I finally convinced myself that not only was server side
filtering necessary, but it was mandatory. This is especially evident when
you're trying to download mail after having been disconnected for a day or
so and find that you have hundreds of email messages, most of which are
clearly SPAM.</p>
<p>I use spamassassin for spam filtering. Looking around at most of the
how-to's/docs I see that most people recommend using spamassassin to just
flag spam, but then go ahead and deliver it to the user's mailbox. This
is probably the best solution if you don't want to lose any potential
emails that have incorrectly been marked as SPAM. However, that means
that my clients have to download hundreds of spam messages just to throw
them out when they get to the client.</p>
<p>For my system, I'd rather have Spamassassin get rid of at least some
spam and then let some of the questionable stuff through. So, I've set up
things such that mail messages that get a Spamassassin grade of 10 or higher
get saved off into a directory on the server (one directory for each day
to ease management). For messages that have a grade between 5 and 10, the
subject gets re-written to include a SPAM indicator, but the message
is still delivered to the intended recipient.</p>
<p>I've been doing it this way for the past 2 years. We get on the order of
five thousand (yeah: 5,000) messages culled this way each day and I've yet
to find or get a report of any false positives. Note that there's still
a bunch of email that gets through with grades between 5 and 10.</p>
<p>Anyway, to set this up on the new server:</p>
<ul>
<li>Install the latest version of spamassassin using:
<blockquote>
<pre>
apt-get update
apt-get install spamassassin spamd
</pre>
</blockquote>
</li>
<li>Installed spamchk script (not sure where I originally got it, but I've been using it on my old mail server for several years now) in
<i>/usr/local/bin/spamchk</i>
</li>
<li>
Created /var/spool/postfix/spam/save and /var/spool/postfix/spam/tmp
directories for processed messages
</li>
<li>
Edited the /etc/postfix/master.cf file to add an output filter for mail
coming in on the default smtp connection (we don't need it on the SSL
connections since they are authenticated) and to add the spamchk
invocation. The modified lines look as follows:
<blockquote>
<pre>
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamchk:dummy
</pre>
</blockquote>
<p>And at the end of the file, added:</p>
<blockquote>
<pre>
#
# SpamAssassin check filter
#
spamchk   unix  -       n       n       -       10      pipe
  flags=Rq user=spamd argv=/usr/local/bin/spamchk -f ${sender} -- ${recipient}
</pre>
</blockquote>
</li>
<li>
By default, Spamassassin places a detailed spam report in any message
that is flagged as spam (spam score >= 5) and moves the original message
to an attachment. I find this cumbersome, so instead I like to
flag the subject of the message with a "[SPAM]" flag and otherwise leave
the message alone (you do still get the Spamassassin headers added to the
message, but they are hidden from the default view in most mailers).
<p>To achieve this, I edited the
<i>/etc/mail/spamassassin/local.cf</i> file and made the following
changes:</p>
<blockquote>
<pre>
*** local.cf.orig 2010-01-02 10:45:58.000000000 -0500
--- local.cf 2010-01-09 20:54:46.000000000 -0500
***************
*** 9,21 ****
# Add *****SPAM***** to the Subject header of spam e-mails
#
! # rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
! # report_safe 1
# Set which networks or hosts are considered 'trusted' by your mail
--- 9,21 ----
# Add *****SPAM***** to the Subject header of spam e-mails
#
! rewrite_header Subject [SPAM]
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
! report_safe 0
# Set which networks or hosts are considered 'trusted' by your mail
</pre>
</blockquote>
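<p>Review bot: the score-10 discard rule described in the text (saved to the per-day directory, never delivered) is not documented anywhere in this local.cf hunk; it is enforced by the spamchk pipe filter, so a comment beside <i>report_safe 0</i> such as <i># score >= 10 is quarantined by /usr/local/bin/spamchk</i> would keep both halves of the policy visible from the one file an admin is likely to read first.</p>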
</li>
<li>Spamassassin likes to learn about its mistakes (both false positives and
false negatives). Since my users don't have local access to the system, I need
to add aliases which allow people to forward mail attachments that are
or are not spam so that Spamassassin can use that information in its
learning.
<p>First step was to get the <i>sal-wrapper.pl</i> script from
<a href="http://www.localside.net/sal-wrapper/">Stefan Jakobs</a>. This
script has a dependency on the perl module <i>MIME::Tools</i>, which I
downloaded and installed (along with a bunch of dependencies it had) using
the following command:</p>
<blockquote>
<pre>cpan -i MIME::Tools</pre>
</blockquote>
<p>Then I setup the aliases in /etc/aliases as follows:</p>
<blockquote>
<pre>
# Spam training aliases
spam: "|/usr/local/bin/sal-wrapper.pl -L spam"
ham: "|/usr/local/bin/sal-wrapper.pl -L ham"
</pre>
</blockquote>
<p>When I tested it, the script failed because it couldn't open/write to
the log file. I manually created the log file and set it to be writable
by the tool.</p>
</li></ul>
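<p>The spamchk script itself isn't reproduced above, so here, as an added example rather than the author's script, is a Postfix pipe(8) content filter implementing the policy described: a score of 10 or higher is saved under a per-day directory, 5 to 10 is delivered with the [SPAM] subject SpamAssassin already added, and everything else is delivered untouched. The spamc and sendmail paths are assumptions.</p>

```python
#!/usr/bin/env python3
# Added example, not the post's spamchk script (which the post does not show):
# a Postfix pipe(8) content filter for the policy described above.  Postfix
# runs it as  spamchk -f ${sender} -- ${recipient}...  with the message on stdin.
import datetime
import os
import re
import subprocess
import sys
import tempfile
from email.parser import BytesHeaderParser

QUARANTINE_ROOT = "/var/spool/postfix/spam/save"   # directory from the post
SPAMC = "/usr/bin/spamc"                           # assumed path
SENDMAIL = "/usr/sbin/sendmail"                    # assumed path
QUARANTINE_SCORE = 10.0   # score >= 10: saved on the server, not delivered
TAG_SCORE = 5.0           # SpamAssassin's threshold; it rewrites the Subject
EX_TEMPFAIL = 75          # sysexits.h: Postfix will retry later


def spam_score(message):
    """Read SpamAssassin's score from the X-Spam-Status header it adds to every
    scanned message ('Yes, score=12.3 required=5.0 ...'); None if unscanned."""
    status = BytesHeaderParser().parsebytes(message).get("X-Spam-Status")
    if not status:
        return None
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    return float(m.group(1)) if m else None


def classify(score):
    """Map a score to the post's three outcomes.  An unscanned message (spamd
    down) is delivered rather than lost, matching the 'never lose mail' goal."""
    if score is None:
        return "deliver"
    if score >= QUARANTINE_SCORE:
        return "quarantine"
    if score >= TAG_SCORE:
        return "tag"            # Subject already carries [SPAM]; deliver as-is
    return "deliver"


def parse_args(argv):
    """Accept the pipe(8) argument form '-f sender -- recipient...'."""
    if len(argv) < 4 or argv[0] != "-f" or argv[2] != "--":
        raise SystemExit("usage: spamchk -f sender -- recipient...")
    return argv[1], list(argv[3:])


def quarantine(message, root=QUARANTINE_ROOT, when=None):
    """Save the message under one directory per day, as the post describes."""
    when = when or datetime.datetime.now()
    day_dir = os.path.join(root, when.strftime("%Y-%m-%d"))
    os.makedirs(day_dir, exist_ok=True)
    fd, path = tempfile.mkstemp(dir=day_dir, suffix=".eml")
    with os.fdopen(fd, "wb") as f:
        f.write(message)
    return path


def reinject(message, sender, recipients):
    """Hand the (possibly tagged) message back to Postfix for delivery."""
    cmd = [SENDMAIL, "-G", "-i", "-f", sender, "--"] + recipients
    return subprocess.run(cmd, input=message).returncode


def main(argv):
    sender, recipients = parse_args(argv)
    original = sys.stdin.buffer.read()
    scan = subprocess.run([SPAMC], input=original, stdout=subprocess.PIPE)
    message = scan.stdout if scan.returncode == 0 and scan.stdout else original
    verdict = classify(spam_score(message))
    if verdict == "quarantine":
        quarantine(message)
        return 0                    # accepted by the filter; Postfix is done
    return 0 if reinject(message, sender, recipients) == 0 else EX_TEMPFAIL


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```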
<h4 id="MailServer_Switch">The Switchover</h4>
<p>The switchover had to be handled carefully in an attempt not to lose
any mail as I moved things (or as little as possible). The sequence I
worked out and used was as follows:</p>
<ol>
<li>Stop mail services on <b>both</b> the old and the new servers -- <b>ALL</b>
mail services: SMTP, POP3, IMAP, etc.</li>
<li>On the old server, tar up all of the existing user accounts and user
mailboxes and transfer them to the new server.</li>
<li>Copy the <i>/etc/passwd</i> and <i>/etc/shadow</i> files to the new
server and copy out the user accounts that are moving and add them to the
existing <i>/etc/passwd</i> and <i>/etc/shadow</i> files on the new server.</li>
<li>Copy the <i>/etc/postfix</i> configuration files from the old server to
the new server and merge in any of the local settings from the old server. In
particular the virtual domains information for all of the domains I host had
to be incorporated into the new setup.</li>
<li> Copy the <i>/etc/aliases</i> file from the old server to the new server
editing the file to remove any extraneous/old/useless entries. Run
<i>newaliases</i> to notify Postfix of the changes.</li>
<li>Untar the user accounts in <i>/home</i> on the new server and set the
owner/group ownership as necessary.</li>
<li>Convert Mbox mailboxes to the new Maildir format on the new server.
<p>While I do a lot of relaying of mail, there are a number of people who
actually get their mail off of my server, so I needed to move their
incoming mail to the new server and, because we changed from mbox format
to Maildir format, I needed to split the mail up into individual files.</p>
<p>I found a perl script to do the conversion (<b>mb2md</b>) which
I downloaded from
<a href="http://batleth.sapienti-sat.org/projects/mb2md/">here</a>. I ran
a few tests and figured out that I would use the command as follows:</p>
<blockquote>
<pre>mb2md -s "full path to mbox file" -d "full path to Maildir directory"</pre>
</blockquote>
And, since I was doing this as root, I would need to run:
<blockquote>
<pre>chown -R user.group "full path to Maildir directory"</pre>
</blockquote>
so that the right user owned all the files.
</li>
<li>Create Maildir structures for those users who didn't have mail in their
mailboxes.
<p>For those users who didn't have mail sitting in their mbox files on the old
system, I would need to create the correct hierarchy within their login
directory for Maildir delivery. So I ran a script similar to the following
(I just did it from the command line, so I don't have an actual copy of the
script) in <i>/home</i>:</p>
<blockquote>
<pre>
# user_list: the login names of the users who need an empty Maildir
for user in user_list
do
    mkdir -p $user/Maildir/cur $user/Maildir/new $user/Maildir/tmp
    chown -R $user $user/Maildir
done
</pre>
</blockquote>
</li>
<li>On <b>both</b> servers: Edit the DNS records to change the IP
address for mail.cahillfamily.com to be the new server and assign the name
oldmail.cahillfamily.com to the old server. And, of course, publish
these changes.</li>
<li>Enable mail services on the new server (do not, for at least a day or
so, enable mail services on the old server, in order to force any mail in
other SMTP queues to go to the new server).</li>
<li>Test the setup by sending emails to various users in my hosted domains
from local clients, clients in my home and from my work email account to
ensure that the changes had propagated out to the real world.</li>
</ol>
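<p>The mbox-to-Maildir conversion and the empty-Maildir creation (steps 7 and 8 above), as an added example that is not the post's mb2md invocation or shell loop: it uses Python's standard <i>mailbox</i> module, which carries the mbox Status flags over into the Maildir filenames, and builds a constructed two-message mbox in a temporary directory so it can be run offline. The <i>chown_tree</i> helper is mine and only has an effect when run as root.</p>

```python
# Added example, not from the original post: the mbox -> Maildir conversion and
# the empty-Maildir creation from steps 7 and 8, done with Python's mailbox
# module instead of mb2md and the shell loop.  Run on the new server after the
# old server's mail services are stopped (step 1), so no mbox locking is needed.
import mailbox
import os
import pwd
import tempfile


def mbox_to_maildir(mbox_path, maildir_path):
    """Copy every message in mbox_path into maildir_path (created if missing).

    The mbox 'Status'/'X-Status' flags survive as Maildir flags: R -> S (seen),
    A -> R (replied), F -> F, D -> T, and O (old) places the file in cur/ rather
    than new/.  Returns the number of messages copied.
    """
    src = mailbox.mbox(mbox_path, create=False)
    dst = mailbox.Maildir(maildir_path, create=True)   # creates cur/ new/ tmp/
    copied = 0
    try:
        for msg in src:
            dst.add(mailbox.MaildirMessage(msg))      # does the flag mapping
            copied += 1
    finally:
        src.close()
        dst.close()
    return copied


def ensure_maildir(home):
    """Step 8: make $home/Maildir with cur/ new/ tmp/ for a user with no mbox."""
    path = os.path.join(home, "Maildir")
    mailbox.Maildir(path, create=True).close()
    return path


def chown_tree(path, owner):
    """The 'chown -R user.group' from step 7; only effective when run as root."""
    pw = pwd.getpwnam(owner)
    os.chown(path, pw.pw_uid, pw.pw_gid)
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            os.chown(os.path.join(root, name), pw.pw_uid, pw.pw_gid)


# Constructed two-message mbox: the first was read (Status: RO), the second is new.
SAMPLE_MBOX = b"""From alice@example.invalid Sat Jan  9 20:54:46 2010
From: alice@example.invalid
To: bob@example.invalid
Subject: already read
Status: RO

first message

From bob@example.invalid Sat Jan  9 21:00:00 2010
From: bob@example.invalid
To: alice@example.invalid
Subject: unread

second message
"""


def demo(owner=None):
    """Run the conversion in a temporary directory and summarise the result."""
    work = tempfile.mkdtemp(prefix="mb2md-demo-")
    mbox_path = os.path.join(work, "var_mail_alice")
    with open(mbox_path, "wb") as f:
        f.write(SAMPLE_MBOX)
    home = os.path.join(work, "home", "alice")
    os.makedirs(home)
    maildir = ensure_maildir(home)
    copied = mbox_to_maildir(mbox_path, maildir)
    if owner:
        chown_tree(maildir, owner)
    md = mailbox.Maildir(maildir, create=False)
    return {
        "copied": copied,
        "subdirs": sorted(d for d in os.listdir(maildir)
                          if os.path.isdir(os.path.join(maildir, d))),
        "in_cur": len(os.listdir(os.path.join(maildir, "cur"))),
        "in_new": len(os.listdir(os.path.join(maildir, "new"))),
        "seen": sorted(m["subject"] for m in md if "S" in m.get_flags()),
    }


if __name__ == "__main__":
    print(demo())
```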
<h2>Epilogue</h2>
<p>That's about it... At least what I remember. I'm sure that there are
things I did during the move that I forgot to write down, but I did try to
record everything. I'll update this if/when I figure out anything I did
wrong or forgot to note.</p>
<p>I hope someone out there finds this useful. I know I will the next time
I need to move the mail server to a new system.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/ubuntu" rel="tag">ubuntu</a>
/ <a href="http://technorati.com/tag/postfix" rel="tag">postfix</a>
/ <a href="http://technorati.com/tag/firewall" rel="tag">firewall</a>
/ <a href="http://technorati.com/tag/spamassassin" rel="tag">spamassassin</a>
/ <a href="http://technorati.com/tag/apache2" rel="tag">apache2</a>
/ <a href="http://technorati.com/tag/ssl" rel="tag">ssl</a>
</span></p><div class="blogger-post-footer"><FONT size="1">
<B>
These comments are purely those of Conor P. Cahill
and do not represent the views of any company he
now works for or has ever worked for in the past.
</B>
</FONT>
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-26406500282754034332009-03-03T08:40:00.000-08:002009-03-03T12:09:35.026-08:00Cool gadget #14<p>I've always been an anti-multifunction office device kind of person. If you got a good printer, it sucked at scanning or faxing. If you got a good fax, it sucked at printing or scanning. If you wanted to print a lot inexpensively, you used a monochrome laser printer. If you wanted to print color, you used an ink jet type printer. None of the multifunction devices seemed to be good enough to replace multiple dedicated devices.</p>
<p>In my home office, I've had a good monochrome laserjet printer (HP 4000TN), a good inkjet printer (HP 1200DN), excellent fax machine (Xerox something or other), a good copier (again a Xerox something or other) and a decent scanner.</p>
<p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG0dTbDN_hBGapESunALK3HGHnaN6p9QKLWVjUO1bczyicPCaOaB5czpW0kWMfxUFiRG2wgHJfjlxJuH3jMmzllyLE03Vq_2OUK0aEWa0639B9aiuQ3B6T_DFkEdE7eo1cfb2M/s1600-h/IMG_1749.JPG"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 309px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG0dTbDN_hBGapESunALK3HGHnaN6p9QKLWVjUO1bczyicPCaOaB5czpW0kWMfxUFiRG2wgHJfjlxJuH3jMmzllyLE03Vq_2OUK0aEWa0639B9aiuQ3B6T_DFkEdE7eo1cfb2M/s320/IMG_1749.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5309045604860750210" /></a>Well, that has finally changed. The quality of all-in-one devices has gotten good enough that I now find them acceptable for most office tasks. Well, I guess I should clarify that I find the higher end devices satisfactory. The low end devices still are missing or have brain dead implementations of many of the core features that I require. The <a href="http://h10010.www1.hp.com/wwpc/us/en/en/WF06b/18972-18972-238444-12004-3328086-3597338-3597361-3597470.html">HP Color Laserjet CM2320fxi Multifunction Printer</a> is one such all-in-one printer. The cost is a bit high for some home purchases (I paid a discounted $850), but the functionality gives me all the magic features I needed and does them all well enough that I can get rid of the existing multiple devices I have lying about which, together, accomplish some of the same tasks.</p>
<p>This device does the following tasks very well:</p>
<ul>
<li>Built-in network printing from any computer in the house.</li>
<li>Black/white laser printing</li>
<li>Color laser printing -- looks as good as anything I've gotten off inkjets</li>
<li>Automatic duplex printing (printing both sides of the paper).</li>
<li>Black/white copying (single or multi-page)</li>
<li>Color copying (single or multi-page)</li>
<li>Fax sending/receiving with auto document feed</li>
<li>Automatic Scanning to email of multi-page documents (PDF)</li>
<li>Print directly from camera memory cards</li>
</ul>
<p>My only complaints are:</p>
<ul>
<li>it is somewhat more noisy than my old laserjet printer, though after a few weeks I've gotten used to it and don't notice it all that much</li>
<li>it is <span style="font-weight:bold;">tall</span> (because of the scanner unit on top with space for paper outputs and with 2 input trays). So tall that I haven't hooked up the 2nd input tray or the top would hit the cabinets above. It would be nice if the scanner/control unit could be separated and placed to the side of the printer. Yeah that would look like two devices, but it would make it easier for my kids to see the top buttons.</li>
</ul>
<p>Those are relatively minor nits. We are extremely happy with this printer and all of its features.</p>
<p>That said, I do continue to own a desktop flatbed photo scanner and a dedicated film scanner. I could probably do most of what I want to do with the flatbed scanner with the new device. However, there's a lot of convenience to having it on my desk easily reachable when scanning many prints, and I can take it with me when I go to my parents' house to scan old pictures there.</p>
<p>So while I have gotten rid of the fax machine, copier, laser printer and inkjet, I still have some specialized devices lying about. And, BTW, I sold the old devices for $100 and sent back the inkjet printer to HP for an upgrade rebate of another $100, so the net cost to me was just $650.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/printer" rel="tag">printer</a>
/ <a href="http://technorati.com/tag/hp" rel="tag">HP</a>
/ <a href="http://technorati.com/tag/multifunction" rel="tag">multifunction</a>
/ <a href="http://technorati.com/tag/cm2320fxi" rel="tag">CM2320fxi</a>
/ <a href="http://technorati.com/tag/all-in-one" rel="tag">all-in-one</a>
/ <a href="http://technorati.com/tag/gadget" rel="tag">gadget</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-85555551795850537262009-02-27T20:19:00.000-08:002009-02-27T20:34:15.920-08:00Exercising on the road<p>I've spent the past week bouncing up and down the west coast between San Jose, CA and Portland, OR -- not spending even 48 hours in either location at any point.</p>
<p>This threw a wrench into my exercise program because not only did I have to find the time to exercise, I also had to figure out what to do with my sweaty clothes when I checked out each day.</p>
<p>At first glance, you might think that's easy -- just put the wet clothes in one of the plastic laundry bags and pack it. That is what I typically do when I'm checking out on my way home. However, since I wanted to use the clothes to exercise each day and I didn't feel like putting on wet clothes to go work out, I needed to dry them out.</p>
<p>When I'm staying at the same place, I can just let them air dry and that works well enough. However, since I had to change hotels 3 times this week, I needed something else to do. I could have used the iron to heat up and steam them out, but it just felt like something was wrong with ironing sweat into my clothes.</p>
<p>I ended up using the room blow dryer to just blow them dry. Worked fine. Clothes were dry each day and nothing appeared to be growing on them (plus the rest of my clothes stayed dry).</p>
<p>In case you're wondering, I did an hour on the stationary bike each day. Not too shabby for an old man, if I must say so myself.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/travel" rel="tag">travel</a>
/ <a href="http://technorati.com/tag/exercise" rel="tag">exercise</a>
</span></p><div class="blogger-post-footer">
</div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-39561855617189245282009-02-20T18:45:00.000-08:002009-02-20T18:45:58.327-08:00Digitizing slides<p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiENS3nh4C3Y1LqojR5Rhzm6Vzp_cjYoTlnxd1fBWnGO8rT9wMaB6QYlViCFYBywJNVvkZA6ehdmzGU8osSzfqYlB2ADFJTZfHn10tPjw-LJwqIVinVJuVhvGJEJfymj1tYNCVI/s1600-h/Slide.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 200px; height: 168px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiENS3nh4C3Y1LqojR5Rhzm6Vzp_cjYoTlnxd1fBWnGO8rT9wMaB6QYlViCFYBywJNVvkZA6ehdmzGU8osSzfqYlB2ADFJTZfHn10tPjw-LJwqIVinVJuVhvGJEJfymj1tYNCVI/s200/Slide.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5305044051130718226" /></a>In the days of film cameras, one of the ways to take a lot of pictures cheaply was to use slide film rather than standard film. The film was around the same price, but when developing slides, you didn't get any prints, so rather than a $10 or $15 bill for the developing, the bill was just $3 or so (if I remember correctly -- in any case it was way cheaper). Others also would claim that the slide film was better for pictures &amp; sharing since you could now project them to an audience (back in the days of 9 and 11 *inch* black and white TVs and *no* computers, there wasn't any other way to do it).</p>
<p>So, I have thousands of slides that I have taken over the years (several hundred from my honeymoon alone) and my mother-in-law brought over a bunch of slides that Angie's father had taken over the years (going back to the late 50s). I want to get all of these scanned into the computer so that we can share them and, if desired, print them.</p>
<p>Before I get into the nitty gritty, I want to lay out some ground rules that I have for scanning large batches of slides/negatives. These have grown out of my experience scanning film and your mileage may vary, but I think they are a good starting point for anybody thinking about a similar project. They include:</p>
<ul>
<li>I want the process as automated as possible so that I can do real work while the scanning is going on. Processes that require manual intervention every few minutes means that I have to dedicate larges amounts of spare time that I just don't have (like any of you do).</li>
<li>I want "good enough" quality pictures to come out of the scan process so that I don't have to do any manual processing of the photos (other than rotating them). When I first started scanning negatives, I would do a raw scan at high resolution and then spend 15 to 20 minutes per photo to get them to a state where I liked them. This is clearly unacceptable for large numbers of photos.
<p>So my model is to get them good enough off the scanner so that I can enjoy/share/watch/etc. without any manual processing.</p></li>
<li>I want to be able to easily figure out which slide/negative the photo came from after I'm done scanning, in case there's a picture that I want to do more with (such as scanning at high resolution with lots of manual processing so we can print an 8x10 or 16x20 photo). This means that I need to be able to find the original negative without resorting to a manual search of thousands of slides.</li>
<li>I want to preserve the film in case someone wants to work with it years from now.</li>
<li>Speed is not the driving factor. Scanning thousands of slides/negatives will take time. What is key is that the work can be done while I'm doing other stuff. This leads to some choices on the scanning which actually make the scans take longer, but you get better quality scans and you get to keep working on the day job while you're doing the scanning.</li>
</ul>
<p>These ground rules led to a number of choices I made in setting up this process. As I describe the process, I'll try to explain why and how I made these choices.</p>
<H2>Choosing the scanner</H2>
<p>The first issue to address is how I am going to scan the slides themselves. There are two basic options for scanning slides:</p>
<ul>
<li>Using the slide adaptor that comes with most flatbed photo scanners (if you have a multi-function device (otherwise known as an all-in-one), you're probably out of luck as they don't seem to come with options for scanning slides). These adapters typically require that you place some number of slides (typically 3 or 4) into the adapter, remove the usual white background used for document scanning and then scan the slides.
<p>I find this process painful for many reasons, the biggest one being that it's very time consuming and manual in nature. However, this isn't too bad if you don't have a bazillion slides to process.</p></li>
<li>Using a film scanner designed to scan slides and negatives (film) rather than documents/photos. These typically do a much better job on film than the flatbed scanners and they usually also have substantial automation capabilities.</li>
</ul>
<p>It just so happens that I have both types of scanners and for me the clear choice was to use the film scanner. My film scanner is a <a href="http://www.imaging-resource.com/PRODS/LS4K/L40A.HTM">Nikon Super Coolscan 4000 ED</a> (it's about 5 years old and has been superseded by the newer 5000ED).</p>
<H2>Organizing for scanning</H2>
<p>If you're like most people, your slides have not stayed in their little boxes that you get back from the developer and frequently they are intermingled (in some cases within one of those slide projector trays, in other cases in the little slide shoe box where you threw all the slides).</p>
<p>One note about handling slides: Most slides are raw film stored within a cardboard or plastic mount which just holds the film without providing any protection to the film itself. You should use care when handling the slides to keep fingerprints, water, dust, etc. off the slides. I recommend using low-cost lint free gloves available at most photo shops when handling the slides.</p>
<p>You can choose to stay with the disorganization and just scan things, or you can put the slides back into their original sets. I chose to do the latter because figuring out what's on slides and telling stories about them is frequently helped by the nearby slides on the same strip of film. Getting the slides back into the set and then perusing them in order helps greatly.</p>
<p>To get them back into sets, you need to look at each slide. Most slides, even those printed many years ago, carry two pieces of information: a slide number in one of the corners and a processing month/year stamp. Sometimes this information is printed on the slide; sometimes it's embossed in the cardboard mount. In many cases the printing is hard to read and you have to do some sleuthing to figure out which set the slide belongs to and what slide number it is in that set. In the slide below you can fairly clearly see the slide number (34), but the processing date (May 89) is embossed on the cardboard and a bit harder to see.</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhls0dUDdfxVNYCEv3fSBZuGTcQ1ZYxumCr7SNxY6jp0TUUSrQhNQp0gLUWcDPFCWsuC2lZga8hs3dcpQkUcLMrz0kGsz7FYUTIyfv8MEUff-ULgrPCyotsqz_cKuLr5ZIBt5Vp/s1600-h/Slide-header.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 163px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhls0dUDdfxVNYCEv3fSBZuGTcQ1ZYxumCr7SNxY6jp0TUUSrQhNQp0gLUWcDPFCWsuC2lZga8hs3dcpQkUcLMrz0kGsz7FYUTIyfv8MEUff-ULgrPCyotsqz_cKuLr5ZIBt5Vp/s400/Slide-header.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305047714513413666" /></a>
<p>Once I had them all grouped in sets & ordered by slide number I simply rubber banded them and put them into my to-be-done box and then started cranking.</p>
<H2>Scanning the slides</H2>
<H3>Setting up the scanner</H3>
<p>My 4000ED has an optional slide feeder (SF-200) which can feed up to 50 slides at a time for automated processing. This is ideal for my project. However, in many of the reviews of the product and in various support web sites, I found that there were many complaints about slides jamming in the machine -- which would really interfere with my automatic process requirement. I came close to just blindly upgrading to the latest version of the feeder (SF-210) thinking that it had to be better than the one I already had. However, from the reviews that didn't seem to be the case.</p>
<p>I should note that after looking at the wide variety of slides that I had in my collection (especially when I added in the older slides from my mother-in-law) it isn't so surprising that this is an issue. The slides vary greatly in materials (plastic, cardboard, even some metal) and they varied greatly in thickness.</p>
<p>All that said, I found one suggestion in an Amazon review that recommended tilting the scanner about 10 degrees and instead of using the spring-loaded slide pusher, place a C battery into the tray (it would roll down with the slides adding just a small amount of continuous, even, pressure). I gave that solution a whirl and across about 2K slides only had 6 or so jams -- two of which were caused by material defects in the slide mounting (the film had curved out of the mount and caught on the next slide causing the two to load simultaneously). Not bad.</p>
<p>To accomplish this I used two index card packs to raise one side of the scanner and just placed the battery into the tray as you can see below:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw0IE8NrxXlrp-veViXYy7LkbHfDZBMBDakiQ51wD4T8CKlpKb8CphaxymoL40PZhCDqG3QeSOu1ktCB7b6p0I73j-eXK4u6MufGOn_AA7ZE39gmsiwv_vZjlyfkdU3hProEcE/s1600-h/SlideScanner.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 274px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw0IE8NrxXlrp-veViXYy7LkbHfDZBMBDakiQ51wD4T8CKlpKb8CphaxymoL40PZhCDqG3QeSOu1ktCB7b6p0I73j-eXK4u6MufGOn_AA7ZE39gmsiwv_vZjlyfkdU3hProEcE/s320/SlideScanner.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305051179946950770" /></a>
<h3>Setting up the scanner software</h3>
<p>Nikon Scan 4 is the software package that comes with the scanner. I modified the default settings to enable the following features:</p>
<ul>
<li>Enabled Digital ICE - which does a great job getting rid of dust and small scratches -- it's not perfect, but it does work pretty well.</li>
<li>Enabled Digital ROC and Digital GEM post processing - these do a level of fade & color correction that makes many scans presentable that otherwise wouldn't be without a lot of manual processing.</li>
<li>Enabled multi-scanning 2x - each slide is scanned twice and the scanned data is averaged together -- this gets a better scanned picture on most slides.</li>
<li>Set resolution to 2,000 pixels/inch (about 1/2 the full res quality of the scanner) at 100% scale. Just to keep the pictures down to a reasonable size on disk and to make some of the post processing more efficient. I can always come back later if I want a better quality scan on a particular slide.</li>
<li>For each batch scan, I set the file name to a one-up sequence starting with the year (so, for example, the slides I recently scanned had a base file name of si2009001 followed by a two-digit sequential number of the slide within the slide set). When I processed the next batch, I would increase the base file name by one (e.g. si2009002). The net result is that I could tell which slide set, and which slide within that set, a digital file came from. For example, a digital file with the name si200904523.jpg came from slide 23 in the 45th slide set scanned in 2009.</li>
</ul>
<h3>Loading the slides</h3>
<p><b>Emulsion side</b> - Each slide has an emulsion side and a smooth side. The emulsion side is the side on which the image is recorded, and it is recorded backwards (to view the slide correctly you look through it from the non-emulsion side). This is important because most scanners will tell you that they want the emulsion side facing a particular way, either by directly mentioning the emulsion side or by using pictures of a slide with an ABC on it (when the ABC is backwards you are looking at the emulsion side). On most slides that have some kind of printing, the side that says "this side toward screen" or something like that is the emulsion side, and the slide number and date stamp are typically on the viewing (non-emulsion) side.</p>
<p><b>Up vs down</b> - the orientation of the slides (which edge is up) seems to be somewhat random with respect to the printing on the slides. In some cases they are in sync (the slide is correctly oriented when the number/date stamp is on the top). In other cases it's the opposite (the number/date stamp needs to be upside down on the bottom for the slide to be oriented correctly). I found I had to look at a few slides to figure out which way it worked with that set.</p>
<p><b>Landscape vs Portrait</b> - while slides usually appear square, the film within the slide is not. When you're holding the camera horizontally (the normal position) the image will be recorded in a landscape mode (where the width of the image is longer than the height of the image). When you're holding the camera vertically (on its side) the image will be recorded in portrait mode (longer height, shorter width). This is important in slides because in most scanners you should <b>not</b> turn the slide to correctly orient the picture if it was taken in portrait mode. Just scan the picture in landscape mode and later, in software, rotate it 90 degrees to get it into portrait mode. The reason for this is that most scanners only scan the landscape portion of the slide and will miss some of the slide while recording some of the mount if you scan the slide in portrait mode.</p>
<p><b>Slide Numbers</b> - most slide sets do not start with slide 1 (at least most of mine did not) and frequently they have slides missing (sometimes simply because the slide image was blank). I wanted the actual slide numbers to match the file names, so I would start the file numbers at the first slide number and ensure that all slides were loaded in sequential order, filling in missing slides with slides from the end of the set. When I had to do filling in, I would go back to the files after the set was scanned and manually renumber the fill-in slides to correctly represent their slide number.</p>
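<p>As an added illustration (not code from the original post, nor anything from the Nikon software), here is a small Python script that decodes the si&lt;year&gt;&lt;set&gt;&lt;slide&gt; file names described in the scanner settings above and works out the fill-in and renumbering step for a set with gaps in its slide numbers. It assumes the layout is a 4-digit year, a 3-digit set number and a 2-digit slide number, and that the scanner's one-up sequence starts at the first slide number; the sample set with slide 6 missing is constructed for the example.</p>

```python
"""Decode and plan file names for batch-scanned slide sets.

Assumed name layout (an assumption, not a fixed spec from the post):
"si" + 4-digit year + 3-digit one-up set number + 2-digit slide number.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: 3 digits for the set within the year, 2 digits for the slide.
NAME_RE = re.compile(
    r"^si(?P<year>\d{4})(?P<set>\d{3})(?P<slide>\d{2})\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class SlideRef:
    """Which physical slide a scanned file came from."""
    year: int      # year the set was scanned
    set_no: int    # one-up set number within that year
    slide_no: int  # slide number printed on the mount


def decode_name(filename: str) -> SlideRef:
    """si200904523.jpg -> slide 23 of the 45th set scanned in 2009."""
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"not a slide-scan file name: {filename!r}")
    return SlideRef(int(m["year"]), int(m["set"]), int(m["slide"]))


def encode_name(ref: SlideRef, ext: str = "jpg") -> str:
    """Inverse of decode_name; refuses numbers that would not fit the fields."""
    if not 0 <= ref.set_no <= 999:
        raise ValueError("set number must fit in 3 digits")
    if not 0 <= ref.slide_no <= 99:
        raise ValueError("slide number must fit in 2 digits")
    return f"si{ref.year:04d}{ref.set_no:03d}{ref.slide_no:02d}.{ext}"


def plan_batch(slide_numbers: List[int]) -> List[Tuple[int, int]]:
    """Work out the feeder load order for one set.

    The scanner numbers files with a one-up sequence starting at the first
    slide number.  Wherever the printed numbering has a gap, a slide from the
    end of the set is loaded in that position as a fill-in.  Returns
    (sequence_number, actual_slide_number) pairs in load order.
    """
    remaining = sorted(set(slide_numbers))
    plan: List[Tuple[int, int]] = []
    seq = remaining[0] if remaining else 0
    while remaining:
        if seq in remaining:
            remaining.remove(seq)                 # the slide that belongs here
            plan.append((seq, seq))
        else:
            plan.append((seq, remaining.pop()))   # fill the gap from the end
        seq += 1
    return plan


def feeder_settings(plan: List[Tuple[int, int]]) -> Tuple[int, int]:
    """(number of slides to feed, starting file number) to type into the software."""
    if not plan:
        return (0, 0)
    return (len(plan), plan[0][0])


def rename_pairs(year: int, set_no: int, plan: List[Tuple[int, int]],
                 ext: str = "jpg") -> Dict[str, str]:
    """Files to rename after the batch: scanner-assigned name -> correct name."""
    return {
        encode_name(SlideRef(year, set_no, seq), ext):
            encode_name(SlideRef(year, set_no, actual), ext)
        for seq, actual in plan
        if seq != actual
    }


if __name__ == "__main__":
    # Constructed example: set 45 of 2009, slide 6 missing from the mounts.
    plan = plan_batch([3, 4, 5, 7, 8, 9, 10])
    print(feeder_settings(plan))           # (7, 3)
    print(rename_pairs(2009, 45, plan))    # {'si200904506.jpg': 'si200904510.jpg'}
```

<p>The point of <code>plan_batch</code> is that the gap-filling rule only needs to be applied once, before loading the feeder: the returned pairs tell you both the X-slides / start-at-Y values for the software and exactly which output files to rename afterwards.</p>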
<h3>Scanning the slides</h3>
<p>I would simply load a set into the feeder (correctly oriented, emulsion side to the right when looking at the scanner), indicate in the software that I was feeding X slides, and set the starting number at Y. Then I was off to do the real work while the scanner went along chugging through the slides in the feeder.</p>
<h2>Slide Storage</h2>
<p>In order to be able to quickly locate slides, as well as to provide archival storage for them, I chose to use <a href="http://www.printfile.com/index.asp?PageAction=VIEWPROD&ProdID=82">Print File Archival Slide Preserver</a> sheets for the slides and placed a label on each sheet indicating the slide set (which was part of the digital file name) that the sheet contained:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinuhjO3vwcytoeO-ucjeb41qEjDSBZPOshjmDDLqNJ91qvcdqzQ9HntSoKkLQw1LHGyOIgj4La3dKL0dMfdHRGYT7QGAsZT-4Sr1rG-Qoonnl63tM0pWNEd0FyB9fvyVWEaB4a/s1600-h/PrintFileSheet.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 217px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinuhjO3vwcytoeO-ucjeb41qEjDSBZPOshjmDDLqNJ91qvcdqzQ9HntSoKkLQw1LHGyOIgj4La3dKL0dMfdHRGYT7QGAsZT-4Sr1rG-Qoonnl63tM0pWNEd0FyB9fvyVWEaB4a/s320/PrintFileSheet.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305067312280968258" /></a>
<p>You can get these at many photography supply stores. I purchased mine at <a href="http://www.archivalusa.com/">Archival USA</a>.</p>
<p>Once I had the slides stored in the sheets, I placed the slide preserver sheets into <a href="http://www.centuryboxes.com">Century Box</a> Archival Storage Albums (that I also purchased from Archival USA). Another option would have been to buy the file hangers that Print File makes and simply hang the sheets in a file cabinet, but I preferred the storage box. Anyway, I placed the slide pages into the boxes and placed labels onto the boxes indicating which slide set ranges were in the box.</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMdTSYY1TPljzzp-eL466HUHyyEsYD4clKUKyqfN1PoIn1OPMxdHcMU_sSJnVjWXInOFcnX2z9iNLtVjvYdCk0EyHs2hlLLrvJuN5IeQqTTEsarfIgxVV_Pvg5fw_DCykaGCy4/s1600-h/SlideSheetsInBox.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMdTSYY1TPljzzp-eL466HUHyyEsYD4clKUKyqfN1PoIn1OPMxdHcMU_sSJnVjWXInOFcnX2z9iNLtVjvYdCk0EyHs2hlLLrvJuN5IeQqTTEsarfIgxVV_Pvg5fw_DCykaGCy4/s320/SlideSheetsInBox.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305069814319721650" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEmTBiF6DLiSoaVRJGQEIUhpuQ1PDj8M7SvG6EGPWKAHY6xQ52bX2OfmPpfK6s4sgPPFDMwQIbhc2riTZiYIuXMk6ujTFFhcq7zjnunq_MVXesCImm6uxcwb2H7ZEfDNTi5T32/s1600-h/SlideBoxesLabeled.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 243px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEmTBiF6DLiSoaVRJGQEIUhpuQ1PDj8M7SvG6EGPWKAHY6xQ52bX2OfmPpfK6s4sgPPFDMwQIbhc2riTZiYIuXMk6ujTFFhcq7zjnunq_MVXesCImm6uxcwb2H7ZEfDNTi5T32/s320/SlideBoxesLabeled.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305069660215616418" /></a>
<h2>Miscellaneous Tidbits</h2>
<h3>Use the magnifying glass, Luke</h3>
<p>I found having a magnifying glass quite useful in trying to determine the slide numbers and/or date stamps, as well as in determining the orientation of slides that had no markings. It was just plain useful. Get one and have it nearby when you're working on the slides.</p>
<h3>Remounting Slides</h3>
<p>In some cases, it might be worthwhile to remount slides. For example if the mount is damaged, too thick, or otherwise interferes with being able to scan the image. I had this with one particular set of slides that came from my mother-in-law. It seems that in the late 1950s in Europe, slides were mounted in metal mounts that sandwiched the film between two pieces of glass. When they got to me, they were in pretty sad shape:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirO4GnMUQXvydLFwbGAuyJ0Pzx7sYK_qQzH2OUdHH7dRDUs__rwwOA-lsy6hvHIwoUCp7qDGbwOuCcsa3-HD9XFKcdxvaGXeX-bSV6HsGDjUGT_WburreuQE03hnfM0yqHsXv-/s1600-h/MetalSlide.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 267px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirO4GnMUQXvydLFwbGAuyJ0Pzx7sYK_qQzH2OUdHH7dRDUs__rwwOA-lsy6hvHIwoUCp7qDGbwOuCcsa3-HD9XFKcdxvaGXeX-bSV6HsGDjUGT_WburreuQE03hnfM0yqHsXv-/s320/MetalSlide.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305072811693140098" /></a>
<p>So I ordered some slide mounts and peeled back the metal cover, separated out the film from the glass sandwich and mounted them into new slides which scanned much better than the originals had.</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhakx_buwNjwk9xw8WZGLlkA-FVV1sLK7ZjXhlayd5nQzSPoNPz_NFFVsPnM61M1s0AFFh9L5HCLrLQ35DyHt4wF-pw7M5Plr6f7xEoftgphz0q39CwhUH5MfGyOBymvrYloehr/s1600-h/MetalSlidePeeledBack.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 236px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhakx_buwNjwk9xw8WZGLlkA-FVV1sLK7ZjXhlayd5nQzSPoNPz_NFFVsPnM61M1s0AFFh9L5HCLrLQ35DyHt4wF-pw7M5Plr6f7xEoftgphz0q39CwhUH5MfGyOBymvrYloehr/s320/MetalSlidePeeledBack.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305073331883662498" /></a><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJlQyKgWl8pSFVld4uc3vTzE-P6WQ4sKohUDRF93MPbb3WFC37zLF9CfFSgpBlEDxCwOdFfcqF7tbIc8JsbbUC7DEbLe3YzW5DD1be-g7Dhrl3e9UR7CV86z2-jxVvjILXgTSb/s1600-h/MetalSlideSeparated.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 167px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJlQyKgWl8pSFVld4uc3vTzE-P6WQ4sKohUDRF93MPbb3WFC37zLF9CfFSgpBlEDxCwOdFfcqF7tbIc8JsbbUC7DEbLe3YzW5DD1be-g7Dhrl3e9UR7CV86z2-jxVvjILXgTSb/s320/MetalSlideSeparated.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5305073539843917378" /></a>
<h2>Summary</h2>
<p>This process seems long and arduous, but in reality the most time consuming part (other than the remounting of that one metal set) was the step of organizing the slides, because many of the slides were mixed together, some had no writing on them whatsoever, and many had slide numbers and date stamps that were almost unreadable (the magnifying glass helped there sometimes).</p>
<p>Once the scanning got started, the process essentially amounted to about 5 to 7 minutes to swap slides and store the scanned slides every hour and a half or so (that's about how long it took to go through the average 30 or so slides per set with the settings I had used in the scanner software).</p>
<p>I'm very happy with most of the pictures and for those that I'm not happy with, the slide itself usually left a lot to be desired -- almost always because of low exposure on the film.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/scanning" rel="tag">scanning</a>
/ <a href="http://technorati.com/tag/photograph" rel="tag">photograph</a>
/ <a href="http://technorati.com/tag/slide" rel="tag">slide</a>
/ <a href="http://technorati.com/tag/35mm" rel="tag">35MM</a>
/ <a href="http://technorati.com/tag/digital+conversion" rel="tag">digital conversion</a>
/ <a href="http://technorati.com/tag/digitizing" rel="tag">digitizing</a>
</span></p><div class="blogger-post-footer"><FONT size="1">
<B>
These comments are purely those of Conor P. Cahill
and do not represent the views of any company he
now works for or has ever worked for in the past.
</B>
</FONT>
</div>
Conor P. Cahill, 2009-02-18: Unsubscribing hell...
<p>For some unfathomable reason I decided today to try to unsubscribe from some of the various spam messages I get from reputable companies. I would never try to unsubscribe from the umpteen million messages I get about body part enlargement (some of which wouldn't look so hot on me if they were enlarged) or performance enhancement, as the act of unsubscribing just confirms that they have a real person on the other end of the email line.</p>
<p>So, for reputable companies in the US, they are required by the <a href="http://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003">CAN-SPAM act of 2003</a> to have an opt out method in each email. From the <a href="http://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus61.shtm">FTC's web site</a>:</p>
<blockquote>
It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.
<br><br>
Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your commercial email. When you receive an opt-out request, the law gives you 10 business days to stop sending email to the requestor's email address. You cannot help another entity send email to that address, or have another entity send email on your behalf to that address. Finally, it's illegal for you to sell or transfer the email addresses of people who choose not to receive your email, even in the form of a mailing list, unless you transfer the addresses so another entity can comply with the law.
</blockquote>
<p>So, I took a look at several of my emails... The emails from <a href="http://www.landsend.com">Lands End</a>, <a href="http://www.sears.com">Sears</a>, <a href="http://www.1800flowers.com">1-800-Flowers.com</a>, <a href="http://www.americanexpress.com">American Express</a> and <a href="http://www.apple.com">Apple</a> all had links and they all worked as one would expect. They either directly unsubscribed you or brought you to a page that gave you a few options (different kinds of emails, change email address, etc.) and one or two clicks and you were done.</p>
<p><a href="http://www.microsoft.com">Microsoft</a>, on the other hand, was a true royal pain in the *ss. I received an email from them that included the unsubscribe link at the top:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXzBgHJe6fQcTeGLHpp7oUcxh0vae4oi0KY6PQEVDoMuFD1-fL65dFcZ3x16ZCkdpdD8S9e6lbnf6oHBCcfzmF3V8KzM2KhbulOwgWb9A9ciylB_X88zYrK22FCO803RRlqrh/s1600-h/MSEmailHeader.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 49px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxXzBgHJe6fQcTeGLHpp7oUcxh0vae4oi0KY6PQEVDoMuFD1-fL65dFcZ3x16ZCkdpdD8S9e6lbnf6oHBCcfzmF3V8KzM2KhbulOwgWb9A9ciylB_X88zYrK22FCO803RRlqrh/s320/MSEmailHeader.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5304185799921263538" /></a>
<p>And another at the bottom:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq4XBZiS6qHfSxpIdVpFQ53oF4RslDCppCc-bSkcZcBOqyIKkm-HWOwH7lMyOb-hylRtBUGL2Jmk3oNzMQSMu5TPV9Hai7ILXQuE3o7rCsF9ONdzzxUJmPsaX0svSfe_cgdZbY/s1600-h/MSEmailFooter.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 22px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiq4XBZiS6qHfSxpIdVpFQ53oF4RslDCppCc-bSkcZcBOqyIKkm-HWOwH7lMyOb-hylRtBUGL2Jmk3oNzMQSMu5TPV9Hai7ILXQuE3o7rCsF9ONdzzxUJmPsaX0svSfe_cgdZbY/s320/MSEmailFooter.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5304186053652630210" /></a>
<p>So one would think that it's all kosher. That clicking on the link would get you unsubscribed. However, that wasn't to be the case. What you got when you used that link was a page which said that I had to use my Windows Live ID to manage my settings and that if I didn't have one, I would have to create a Windows Live ID account in order to manage my subscriptions.</p>
<p>So you can't just unsubscribe. You have to create an account on some Microsoft server.</p>
<p>Being the persistent one, I went ahead and did so. That required that I provide an email address and also required out-of-band email validation (where they send you an email with a link you have to click on to prove that you actually have that email address).</p>
<p>Did that and got logged into Windows Live. However, all the stuff about managing my subscription was gone and there were no clear links on the page that would get me there. So I went back to the email that started this and selected the unsubscribe link again.</p>
<p>This brought me to the "Profile Center" where there was a link for manage subscriptions. I thought I was getting close, but no, there was another roadblock that they threw up. There was no email address in there (they didn't take the one I entered for my Windows Live ID account). So I had to enter it again. And, of course, before I could manage it I had to go through the email validation again.</p>
<p>Then back to the profile page and back to managing subscriptions where I could finally unsubscribe. Now I'm stuck with a Windows Live ID account that I don't want but I don't see any easy way to get rid of it.</p>
<p>I think this rigmarole they have set up is in clear violation of the spirit and intent of the CAN SPAM laws and should be fixed. I should be able to unsubscribe easily without having to create an account. I should be able to unsubscribe with a minimum of effort.</p>
<p>Kudos to Apple, Sears, and all the rest who, IMHO, got it right. Daggers to Microsoft who clearly got it totally and inexcusably wrong.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/spam" rel="tag">spam</a>
/ <a href="http://technorati.com/tag/microsoft" rel="tag">Microsoft</a>
/ <a href="http://technorati.com/tag/can-spam" rel="tag">can-spam</a>
/ <a href="http://technorati.com/tag/live+id" rel="tag">Live ID</a>
/ <a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/email" rel="tag">email</a>
</span></p><div class="blogger-post-footer">
</div>
Conor P. Cahill, 2009-02-16: Digitizing life
<p>Like many people today, I have a large collection of analog media containing family memories. Much of it is my own, but a substantial portion belongs to either my or my wife's parents. This includes film negatives, slides, prints, video film, video tapes, etc.</p>
<p>The saddest part about this old stuff is that it deteriorates over time (even when aggressive archival storage methods are used). In addition, it's very hard to share and usually gets dispersed as various interested parties (i.e. siblings) request to take one of them (sometimes promising to make a copy and return the original -- and I'm sure some actually do that).</p>
<p>I have piles and piles of pretty much all of that other than video film. I have decided that it's about time to bring it all into the modern digital world and am digitizing all of it -- negatives from all the 35MM photos I took, prints from all of our kids' class/sports photos or from those 4x6s that we don't have negatives for, thousands of slides (which, IMHO, were the old fashioned "digital" camera in that you just paid $3 to get the roll of film developed without any prints and then said you would print the photos you liked, but never got around to it :-)).</p>
<p>When I'm done, I expect to be able to share my entire digital collection with my family either directly or when I post the more interesting photos on <a href="http://www.facebook.com">Facebook</a> :-). I also expect that when my kids grow up and leave the house, they will each be able to take a copy of our entire collection with them to be able to peruse whenever they like. </p>
<p>I'm going to write a series of blog entries describing what I've chosen to do for each type of media and how I proceeded. Hopefully some out there will find it useful in one way or another.</p>
<p>BTW - there are a number of services out there that will do this for you for a fee. I've chosen to do it all myself rather than use a service because I want to organize things as I convert and I want to have sensible conversions (if you used the video camera to record your kid's birthday and your friends' kids' school performance you don't want them on the same DVD -- at least I don't). I've also worked to automate the process as much as possible so I can do it while I'm doing other things.</p>
<p>Finally, I've accepted that this will take a long time and not be done overnight and I will methodically work through the piles (and they are large piles).</p>
<p>Wish me luck!</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/digitizing" rel="tag">digitizing</a>
/ <a href="http://technorati.com/tag/scanning" rel="tag">scanning</a>
/ <a href="http://technorati.com/tag/film" rel="tag">film</a>
/ <a href="http://technorati.com/tag/35mm" rel="tag">35mm</a>
/ <a href="http://technorati.com/tag/slides" rel="tag">slides</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com1tag:blogger.com,1999:blog-29173677.post-38221383341853656272009-01-18T11:32:00.000-08:002009-01-18T11:43:13.750-08:00Another change in United's Mileage Plus ProgramI've <a href="http://conorcahill.blogspot.com/2008/11/paying-for-upgrades.html">written</a> about some of the changes <a href="http://www.united.com">United</a> made to the <a href="http://www.united.com/page/article/0,6722,52895,00.html?jumpLink=%2F2009prgchng">Mileage Plus program for 2009</a> (most of which I don't like), but I just noticed one that hasn't been documented much of anywhere that I have found. Kind of just snuck in there.
<p>In the past, when you qualified for one of the premier levels, that status was good through the end of February the following year (so, my 2008 1K status was good through the end of Feb 2009). However, for my 2009 1K status my card is only good through the end of January 2010 -- a month shorter.</p>
<p>This is probably because with all the electronic record keeping, they think they don't need the extra month to get all the records in order to determine status.</p>
<p>This was not mentioned in the <a href="http://www.united.com/page/article/0,6722,52895,00.html?jumpLink=%2F2009prgchng">2009 program changes page</a>.</p>
<p>We'll see if my <a href="http://conorcahill.blogspot.com/2007/01/uniteds-global-services.html">Global Services</a> card (which I haven't received yet, half way through the month) has the same timeframe or if it gets the extra month when my card, hopefully, shows up.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/united" rel="tag">United</a>
/ <a href="http://technorati.com/tag/ual" rel="tag">ual</a>
/ <a href="http://technorati.com/tag/mileage+plus" rel="tag">Mileage Plus</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-85915598002630788422009-01-06T07:32:00.000-08:002009-01-06T07:45:50.981-08:00United comes clean on Global Services status<p>For years, <a href="http://www.united.com">United</a> has been very secretive about how one becomes a Global Services member. My <a href="http://conorcahill.blogspot.com/2007/01/uniteds-global-services.html">blog entry on Global Services</a> is still the most popular page here, 2 years after it was written -- accounting for more than 25% of my page hits. It's even the number one search result for <a href="http://www.google.com/search?q=united+global+services">"United Global Services"</a> on Google (yeah, I'm proud :-) ).</p>
<p>When I logged into my united account today, I found the following published on the web site:</p>
<blockquote>
<b>Ensure your Global Services status for 2009</b>
Fly 50,000 miles on United® or United Express® in First (F, A, P), Business (C, D, Z), or full-fare United Economy® (Y or B) during 2008, and your Global ServicesSM membership will be renewed for the 2009 program year.
<br><br>
Track your progress by visiting <a href="http://www.united.com/gstracking">united.com/gstracking</a>.
</blockquote>
<p>Of course, it's kind of late for the 2009 program year at this point. But still it's now out in the open as to what you need to do to qualify. They even have a web page that you can go to to check your earnings status. Mine is still showing my 2008 earnings (since I know I have absolutely zero earnings in 2009).</p>
<p>Of course, I'm not convinced that this is the <b>only</b> way to get Global Services status. I think that their marketing and business relationship department will use GS stats as a reward for important business partners who bring them substantial corporate business, even if they, themselves, don't fly a lot. That's business as I would expect it to be.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/ual" rel="tag">ual</a>
/ <a href="http://technorati.com/tag/united+airlines" rel="tag">United Airlines</a>
/ <a href="http://technorati.com/tag/global+services" rel="tag">Global Services</a>
/ <a href="http://technorati.com/tag/travel" rel="tag">travel</a>
/ <a href="http://technorati.com/tag/mileage+plus" rel="tag">Mileage Plus</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com10tag:blogger.com,1999:blog-29173677.post-73577366773627831362008-12-19T09:54:00.001-08:002008-12-19T16:08:41.126-08:00Situational Awareness<p>One of the best defenses against phishing, scamming or pretty much any other type of social engineering attack is to be aware of your situation and what to expect to have happen as well as to know when it should happen. The various attacks that come along should all raise red flags at several steps in the process. In the real world, we get this through millions of years of survival training -- those who didn't sense trouble usually died out before they could reproduce.</p>
<p>However, in the internet world, most of the visual and/or aural cues that raise your sense of awareness and caution are missing, and we need to learn a new set of such protection mechanisms.</p>
<p>To that end, I'm going to periodically talk through an attack and point out things that one might notice which should cause you to think twice about continuing (or at least do a much more detailed check of what's going on before you continue).</p>
<p>Today, I received an interesting email reportedly from "Classmates.com" (which, of course, we all know we can't trust as anyone can claim to be anyone else with current mailing technologies):</p>
<blockquote>
Your Classmates Events: Reunion January 16th 2009
" With pride and joy we invite you to share a special day in our lives and join us for the Class Reunion on Friday, January 16th 2009.
Bring the gang from Our High School back together again!
Great party - from start to finish! "
Proceed to view details:
http://video.classmates.completeserv.user-v5mn1ckah.newyearclassmates.com/messages.htm?/type/INVITATION=m5kibxmz390kynf
Your favorite people are already here, so use ClassmatesTM to bring them together.
With best regards, Carmine Hilton. Customer Service Department.
Copyright 1995-2008 Classmates Online, Inc. All Rights Reserved.
</blockquote>
<p>At first glance this seemed somewhat legit because I am a member of <a href="http://www.classmates.com">Classmates.com</a> and so could reasonably expect to get emails from them. I'm also in a graduating class that would have an interesting anniversary in 2009 so it does make sense that we would be scheduling a reunion.</p>
<p>However, the email address to which the email was addressed is not the one that I have associated with my classmates.com account -- so clearly it wasn't classmates.com sending me the email. The address that was used is one that I've had for ages and typically gets close to 99.9% spam, so my internal "what's going on here" guard sprang up.</p>
<p>In addition, the email didn't look like the typical Classmates.com email -- which is just stupid laziness on the part of the attacker as it's pretty easy to fake someone else's email style, so while the email looking right isn't a good sign, having it look wrong is a big red flag.</p>
<p>Finally, the link in the email wasn't at the classmates.com domain. To find the actual domain of a URL, look at the third slash (/) and work backwards: the first two slashes come right after the http: at the beginning of the URL, so the host name is everything between those and the next /. In this case it was newyearclassmates.com, which should be another big red flag since it was clearly made to look like the real classmates.com domain.</p>
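<p>One way to turn the "third slash" rule above into a check that a mail filter or log reviewer could run, as an added example that is not part of the original post: the expected domain, the comparison URLs other than the one quoted from the invitation, and the function names are assumptions of the example.</p>

```python
from urllib.parse import urlsplit

# Assumed: the domain the mail claims to come from.
EXPECTED_DOMAIN = "classmates.com"

# The link quoted from the invitation above, plus constructed comparison URLs
# (the classmates.com ones are hypothetical, not real Classmates.com links).
SAMPLE_LINKS = [
    "http://video.classmates.completeserv.user-v5mn1ckah.newyearclassmates.com"
    "/messages.htm?/type/INVITATION=m5kibxmz390kynf",
    "https://www.classmates.com/reunions/",          # constructed
    "HTTP://WWW.Classmates.com:443/reunions/",       # constructed: case and port
    "http://classmates.com.example.test/reunions/",  # constructed: name buried in host
]


def host_by_third_slash(url):
    """The post's rule of thumb: the host sits between the second and third '/'
    of an http(s) URL. Returns None when there is no scheme to anchor on."""
    if "://" not in url:
        return None
    after_scheme = url.split("://", 1)[1]
    return after_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def registered_host(url):
    """Same result from a real parser: drops the port, lowercases the host,
    and refuses anything that is not an http/https URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def belongs_to(host, domain):
    """True only if host IS domain or a subdomain of it at a label boundary.
    'newyearclassmates.com' and 'classmates.com.example.test' both fail."""
    return host == domain or host.endswith("." + domain)


def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Classify a link relative to the domain the mail claims to be from."""
    host = registered_host(url)
    if host is None:
        return ("REJECT", "not an http(s) URL")
    if belongs_to(host, expected_domain):
        return ("OK", host)
    # The expected name appears somewhere in the host, but the host is not
    # actually under that domain: the look-alike pattern from the post.
    if expected_domain.split(".")[0] in host:
        return ("LOOKALIKE", host)
    return ("OTHER_DOMAIN", host)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, detail = check_link(link)
        print(f"{verdict:13s} {detail}")
```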
<p>If you did, somehow, follow the link, it brought up the following page:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhlNQgC-WvTW2eAQV5M3uc6g8w8IV7K_o0CHnl3ApsA8EpAt3D6Dsc6JpTCsBRyWk1MdDBz62xUgcagZvMcQBdaxqPHvF5r3E97rIMYvjx8WG_XVGl51rgpvzolHreViJAOn3A/s1600-h/ClassmatesHoax.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 196px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhlNQgC-WvTW2eAQV5M3uc6g8w8IV7K_o0CHnl3ApsA8EpAt3D6Dsc6JpTCsBRyWk1MdDBz62xUgcagZvMcQBdaxqPHvF5r3E97rIMYvjx8WG_XVGl51rgpvzolHreViJAOn3A/s320/ClassmatesHoax.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5281563936058814242" /></a>
<p>This, too, doesn't look like the Classmates.com site -- another red flag -- and it has no real information about what's going on. One would expect to at least have some text at this point with the name of the high school and other such information.</p>
<p>Instead all you have is a thing that looks like a video player application but actually is just an image and if you click anywhere on the image (like the play button or, if you're thinking of a YouTube video, the center of the video image) or on the Adobe Get media player button, the site tries to download and run a native application (an EXE). That should send big <span style="font-weight:bold;">"DANGER WILL ROBINSON"</span> shivers up your spine. Any website that tries to download an exe directly to your platform has to be treated as the enemy until proven to be a friend (no innocent until proven guilty here -- good sites rarely download EXEs directly like that without at least having some interactions with the user).</p>
<p>In this case the executable was Adobe_Player10.exe -- which I'm sure is a Trojan Horse which would do very nasty things to your computer at some point and it wasn't coming from Adobe's own web site, but rather from the newyearclassmates.com site itself -- another red flag (which, I hope, you never got because you didn't get to this stage). If you did get here and you think everything's legit, you should stop, go to the adobe web site and check version numbers or at least download the application directly from Adobe -- never download/install software that you got to through an untrusted link or from an untrusted site.</p>
<p>UPDATE: I've gotten 7 more of these same invites. All to different email addresses that route to me. That's another really good sign that things aren't well in Kansas and you should stay away from the email.</p>
<p>Moral of the story: It's a jungle out there and you've gotta watch out for yourself as there's nobody else doing it for you.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/hacking" rel="tag">hacking</a>
/ <a href="http://technorati.com/tag/phishing" rel="tag">phishing</a>
/ <a href="http://technorati.com/tag/trojan+horse" rel="tag">Trojan Horse</a>
/ <a href="http://technorati.com/tag/internet+self+defense" rel="tag">Internet Self Defense</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-38986533329592069022008-12-03T05:21:00.000-08:002008-12-03T07:02:56.114-08:00Facebook vs DNS<p>Sometime back, about a couple of weeks ago, my <a href="http://www.facebook.com">Facebook</a> page loads all of a sudden started getting very slow (like 20 seconds or so before the data started loading, but once it did start loading it was fast). It was only happening at Facebook (<a href="http://www.google.com">Google</a>, <a href="http://www.wheresgeorge.com">WheresGeorge</a>, <a href="http://www.blogger.com">Blogger</a> and pretty much any other site were working fine), so I thought the problem had to be at Facebook rather than on my side.</p>
<p>However, after it kept up for a week, I started to get irritated enough to dig into it. First I turned off my web proxy and went directly to the sites from my browser. Things worked fine then, so clearly it was an issue in my proxy. I run a <a href="http://fedora.redhat.com">Fedora Linux</a> server at home that serves as my web proxy using the <a href="http://httpd.apache.org/">Apache HTTP daemon</a>.</p>
<p>This past weekend, I started digging into the problem and spent several hours debugging, testing, searching the web and while I still don't have a clear reason as to the why, I do understand the what and have put together a somewhat nasty hack around the problem. Hopefully I will dig around and find or figure out what the problem is so that I can put in a good fix.</p>
<p>My first look at the server didn't show anything amiss. The httpd logs showed the accesses to Facebook with no errors. That led me to consider DNS as this felt like what you get when your DNS is timing out.</p>
<p>My <a href="http://en.wikipedia.org/wiki/Resolv.conf">/etc/resolv.conf</a> file was clean and correct. Using the nslookup or <a href="http://linux.die.net/man/1/dig">dig</a> tools, I was able to look up the names without problems and quite quickly on both my own name server as well as the name servers provided by my ISP. The system logs didn't show any problems in named or anything that looked like the firewall could be getting in the way.</p>
<p>However, using any other tool (telnet, wget, httpd) the name look ups would go through several failures before succeeding -- causing a substantial delay in accessing the site. This <span style="font-weight:bold;">only</span> happened with Facebook related sites (www.facebook.com and apps.facebook.com to mention two of them). The same tools, accessing any other site that I tried, had no problems and no delays.</p>
<p>Using strace, I could see that the first pass at the name service lookups was failing, each attempt timing out after so many seconds before trying the next. Eventually, the tools go back and try again and the second time, the response comes back almost immediately and the tool continues. For example, "wget http://www.facebook.com" returned the following:</p>
<blockquote>
<pre>
01 0.000106 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
02 0.000068 connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 28) = 0
03 0.000076 fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
04 0.000054 fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
05 0.000042 gettimeofday({1227974358, 62163}, NULL) = 0
06 0.000048 poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
07 0.000059 send(3, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
08 0.000861 poll([{fd=3, events=POLLIN}], 1, 5000) = 0
09 4.998266 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
10 0.000065 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.36.226.50")}, 28) = 0
11 0.000071 fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
12 0.000046 fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
13 0.000041 gettimeofday({1227974363, 61621}, NULL) = 0
14 0.000046 poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
15 0.000053 send(4, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
16 0.000098 poll([{fd=4, events=POLLIN}], 1, 3000) = 0
17 2.998500 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
18 0.000070 connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("207.228.225.50")}, 28) = 0
19 0.000073 fcntl64(5, F_GETFL) = 0x2 (flags O_RDWR)
20 0.000045 fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
21 0.000043 gettimeofday({1227974366, 60548}, NULL) = 0
22 0.000045 poll([{fd=5, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
23 0.000052 send(5, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
24 0.000118 poll([{fd=5, events=POLLIN}], 1, 6000) = 0
25 5.997342 gettimeofday({1227974372, 58108}, NULL) = 0
26 0.000050 poll([{fd=3, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
27 0.000054 send(3, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
28 0.000416 poll([{fd=3, events=POLLIN}], 1, 5000) = 0
29 4.997778 gettimeofday({1227974377, 56418}, NULL) = 0
30 0.000063 poll([{fd=4, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
31 0.000055 send(4, "\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 34, MSG_NOSIGNAL) = 34
32 0.000106 poll([{fd=4, events=POLLIN, revents=POLLIN}], 1, 3000) = 1
33 0.001235 ioctl(4, FIONREAD, [34]) = 0
34 0.000065 recvfrom(4, "\0079\201\202\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.36.226.50")}, [16]) = 34
</pre>
</blockquote>
<p>As you can see, the delays come from waiting for a response from the name server, and it's not until the second try on the second name server (lines 31-34) that we get a response. You might think that this has something to do with my name server on 127.0.0.1, but that wasn't in my /etc/resolv.conf file until I started the debugging, and the problem still occurs when I remove it.</p>
<p>A similar trace of the dig command shows that the first name server (whether it be 127.0.0.1 or my ISP's) resolves the name almost immediately (though dig uses a different communications method (sendmsg vs send) and different networking libraries).</p>
<p>Traces for wget with other host names return successfully on the first lookup.</p>
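<p>Decoding the two strace'd buffers above (the send on line 07 and the recvfrom on line 34) is an added example, not code from the original post: it turns strace's octal escapes back into bytes and reads the DNS header and question out of them. The decode shows that line 07 is an AAAA (IPv6 address) query for www.facebook.com, cut by strace at 32 of its 34 bytes, and that line 34 is a reply carrying RCODE SERVFAIL with zero answer records, which is a useful clue to note when chasing a resolver delay like this one.</p>

```python
import struct

# The two buffers copied verbatim from the trace above, exactly as strace
# printed them (octal escapes; strace's default 32-byte string truncation).
QUERY_LINE_07 = r'\0079\1\0\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34'
REPLY_LINE_34 = r'\0079\201\202\0\1\0\0\0\0\0\0\3www\10facebook\3com\0\0\34'

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def unescape_strace(text):
    """Turn strace's C-style string literal back into raw bytes.
    strace writes non-printable bytes as 1-3 octal digits, so '\\0079'
    is the byte 0x07 followed by the printable character '9'."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        i += 1                                   # skip the backslash
        j = i
        while j < len(text) and j - i < 3 and text[j] in "01234567":
            j += 1
        if j > i:                                # octal escape
            out.append(int(text[i:j], 8))
            i = j
        else:                                    # \n, \t, \r, \\, \"
            out.append({"n": 10, "t": 9, "r": 13}.get(text[i], ord(text[i])))
            i += 1
    return bytes(out)


def parse_dns(data):
    """Decode the DNS header and the first question. Tolerates a buffer that
    strace cut short: any field that is missing comes back as None."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    msg = {
        "id": ident,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": None, "qtype": None, "qclass": None,
    }
    # Walk the length-prefixed labels of QNAME (3www 8facebook 3com 0).
    labels, pos = [], 12
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:     # compression pointer: never valid in a question
            raise ValueError("compressed name in question section")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    else:
        return msg            # the name itself was truncated
    msg["qname"] = ".".join(labels)
    if pos + 2 <= len(data):
        qtype = struct.unpack("!H", data[pos:pos + 2])[0]
        msg["qtype"] = QTYPES.get(qtype, str(qtype))
        pos += 2
    if pos + 2 <= len(data):  # absent here: strace stopped at 32 bytes
        msg["qclass"] = struct.unpack("!H", data[pos:pos + 2])[0]
    return msg


def decode_strace_dns(text):
    return parse_dns(unescape_strace(text))


if __name__ == "__main__":
    for label, line in (("line 07", QUERY_LINE_07), ("line 34", REPLY_LINE_34)):
        print(label, decode_strace_dns(line))
```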
<p>I haven't (yet) figured out what exactly is causing this. But I have figured out two workarounds (neither of which are all that nice):</p>
<ul>
<li>Set one of Facebook's name servers as the first name server in my resolv.conf file (so my applications use that name server to resolve <span style="font-weight:bold;">all</span> host names).
<p>This does work (name resolutions worked first try and in very reasonable times). However, name servers are core trusted parties in your network access and I really don't like setting things up so that I totally trust Facebook's server for all of my outgoing name service look ups. Call me paranoid, but this one just isn't right for me.</p></li>
<li>Add www.facebook.com and apps.facebook.com host entries to my /etc/hosts file (which is checked before name service look ups).
<p>This definitely works, though it does remove the usefulness of DNS from my access to Facebook (like if they change their IP address I won't know). However, it is the lesser evil of the two solutions I have found so far and so this is what I've done for now.</p></li>
</ul>
<p>I'll post an update if I figure out exactly what's wrong (which I'm very unhappy about not being able to figure out so far -- I like being able to understand things and spent several hours after I had workarounds trying to figure it out to no avail).</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/facebook" rel="tag">facebook</a>
/ <a href="http://technorati.com/tag/dns" rel="tag">dns</a>
/ <a href="http://technorati.com/tag/name+server" rel="tag">name server</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com2tag:blogger.com,1999:blog-29173677.post-39417092902292709152008-12-03T03:32:00.000-08:002008-12-03T03:59:54.532-08:00Paul can't be wrong all the time<p>I have to say that, for once, I totally agree with <a href="http://connectid.blogspot.com">Paul</a>. In <a href="http://connectid.blogspot.com/2008/12/i-dont-follow.html">responding</a> to a <a href="http://www.links.org/?p=425">post</a> by Ben Laurie, Paul disagrees with Ben's opinions of passwords and phishing.</p>
<p>Ben had said (and I'm showing a bit more here than Paul did in his response):</p>
<blockquote>
Well, no. If your password is unphishable, then it is obviously the case that it can be the same everywhere. Or it wouldn’t be unphishable. The only reason you need a password for each site is because we’re too lame to fix the real problem. Passwords scale just fine. If it wasn’t for those pesky users (that we trained to do the wrong thing), that is.
</blockquote>
<p>First off, the phishability and reusability of passwords are distinct and separate issues. They have pretty much nothing to do with each other.</p>
<p>The primary reason one should not use the same password everywhere is that once that password is discovered at one location, then it can be reused at other locations. So, if, for example, you use the same password at Amazon, eBay, PayPal and Facebook, all one needs to do is find out your password on Facebook and then they will be able to sell things in your name on eBay, buy things in your name using PayPal and ship lots of things in your name at Amazon.</p>
<p>As Paul mentioned, there are many ways to find out your password -- an administrator at Facebook could look it up in the password database, or you could have a weak password that the hacker could attack via brute force (and if you're using the same password everywhere, they could use multiple sites to break the password, making all/most of the anti-brute-force rate limiting at a given site pretty moot). Just to name a few.</p>
<p>All of that said, Ben did have several good points in his post. Yes, we, as an industry, have done a terrible job in the usability of passwords. The typical user has been prompted for passwords so often and in so many places that they have no feel for when it should or shouldn't happen (one of the best personal defenses against phishing).</p>
<p>Personally, I think the utopia for online identity comes in with strong authentication to a small number of identity providers which assert my identity through SSO and Federation out to a large number of relying parties. Ben's point about the attacks around issuance/re-issuance of such strong credentials is very valid -- they can't be based on much weaker socially engineerable factors. The credentials will end up having to be issued with strong levels of assurance.</p>
<p>I also look forward to being able to login once at the start of my day and maintain that state in a reasonably secure fashion for the entire day without having to re-authenticate every few minutes or deal with "your session has been terminated for your security" when I've been sitting at the computer the entire time.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/authentication" rel="tag">authentication</a>
/ <a href="http://technorati.com/tag/assurance" rel="tag">assurance</a>
/ <a href="http://technorati.com/tag/federation" rel="tag">federation</a>
/ <a href="http://technorati.com/tag/sso" rel="tag">SSO</a>
/ <a href="http://technorati.com/tag/password" rel="tag">password</a>
/ <a href="http://technorati.com/tag/phishing" rel="tag">phishing</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com2tag:blogger.com,1999:blog-29173677.post-50768245394318884052008-11-18T12:29:00.000-08:002008-11-18T12:37:45.876-08:00Is Sir Bonar one of Paul's aliases?<p>I just have to say that the <a href="http://www.idealgovernment.com/index.php/blog/security_and_contactpoint_perception_is_all/">article on ContactPoint written by Sir Bonar</a> and <a href="http://www.identityblog.com/?p=1029">quoted by Kim</a> just feels like it was written by our one and only <a href="http://connectid.blogspot.com">Paul</a>.</p>
<p>Either Paul is writing under an alias, someone is working hard to emulate his ironic style, or somebody is writing seriously and just doesn't have an f***ing clue.</p>
<p>Interesting, very interesting....</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/identity+theft" rel="tag">identity theft</a>
/ <a href="http://technorati.com/tag/security" rel="tag">security</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com2tag:blogger.com,1999:blog-29173677.post-62808259808305585152008-11-13T12:44:00.000-08:002008-11-13T13:17:52.915-08:00Delayed Upgrades<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLf8tQzJb86n_GZcsbCNmSq_FKh5bc4k-aOOUGgm5uMpKY-7jqJcArMGycDOogZVLFhMjULf5plxdn89k2XuqDlyVgfHZF-x1DNs9oR0HkebCb5nMjN5su0b1c6QyTN_UxyWG5/s1600-h/united_logo.JPG"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 80px; height: 71px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLf8tQzJb86n_GZcsbCNmSq_FKh5bc4k-aOOUGgm5uMpKY-7jqJcArMGycDOogZVLFhMjULf5plxdn89k2XuqDlyVgfHZF-x1DNs9oR0HkebCb5nMjN5su0b1c6QyTN_UxyWG5/s200/united_logo.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5268253575710671698" /></a>
<p>One of the benefits one gets for being an elite member of <a href="http://www.united.com">United</a>'s <a href="http://www.united.com/page/middlepage/0,8680,1153,00.html?navSource=Dropdown07&linkTitle=aboutmileageplus">Mileage Plus</a> program is the ability to upgrade into the next class of service on select fares (most domestic fares qualify and some international fares qualify). Theoretically, there's also a benefit to being at a higher level in the program as your upgrades should clear sooner:</p>
<blockquote>
<table border="4">
<tr><th><center>Status</center></th><th><center>Clears at</center></th></tr>
<tr><td>General Member</td><td>24 hours before flight</td></tr>
<tr><td>Premier Associate</td><td>36 hours before flight</td></tr>
<tr><td>Premier</td><td>48 hours before flight</td></tr>
<tr><td>Premier Executive</td><td>72 hours before flight</td></tr>
<tr><td>Premier 1K</td><td>100 hours before flight</td></tr>
<tr><td>Global Services</td><td>120 hours before flight</td></tr>
</table>
</blockquote>
<p>This used to work pretty much dependably until there were very limited seats left (the last one or two seats usually were left until boarding time).</p>
<p>However, this fall I've noticed that United has not been clearing upgrades, even when there are a multitude of seats available. For example, I'm on a flight tomorrow (in less than 24 hours) that has 8 of 12 seats still available for purchase but my (and presumably several others') upgrade still hasn't cleared.</p>
<p>This has been pretty consistent on the last 8 or 10 flights I've been on, both domestic and international. It seems that the guys in "inventory control" (the part of United that makes the seats available for upgrade) have decided not to release any seats for upgrade until 10-12 hours before the flight.</p>
<p>This kind of makes the cool table of when things clear pretty useless and, to some extent, a bit of misleading marketing if not an outright lie.</p>
<p>Here's to hoping it's just a temporary glitch in their systems and things will get back to normal soon.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/united" rel="tag">United</a>
/ <a href="http://technorati.com/tag/ual" rel="tag">ual</a>
/ <a href="http://technorati.com/tag/mileage+plus" rel="tag">Mileage Plus</a>
/ <a href="http://technorati.com/tag/upgrade" rel="tag">upgrade</a>
</span></p><div class="blogger-post-footer">
<!-- End of StatCounter Code --></div>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-12150898925049693272008-11-07T07:08:00.000-08:002008-11-07T07:25:09.838-08:00Paying for upgrades<p><a href="http://www.ual.com">United Airlines</a> has announced a <a href="http://www.united.com/2009prgchng">host of changes for their Mileage Plus program for 2009</a>. Many of the changes involved increased mileage for award travel (other than domestic economy travel).</p>
<p>However, the worst change, IMHO, is that like <a href="http://www.aa.com">American Airlines</a>, United is now going to charge $$ (in addition to mileage) for mileage based upgrades from anything other than full fare economy tickets.</p>
<p>To me, a long term, very loyal 1K, million mile flyer, this really sucks. This was the one real benefit (upgrades without $$) that would drive business travelers to want to fly on the same airline. Now our business trips are going to cost as much as $1,000 if we want to upgrade both directions on an international flight. </p>
<p>United, I suggest you reconsider this change or, a bit selfishly, make an exception for your most loyal customers (1Ks/GSs) like you do for most other fees. Otherwise, I suggest that those of you who are flying in 2009 or early 2010 make your upgrade requests prior to July 1, 2009 (the effective date for the upgrade charges).</p>
<p>I also suggest that if this change bothers you, you take the time to let United know so. Recently, negative feedback about moving to pay for meals on international flights caused United to change their minds and maintain their current meal program on such flights. Perhaps we can do the same with upgrade charges.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/travel" rel="tag">travel</a>
/ <a href="http://technorati.com/tag/ual" rel="tag">ual</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com2tag:blogger.com,1999:blog-29173677.post-29316504564994322782008-10-02T08:49:00.000-07:002008-10-02T09:06:19.988-07:00Data Privacy Day<p>Please join the US, Canada (yeah, it's not just a blue state), and 27 European countries in celebrating the second annual Data Privacy Day on January 28, 2009.</p>
<blockquote>
Designed to raise awareness and generate discussion about data privacy practices and rights, Data Privacy Day activities in the United States have included privacy professionals, corporations, government officials, and representatives, academics, and students across the country.
<br><br>
One of the primary goals of Data Privacy Day is to promote privacy awareness and education among teens across the United States. Data Privacy Day also serves the important purpose of furthering international collaboration and cooperation around privacy issues.
</blockquote>
<p>You can get more information, presentations, event information, etc. from the <a href="http://www.intel.com/policy/dataprivacy.htm">Data Privacy Day web site</a>.</p>
<p>Join the <a href="http://www.new.facebook.com/group.php?gid=28893372868">Facebook Data Privacy Day 2009 Group</a> to hang with other participants and follow along with the developments.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/privacy" rel="tag">privacy</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-22254049491881527802008-10-01T05:15:00.000-07:002008-10-01T08:47:56.777-07:00Changing Planes<p>It happens to me a lot more than I would like. I'm booked on an <a href="http://www.airbus.com/en/aircraftfamilies/a320/a320/">Airbus A320</a> only to have United change it to an <a href="http://www.airbus.com/en/aircraftfamilies/a320/a319/">Airbus 319</a> causing my exit row seat in row 11 to be a standard economy seat (not even an economy plus seat) -- that's why I'm not too keen on booking exit row seats nowadays -- though booking exit row seats is one of the primo perks of a <a href="http://www.united.com/page/middlepage/0,6823,1164,00.html">United Mileage Plus Premier Executive</a>.</p>
<p>However, it seems to be a much worse change when you've got a seat booked in <a href="http://www.united.com">United</a>'s new <a href="http://www.suitedreams.united.com/">Premium International Class</a> only to have United change the plane at the last moment and replace it with a standard configuration plane. This happened to me 3 out of 4 flights this summer between Dulles and Frankfurt. </p>
<p>I mean would you rather have this (the old configuration):</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgigcyjXRZ1Tg-Ct2j6ivGcqUuzBYWS6MUkG3ZmmMxQAPeMEliioff7KG0eKZrsCkjcCoGneeP236b0wf5j0aKD1rueQI0QdKtk9PKcASnnEnsy7-WgFKZiO8GntnohFb8SHEs/s1600-h/UALBusinessSeat.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgigcyjXRZ1Tg-Ct2j6ivGcqUuzBYWS6MUkG3ZmmMxQAPeMEliioff7KG0eKZrsCkjcCoGneeP236b0wf5j0aKD1rueQI0QdKtk9PKcASnnEnsy7-WgFKZiO8GntnohFb8SHEs/s320/UALBusinessSeat.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5252150518098475522" /></a>
<p>Or this (the new configuration):</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVPPtiSoqxpQyuLnCOXkGqEcosPh9thHQwhHSMcT6ql-3e11B_VHTvcSswi6PftLTxTbhjAqYRtd045tDnVHvA57_QwpmeUCPiuhd0rUP1M5PfMnDsEk1aWFvZpZT8Cgi-x87u/s1600-h/UALNewBusinessClassSeat.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVPPtiSoqxpQyuLnCOXkGqEcosPh9thHQwhHSMcT6ql-3e11B_VHTvcSswi6PftLTxTbhjAqYRtd045tDnVHvA57_QwpmeUCPiuhd0rUP1M5PfMnDsEk1aWFvZpZT8Cgi-x87u/s320/UALNewBusinessClassSeat.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5252151568958475170" /></a>
<p>It felt like a big bait-and-switch to me. Show me the cool fancy new seats that are a world of difference better than the standard seats (the premium seats lie flat, have 15" screens with 100s of video on demand shows/movies, have cushy cushions, etc., etc.) and then stick me in a standard configuration without telling me till I get on the plane. No notice beforehand. No chance to change to a different flight. No compensation whatsoever. Not even an "I'm sorry."</p>
<p>I could understand this if it happens once in a while, but 3 out of 4 flights doesn't sound like once in a while. I could also understand it more if there wasn't such a big financial benefit to United in using the standard configuration plane (they get to sell a whole lot more business and first class seats in the old configuration than in the new configuration). How do I know that United isn't simply saying "well, we've oversold business by 20%, so let's use the standard configuration plane so that we can scoop all that revenue"? There's also the fact that United started publicly announcing that they were using the new configuration planes on Asian international routes around that time, so perhaps they moved the planes from the europ</p>
<p>Perhaps I should take the advice I received from my friend <a href="http://practicalid.blogspot.com/">George</a> (who was on
the last such change with me): Just go with the flow and be happy with what life brings you. That would certainly be better for my blood pressure, but I just don't think that's me. I think United should offer some form of compensation to those who chose to fly on the plane because of the premium seating that United is heavily advertising.</p>
<p>I guess the only thing to learn from this experience is to not depend upon the new configuration planes until United has completed its rollout of the upgrades. Originally the conversion was to be complete in 2009, but now they are predicting 2010. So far, as of Sept 2008, they have only converted 13% of their international planes (7 of 21 767s, 5 of 24 747s and 0 of 46 777s).</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/united+airlines" rel="tag">United Airlines</a>
/ <a href="http://technorati.com/tag/ual" rel="tag">ual</a>
/ <a href="http://technorati.com/tag/travel" rel="tag">travel</a>
/ <a href="http://technorati.com/tag/dulles" rel="tag">Dulles</a>
/ <a href="http://technorati.com/tag/airbus" rel="tag">Airbus</a>
/ <a href="http://technorati.com/tag/a320" rel="tag">A320</a>
/ <a href="http://technorati.com/tag/a319" rel="tag">A319</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com3tag:blogger.com,1999:blog-29173677.post-37439446656624425912008-09-30T11:16:00.000-07:002008-09-30T11:29:14.279-07:00Smart Card hackery<p>This is an old video (from May of '08) and probably accomplished using an older technology smart card (theoretically easier to break), but it's still quite interesting to watch how one can peel back the layers of a smart card in order to snoop the communications going on within the components.</p>
<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/tnY7UVyaFiQ&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/tnY7UVyaFiQ&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object></p>
<p>The <a href="http://www.wired.com/politics/security/news/2008/05/tarnovsky?currentPage=all">related story on Wired.com</a> gives a lot of interesting details on the ongoing cold war between satellite TV operators and hackers attempting to get free TV.</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/smart+card" rel="tag">smart card</a>
/ <a href="http://technorati.com/tag/hacking" rel="tag">hacking</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-73155824368529308902008-09-25T03:57:00.000-07:002008-09-25T07:43:20.453-07:00Cardspace, Liberty, & Intel's ICP<p>A couple of weeks back at <a href="http://public.cxo.com/conferences/index.html?conferenceID=24">DIDW 2008</a>, I reported on a proof-of-concept that we put together at <a href="http://www.intel.com">Intel</a> where we combined <a href="http://netfx3.com/content/WindowsCardspaceHome.aspx">Cardspace</a> with our Identity Capable Platform (ICP) to show how ICP could extend/strengthen a cardspace deployment. While we used Cardspace in this demonstration, the code should work with any Identity Selector conforming to the Identity Selector Interoperability Profile.</p>
<p>For those of you who don't know, ICP is a <span style="font-weight:bold;">research project</span> we have been working on at Intel exploring how identity capabilities could be added to a platform to enhance online transactions. Our contributions to the <a href="http://www.projectliberty.org">Liberty Alliance</a>'s <a href="http://www.projectliberty.org/resource_center/specifications/liberty_alliance_id_wsf_advanced_client_1_0_specifications">Advanced Client Technologies</a> are part of that work.</p>
<p>In this proof-of-concept, we showed how a mythical bank (ACME Bank, of course) could provision an identity agent to the platform which was then subsequently used as the identity source for Cardspace when the user initiated a session at the bank. To Cardspace, the identity agent was a full-fledged STS and had a managed card that had been provisioned into Cardspace (so, essentially, this was an off-the-shelf Cardspace deployment).</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4_rmrelUsA0DLpkbGX6MkKdqIK_U5gIRD1gc_3aJAeWo-lS_rrRmYSukjDwUJ5wGX-v6_3cOaNxMlR9BYzmm1c0ylOyUowfn6pUgMCcWi2ve22I4z_4uqR7rx3-V9YJuMPYnb/s1600-h/ICP-Cardspace-Use.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4_rmrelUsA0DLpkbGX6MkKdqIK_U5gIRD1gc_3aJAeWo-lS_rrRmYSukjDwUJ5wGX-v6_3cOaNxMlR9BYzmm1c0ylOyUowfn6pUgMCcWi2ve22I4z_4uqR7rx3-V9YJuMPYnb/s320/ICP-Cardspace-Use.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5249924591911223714" /></a>
<p>The provisioning process made extensive use of the Liberty Advanced Client Technologies protocols to securely provision the identity agent to the platform.</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHEOCaxNajpWHdkauBjA_IxmFHUFUR-t-XU-IXE3GhiGFMLKFI3prGGsLNdg994zbhMDBTzjh0NeFYpkBBLEtpF-OBlyuK6nyzJKPX8wRxcF_zu7ujrA8D2YhRSxFshukTAY5u/s1600-h/ICP-Cardspace-Prov.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHEOCaxNajpWHdkauBjA_IxmFHUFUR-t-XU-IXE3GhiGFMLKFI3prGGsLNdg994zbhMDBTzjh0NeFYpkBBLEtpF-OBlyuK6nyzJKPX8wRxcF_zu7ujrA8D2YhRSxFshukTAY5u/s320/ICP-Cardspace-Prov.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5249924714613223970" /></a>
<p>One might ask what exactly an identity agent is. I use the term very loosely to mean any identity related agent software. In this particular case, the identity agent exposes <a href="http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html">WS-Trust</a> and ID-WSF Provisioned Module interfaces and contains a SAML token generator and an ID-WSF IdP Service client (to be able to get minting assertions).</p>
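<p>To make the use flow above concrete, here is an added Python model of the token exchange between the identity selector, the locally provisioned agent acting as the card's STS, and the bank's web site. It is not Intel's ICP code and not taken from the presentation. It uses the real WS-Trust 1.3, WS-Policy, WS-Addressing, ISIP claim and SAML 1.1 namespaces, but everything else is simplified: the XML-DSig signature is replaced by an HMAC over the assertion's key fields (so the relying party holds the same key here, where a real RP would verify against the issuer's certificate), subject confirmation is left out, and the issuer, audience, subject and claim values are constructed for the example. What it does show is the policy the agent enforces before minting anything (the managed card is bound to a list of relying parties and only releases claims the bank actually vouches for) and the checks the relying party must make before it trusts a single claim in the token.</p>

```python
import datetime
import hashlib
import hmac
import uuid
import xml.etree.ElementTree as ET

# Namespace URIs from WS-Trust 1.3, WS-Policy, WS-Addressing, the ISIP
# identity dialect, SAML 1.1 and XML-DSig.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _p, _u in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("ic", IC), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_p, _u)
ISSUE = WST + "/Issue"
CLAIMS_NS = IC + "/claims"   # ISIP claim URIs look like CLAIMS_NS + "/givenname"


def q(ns, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (ns, local)


def build_rst(audience, claim_uris):
    """The RequestSecurityToken an identity selector sends to the card's token service."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = SAML
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = audience
    claims = ET.SubElement(rst, q(WST, "Claims"), Dialect=IC)
    for uri in claim_uris:
        ET.SubElement(claims, q(IC, "ClaimType"), Uri=uri)
    return ET.tostring(rst, encoding="unicode")


def _iso(ts):
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_iso(s):
    return datetime.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc).timestamp()


def _signing_input(assertion):
    """Deterministic bytes over the fields a relying party depends on: a stand-in for
    XML-DSig over the canonicalised assertion (the Signature element itself is not covered)."""
    cond = assertion.find(q(SAML, "Conditions"))
    audience = cond.findtext(q(SAML, "AudienceRestrictionCondition") + "/" + q(SAML, "Audience"))
    attrs = sorted((a.get("AttributeNamespace") + "/" + a.get("AttributeName"), a.findtext(q(SAML, "AttributeValue")))
                   for a in assertion.iter(q(SAML, "Attribute")))
    fields = [assertion.get("AssertionID"), assertion.get("Issuer"), assertion.get("IssueInstant"),
              cond.get("NotBefore"), cond.get("NotOnOrAfter"), audience] + ["%s=%s" % kv for kv in attrs]
    return "\n".join(fields).encode("utf-8")


class IdentityAgentSTS:
    """The provisioned identity agent as the selector sees it: a plain WS-Trust STS."""

    def __init__(self, issuer, subject, allowed_audiences, card_claims, key, lifetime=300):
        self.issuer, self.subject, self.key, self.lifetime = issuer, subject, key, lifetime
        self.allowed_audiences = set(allowed_audiences)  # relying parties the managed card is valid for
        self.card_claims = dict(card_claims)             # claim URI -> value the bank vouches for

    def issue(self, rst_xml, now=None):
        rst = ET.fromstring(rst_xml)
        if rst.findtext(q(WST, "RequestType")) != ISSUE:
            raise ValueError("only the Issue binding is supported")
        audience = rst.findtext("/".join((q(WSP, "AppliesTo"), q(WSA, "EndpointReference"), q(WSA, "Address"))))
        if audience not in self.allowed_audiences:
            raise PermissionError("card is not provisioned for %s" % audience)
        requested = [c.get("Uri") for c in rst.iter(q(IC, "ClaimType"))]
        unbacked = [u for u in requested if u not in self.card_claims]
        if unbacked:
            raise PermissionError("claims not backed by the card: %s" % unbacked)
        now = int(datetime.datetime.now(datetime.timezone.utc).timestamp()) if now is None else now
        a = ET.Element(q(SAML, "Assertion"), MajorVersion="1", MinorVersion="1", AssertionID="id-" + uuid.uuid4().hex,
                       Issuer=self.issuer, IssueInstant=_iso(now))
        cond = ET.SubElement(a, q(SAML, "Conditions"), NotBefore=_iso(now), NotOnOrAfter=_iso(now + self.lifetime))
        ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestrictionCondition")), q(SAML, "Audience")).text = audience
        stmt = ET.SubElement(a, q(SAML, "AttributeStatement"))
        ET.SubElement(ET.SubElement(stmt, q(SAML, "Subject")), q(SAML, "NameIdentifier")).text = self.subject
        for uri in requested:  # release only the claims asked for, and only values from the card
            ns, name = uri.rsplit("/", 1)
            attr = ET.SubElement(stmt, q(SAML, "Attribute"), AttributeName=name, AttributeNamespace=ns)
            ET.SubElement(attr, q(SAML, "AttributeValue")).text = self.card_claims[uri]
        mac = hmac.new(self.key, _signing_input(a), hashlib.sha256).hexdigest()
        ET.SubElement(ET.SubElement(a, q(DS, "Signature")), q(DS, "SignatureValue")).text = mac
        rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
        ET.SubElement(rstr, q(WST, "TokenType")).text = SAML
        ET.SubElement(rstr, q(WST, "RequestedSecurityToken")).append(a)
        return ET.tostring(rstr, encoding="unicode")


def rp_accept(rstr_xml, issuer_key, trusted_issuer, my_audience, now=None):
    """Relying-party checks before any claim is trusted: signature, issuer, audience, validity window."""
    rstr = ET.fromstring(rstr_xml)
    a = rstr.find(q(WST, "RequestedSecurityToken") + "/" + q(SAML, "Assertion"))
    if a is None:
        raise ValueError("response carries no SAML assertion")
    presented = a.findtext(q(DS, "Signature") + "/" + q(DS, "SignatureValue")) or ""
    expected = hmac.new(issuer_key, _signing_input(a), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(presented, expected):
        raise ValueError("signature does not verify")
    if a.get("Issuer") != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = a.find(q(SAML, "Conditions"))
    if cond.findtext(q(SAML, "AudienceRestrictionCondition") + "/" + q(SAML, "Audience")) != my_audience:
        raise ValueError("assertion was issued for a different relying party")
    now = datetime.datetime.now(datetime.timezone.utc).timestamp() if now is None else now
    if not _from_iso(cond.get("NotBefore")) <= now < _from_iso(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    return {x.get("AttributeNamespace") + "/" + x.get("AttributeName"): x.findtext(q(SAML, "AttributeValue"))
            for x in a.iter(q(SAML, "Attribute"))}
```

<p>A typical run constructs an <code>IdentityAgentSTS</code> for the bank's issuer URL with the claims the card was provisioned with, feeds it the RST from <code>build_rst(audience, [CLAIMS_NS + "/givenname"])</code>, and hands the returned RSTR to <code>rp_accept</code> at the bank's site. The agent refuses an RST whose AppliesTo is not one of the card's relying parties or that asks for a claim the card does not carry, and the RP refuses a token whose signature, issuer, audience or validity window is wrong. The audience check on both sides is what keeps a token minted for the bank from being replayed at another site.</p>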
<p>If you want to take a look at the presentation it's <a href="http://projectliberty.org/liberty/content/download/4443/30422/file/080918-ICP-Cardspace-DIDW-Cahill_Mellempudi.pdf">here</a>. However, I have to warn you I write my presentations as something that needs speaking to and not as standalone documents.</p>
<p>Even better, there's going to be an encore presentation as a Liberty webcast on November 18th. I'll post the details once I get them.</p>
<p>UPDATE: Britta found it for me: <a href="http://www.projectliberty.org/news_events/events/webcast_liberty_alliance_using_an_identity_capable_platform_to_enhance_cardspace_interactions">Info/Registration for Webcast
</a>. Where would we be without Britta!</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/identity" rel="tag">identity</a>
/ <a href="http://technorati.com/tag/intel" rel="tag">Intel</a>
/ <a href="http://technorati.com/tag/liberty" rel="tag">Liberty</a>
/ <a href="http://technorati.com/tag/cardspace" rel="tag">Cardspace</a>
/ <a href="http://technorati.com/tag/ws-trust" rel="tag">WS-Trust</a>
/ <a href="http://technorati.com/tag/saml" rel="tag">SAML</a>
/ <a href="http://technorati.com/tag/identity+selector" rel="tag">Identity Selector</a>
/ <a href="http://technorati.com/tag/didw" rel="tag">DIDW</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-28027181770860970322008-09-22T12:01:00.000-07:002008-09-22T12:23:51.557-07:00Absentee Ballots<p>At last week's <a href="http://www.projectliberty.org">Liberty</a> TEG F2F in Boston, <a href="http://blogs.sun.com/hubertsblog/">Hubert</a> (the guy living in the French Alps who just recently became a US Citizen) pointed out to the rest of us that the fall Liberty Alliance Sponsor's meeting in Tokyo is taking place the week of our presidential elections here in the US.</p>
<p>So, those many of you who will be attending the meeting in person should head on down to your local registrar (or however you would do it within your state/county) and register for an absentee ballot.</p>
<p>In Virginia, they only allow absentee voting for a limited set of reasons, none of which include "I'm more comfortable voting from home" or "I don't want to have to deal with the long lines at the local precinct." I think that they should allow anybody to use an absentee ballot, regardless of reason (even if they just feel like it). I mean, that's the point, isn't it: Get the person's vote counted.</p>
<p>I also don't like the fact that some/many/all places that use absentee ballots only count them when they can make a material difference in the outcome (e.g. if the election's difference in votes is less than the total number of absentee ballots). I think that sucks. I would rather they just always count them (and perhaps start with those numbers first). Just makes sense to always count a vote. Imagine if they chose to not count a state's votes if the state's population couldn't make the difference in the outcome of a race.</p>
<p>In any case, if you're going to the meeting, be sure to get your ballot. This is sure to be an interesting election (though I wouldn't mind an <a href="http://www.barackobama.com/">Obama</a> landslide -- even if that meant that they didn't count my absentee ballot).</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/voting" rel="tag">voting</a>
/ <a href="http://technorati.com/tag/liberty+alliance" rel="tag">Liberty Alliance</a>
/ <a href="http://technorati.com/tag/absentee" rel="tag">absentee</a>
/ <a href="http://technorati.com/tag/absentee+ballot" rel="tag">absentee ballot</a>
/ <a href="http://technorati.com/tag/obama" rel="tag">Obama</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com0tag:blogger.com,1999:blog-29173677.post-20418536151452268632008-09-17T08:47:00.000-07:002008-09-17T11:26:33.197-07:00What ID-TBD means to me....<p>For those that don't know what <a href="http://groups.google.com/group/idtbd">ID-TBD</a> is, it's an effort underway trying to tie the umpteen different identity efforts together into an uber identity organization. TBD as in To Be Determined (as in, we don't want to argue over the name till we get agreement on the organization and organizational structure).</p>
<p>My main goal here is to get out of the Liberty Alliance and away from its exotic meeting locations like Singapore, Paris, Stockholm, Tokyo, Madrid, Sydney, Rome, etc. I have become an active member in the Liberty 50 (those of us who have put on an extra 50 pounds or more since starting to participate in the organization). I'm probably at the head of the line and perhaps hit my peak at around 60lbs (30 or so kilos for the rest of you guys outside the US).</p>
<p>Yes, I blame Liberty for this (not my lack of good eating habits, my desire to have hamburgers and fries for every meal -- even breakfast -- my lack of exercise, etc., etc.). It's clearly Liberty's fault. You can see it in the pictures below:</p>
<p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAi2zVw5QvOHWtYq5Fvy6gqS4yXs478bi7mpl1TSSlBfTbNTpD7qxyZI2XZciPVrDuNgDIKAYhdYK8TEi3E2uQSNcSjVfjUuY39Seiaky3eBYubS4F6qz-gN9Bxuy2lew3CftG/s1600-h/Conor-2000.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAi2zVw5QvOHWtYq5Fvy6gqS4yXs478bi7mpl1TSSlBfTbNTpD7qxyZI2XZciPVrDuNgDIKAYhdYK8TEi3E2uQSNcSjVfjUuY39Seiaky3eBYubS4F6qz-gN9Bxuy2lew3CftG/s320/Conor-2000.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5247054808382464786" /></a></p>
<p>That's me in 2001, shortly before I joined Liberty. And now, after 7 years participating in Liberty:</p>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUyy1vF5Ggcj3_oTPVetcFvDFrWsRCNJfct4A403T9oMScPm3brp-BeYn5b6PGtr8oEst-oZl815GHGw2ofg4PZfqDjtkfJDJc5YPGVb4k1mK8FUIycGMmfO_KmVOOjT7vA-1e/s1600-h/Conor-2007.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUyy1vF5Ggcj3_oTPVetcFvDFrWsRCNJfct4A403T9oMScPm3brp-BeYn5b6PGtr8oEst-oZl815GHGw2ofg4PZfqDjtkfJDJc5YPGVb4k1mK8FUIycGMmfO_KmVOOjT7vA-1e/s320/Conor-2007.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5247055281178916994" /></a>
<p>So by exiting Liberty and joining ID-TBD, I hope/expect to be able to lose my Liberty 50 and go back to my 2001 self. Even with just the announcement of the potential organization, I've made some progress in that direction:</p>
<p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrueHbm8csgsvtPLOT1mixQfWBB7zzWh6UHUAOwzAKzqE-ionJb0w81dzbtFlMEMAz1xQ4plEL859fC_4k5HEeLB9xnNMV1D5hPkCs_H6FToHc2xcEDcYIvyz_bfkxcWuT3YZs/s1600-h/Conor-2008.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrueHbm8csgsvtPLOT1mixQfWBB7zzWh6UHUAOwzAKzqE-ionJb0w81dzbtFlMEMAz1xQ4plEL859fC_4k5HEeLB9xnNMV1D5hPkCs_H6FToHc2xcEDcYIvyz_bfkxcWuT3YZs/s320/Conor-2008.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5247056799466649474" /></a>
<p>This is why I am sooo supportive of the new organization. It has nothing to do with messaging convergence, coordination, consolidation or any other such mom and apple pie reason for me. I just want to get out of the Liberty 50 group!</p>
<p><span style="font-size:78%;">Tags :
<a href="http://technorati.com/tag/liberty" rel="tag">liberty</a>
/ <a href="http://technorati.com/tag/id-tbd" rel="tag">ID-TBD</a>
</span></p>Conor P. Cahillhttp://www.blogger.com/profile/18408504477586184299noreply@blogger.com1