Internet

Don’t keep backups on your web server, even if you think they’re secret

August 10, 2018 Internet No comments

It’s good to keep backups of website’s HTML and other assets. A common way to do backups, if you’re not using some sort of version control system like Git, is to make a zip of the entire document tree. Usually it’ll just get called “website.zip” or maybe “website-20180810.zip” or whatever the current date is.

It’s a fine way to take a snapshot, but don’t leave it on your web server in your website’s document tree. The document tree is that folder where you upload the files, like /sites/mysite. If you make a zip or tarball or similar and leave it as /sites/mysite/mysite.zip, you’re asking for it to be stolen by bad guys. Maybe you’ve got PHP files in there that have secrets in them, like connection passwords to your database. Maybe you’ve got original work files like the .psd files that you created your .jpg files from. If you don’t want it seen, don’t put it in your document tree.

“No way, nobody knows it’s there”, you may think. You don’t link to the backup file anywhere, and there’s no directory listing on the server. This idea is called “security through obscurity”, and it’s not security at all. It turns out that the bad guys don’t have to know a file is there. They just have to make a lucky guess.

Here’s what brought this to mind: Today I was looking through the error log for a website I work on and noticed a series of 404s, where someone at the same IP address in China was asking for files that didn’t exist. Here are some of the files that this bot was looking for:

/web.zip
/web.tar.gz
/web.rar

Pretty logical way to start, looking for likely filenames, in all three of .zip, .tar.gz and .rar formats. Then they went looking for duplicates that would have had a sequence number added.

/web (2).zip
/web (2).tar.gz
/web (2).rar

Then they looked for variations on the site’s name (www.example.com for this example) and today’s date. Again, they’re trying all the archive formats, and now adding the .7z archive format.

/www.example.com20180810.zip
/www.example.com20180810.tar.gz
/www.example.com20180810.rar
/www.example.com20180810.7z

Now they’re trying all sorts of variations on the filename, and they’re making guesses as to what a subdirectory might be called.

/www.example.com2018.zip
/www.example.com2018.tar.gz
/www.example.com2018.rar
/www.example.com2018.7z
/www.example.com/examplecom.zip
/www.example.com/examplecom.tar.gz
/www.example.com/examplecom.rar
/www.example.com/examplecom.7z
/www.example.com/_example_com.zip
/www.example.com/_example_com.tar.gz
/www.example.com/_example_com.rar
/www.example.com/_example_com.7z
/www.example.com/examplecom.zip
/www.example.com/examplecom.tar.gz

On Apache hosts the document root is often called public_html, so that’s a good thing to try.

/www.example.com/public_html.zip
/www.example.com/public_html.tar.gz
/www.example.com/public_html.rar
/www.example.com/public_html.7z

Maybe the target site uses underscores? It’s worth a shot.

/_example_com20180810.zip
/_example_com20180810.tar.gz
/_example_com20180810.rar
/_example_com20180810.7z

And on and on it went, with all sorts of guesses at naming schemes. And why not? It’s free to make a guess. They tried all sorts of variations, like these examples:

/_example_com2018.zip
/_example_com (2).zip
/example20180810.zip
/examplecom20180810.zip
/examplecom.zip
/example_com20180810.zip
/example_com.zip
/example2018.zip
/example/examplecom.zip
/example/_example_com.zip
/example/examplecom.zip
/example/example_com.zip
/example/example.com.zip
/example/example.zip
/example/wwwroot.zip
/example/www.zip
/example/web.zip
/example/public_html.zip
/example/2018.zip
/example/2017.zip
/example.com20180810.zip
/example.com.zip
/example.zip
/example (2).zip
/ww.zip
/wwww.zip
/wwwweb.zip
/wwwroot2018.zip
/wwwroot.zip
/www.zip
/public_html.zip
/htdocs.zip
/ftp.zip
/freehost.zip
/flashfxp.zip

In under three minutes, the bot tried 307 different variations trying to find a backup file in my root directory. This is why security through obscurity doesn’t work. The bot doesn’t have to know the file is there; it only has to guess right once.

Stay safe. Keep your backups out of the document tree, or better yet, off the web server entirely.
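The scan described above leaves a very recognizable trail: one client address collecting a burst of 404s for archive-looking paths. The following is an added example, not code from the original post, that parses Apache combined-format access log lines and flags any IP with a run of such 404s inside a short window. The log lines, addresses and threshold values are all constructed for the example.

```python
"""Spot archive-name guessing in an Apache access log.

Added example, not part of the original post. It parses lines in the
Apache 'combined' format and flags any client IP that collects many 404s
for archive-looking paths (.zip, .tar.gz, .rar, .7z, ...) inside a short
window, which is the pattern the post describes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, one request per line. Request paths with
# spaces (e.g. "web (2).zip") arrive URL-encoded, so \S+ is enough here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions a backup-hunting bot asks for (extended a little beyond the
# four formats in the post; the list is an assumption, adjust to taste).
ARCHIVE_RE = re.compile(r'\.(zip|tar\.gz|tgz|rar|7z|bak|sql)$', re.IGNORECASE)
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Constructed sample log: one scanner, one legitimate visitor downloading
# a real archive (status 200), and one stray single guess.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2018:09:14:01 -0500] "GET /web.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2018:09:14:01 -0500] "GET /web.tar.gz HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2018:09:14:02 -0500] "GET /web.rar HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2018:09:14:02 -0500] "GET /www.example.com20180810.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2018:09:14:03 -0500] "GET /public_html.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2018:09:14:03 -0500] "GET /htdocs.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Aug/2018:09:15:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Aug/2018:09:15:11 -0500] "GET /downloads/press-kit.zip HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2018:10:02:00 -0500] "GET /old-site.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], TS_FMT)
    rec['status'] = int(rec['status'])
    return rec


def archive_probes(lines):
    """Map each client IP to the timestamps of its 404s for archive-looking paths."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != 404:
            continue
        path = rec['path'].split('?', 1)[0]   # ignore any query string
        if ARCHIVE_RE.search(path):
            probes[rec['ip']].append(rec['ts'])
    return probes


def flag_scanners(lines, threshold=5, window=timedelta(minutes=3)):
    """Return {ip: peak_count} for IPs with >= threshold archive 404s in any window."""
    flagged = {}
    for ip, stamps in archive_probes(lines).items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == '__main__':
    for ip, n in flag_scanners(SAMPLE_LOG.splitlines()).items():
        print(f'{ip}: {n} archive-name guesses returned 404 within 3 minutes')
```

Run against a real access log with `flag_scanners(open('/var/log/apache2/access.log').read().splitlines())`; a genuine visitor fetching one published archive gets a 200 and never counts, and a single stray guess stays under the threshold. The detection is only the second line of defense, though: the first is the post's own advice, keep the archive out of the document tree so that every one of those guesses is a 404 rather than a download.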

Why I’m finally leaving GoDaddy

February 6, 2012 Internet 7 comments

I watched the Super Bowl last night, and GoDaddy’s annual brain-dead skinfest reminds me that I have domains to transfer off of this embarrassment of a company. I’ve already transferred away a half dozen, and have nine more coming up for renewal in the next eight months. All will be transferred to new registrars.

I’m not leaving GoDaddy because their TV ads are demeaning to women.

It’s not that their TV ads are demeaning to viewers.

It’s not that their home page currently features seven sexualized women in the first screen. Even playboy.com only has three.

It’s not that they supported SOPA.

It’s not that they changed their stance on SOPA in the face of predictable public backlash.

It’s not that their user-facing admin screens were designed by an orangutan on meth and a committee from Marketing.

It’s all of it. Put together, GoDaddy prove themselves to be buffoons.

The SOPA turnaround was especially telling. The company figured it could come out with some good PR by taking a stand on SOPA, and bailed when they found out they were on the wrong side of it. “Go Daddy will support it when and if the Internet community supports it” said a press release. That’s hardly inspiring, GoDaddy. If you’re going to come out and support legislation, do it because it’s the right thing to do, not because “the Internet community” says so.

Worst, how can I support a company that treats me with such contempt? Every part of every admin process is filled with pitches for add-on services that obscure what I want to do. Bob Parsons thinks that I’m going to be swayed to use his company because they’re edgy enough to show skin.

GoDaddy thinks I’m stupid. And maybe I was for sticking with them for this long. No more.

For me, I’ve been moving my domains to pairNIC and dynadot. Some people have recommended gandi.net, but I think that any company that sells itself with a tagline of “no bullshit™” is only slightly less buffoonish than selling with the Pussycat Dolls.

If you’re using GoDaddy as a registrar, I ask you to consider the contempt with which GoDaddy holds you in next time it’s time to renew your domain names.

Where to find me online

October 4, 2011 Internet, Social No comments

Although I mostly write to my blog and my Twitter feed, here’s a dump of most of my online presences.

petdance.com
My blog is where I post about technology and job hunting and careers.
@petdance on Twitter
My main outlet for posting short thoughts and links to interesting stuff. (I try not to engage in conversation on Twitter, because I think it’s annoying for everyone but the two people involved in the conversation.) If you were following @theworkinggeek or @techworklove on Twitter, switch to @petdance.
Perlbuzz
Perl news and the occasional original article. Most of the blog traffic is a weekly recap of the news bits posted to the @perlbuzz Twitter feed.
Facebook
I’ve whittled down my Facebook friend roster to mostly friends and family and people I know in day-to-day life. I’ve found that I’m not interested in the day-to-day lives of people I only know from the world of open source. Therefore, most of the friend requests I get from people I only know online get ignored.
Google+
I’m not sure how I’m going to wind up using Google+. Mostly I’ve been posting longer-form blurbs or embedding media.
Slideshare and Speakerdeck
I’ve always been posting slides of my talks on Slideshare, but Speakerdeck has just popped up and I like their interface much more, so I’ve put some content there, too. Look for Speakerdeck to gain more traction in the programming community.
LinkedIn
I have yet to have anything useful come out of LinkedIn, but I maintain a network there as well. My rule for adding someone as a contact on LinkedIn is that it has to be someone with whom I’ve actually worked on a project.
Github
Github is where I host most of my open source projects. Love love love.
Flickr and twitpic
I’m not at all a photographer, but there you go.

Did I forget one? Leave me a comment.

Band naming made easy

August 9, 2011 Internet 1 comment

My friend Rob Warmowski has a new band named Sirs. They have a show coming up with another band opening for them. The second paragraph is key.

Join Sirs Saturday, August 20 at 4 PM with a live performance to celebrate the release of our 12″ EP “Boo Hoo”. Where better to do this than at Saki, the fine purveyor of records located at 3716 W. Fullerton in Chicago? Nowhere, that’s where.

Opening band: Small Trabajo. (Note: nobody in Small Trabajo yet knows that their name is Small Trabajo. We were told by store staff that the band, being very new, was having a hard time coming up with a band name. Hearing this, I went to the first Captcha I could find (http://captcha.net) and solved the problem immediately.)

The Internet has a solution for every problem!

401 passwords Twitter won’t let you use

July 25, 2011 Internet, Programming 2 comments

Twitter has a list of 401 passwords that they disallow, not because of content, but because of how commonly used they are. A common password is easier for a bad guy to guess. None of these are passwords you’d want to use anyway, because they’re so easily guessable by a simple dictionary attack. Bad guys have lists like this anyway, and Twitter is trying to make the most common and unsafe passwords unusable. I wonder how many people would use “111111” as a Twitter password if allowed.

The list is embedded in the JavaScript of the website. Search in the page source for “BANNED_PASSWORDS”. The list is ROT13-encoded, but with Perl that’s trivial to decode:

$str =~ tr[a-mn-z][n-za-m];

As you might expect, the list contains a fair amount of profanity and sexual language, and geek words like “ncc1701”, “thx1138” and “rush2112”, but also plenty of sports teams like “steelers”, “broncos” and “arsenal”. Many common names like “jennifer” and “michael” show up as well. Note that shorter passwords like “asdf” aren’t included because Twitter requires a minimum of six characters for passwords anyway.

As I write this today, there are 401 passwords in the list, which is 31 more than were reported in 2009. It seems from that article that they weren’t ROT13ed at the time.
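The decoding step above is a one-liner in Perl; here is the same idea carried through in Python as an added example (not Twitter’s code and not from the original post): pull the BANNED_PASSWORDS array out of a page’s JavaScript, ROT13 it back with the same a-m/n-z swap the Perl tr does, and then apply the two rules the post describes, a six-character minimum and a case-insensitive denylist check. The JavaScript snippet is a constructed stand-in for the real page source, and the seven entries in it are chosen to match words the post mentions.

```python
"""Decode a ROT13-obfuscated password denylist out of page JavaScript and
apply it as a policy check. Added example, not Twitter's code; SAMPLE_JS is
constructed to mimic the shape the post describes (a BANNED_PASSWORDS array).
"""
import re
import string

# Constructed stand-in for the website's JavaScript. Entries are ROT13 of
# "111111", "password", "jennifer", "michael", "steelers", "ncc1701", "thx1138".
SAMPLE_JS = """
var MIN_LENGTH = 6;
var BANNED_PASSWORDS = ["111111", "cnffjbeq", "wraavsre", "zvpunry",
                        "fgrryref", "app1701", "guk1138"];
"""

# Same mapping as the Perl  tr[a-mn-z][n-za-m]  in the post: lowercase only,
# digits and everything else pass through untouched.
_LOWER = string.ascii_lowercase
_ROT13 = str.maketrans(_LOWER, _LOWER[13:] + _LOWER[:13])


def rot13(s):
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return s.translate(_ROT13)


def extract_banned(js_source):
    """Find the BANNED_PASSWORDS array in JavaScript source and return the decoded set."""
    m = re.search(r'BANNED_PASSWORDS\s*=\s*\[(.*?)\]', js_source, re.DOTALL)
    if not m:
        return set()
    encoded = re.findall(r'"([^"]*)"', m.group(1))
    return {rot13(entry) for entry in encoded}


def password_allowed(candidate, banned, min_length=6):
    """Twitter's two rules as the post describes them: length floor, then denylist.

    The comparison is case-insensitive so "Password" does not slip past a
    lowercase list (an assumption about the site's behaviour, not stated in the post).
    """
    if len(candidate) < min_length:
        return False
    return candidate.lower() not in banned


if __name__ == '__main__':
    banned = extract_banned(SAMPLE_JS)
    print(sorted(banned))
    for pw in ['password', 'asdf', 'ncc1701', 'correct horse battery']:
        print(f'{pw!r}: {"ok" if password_allowed(pw, banned) else "rejected"}')
```

Because ROT13 is symmetric, `rot13()` is the decoder and the encoder, which is all the obfuscation on the page amounts to: it hides the words from a casual "view source", not from anyone who cares to look. The check itself belongs on the server as well as in the browser, since a client-side list is trivially bypassed.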

The full list (slightly expurgated) follows:

Use Google Alerts to monitor your online presence

January 7, 2010 Career, Internet, Job hunting 1 comment

Next time you apply for a job, the hiring manager is going to Google your name and see what she finds. Do you know what people say about you? About things you’ve written? You should.

Google Alerts is a fantastic little tool that I don’t hear people talk about enough. Google Alerts lets you enter a Google search once, and Google will update you whenever the Googlebot finds new matches for your search, often within only an hour or two of the page’s publication.

The most obvious Alert search is your name, as a phrase in double quotes, but that’s just the start. Here are some more ideas:

  • Your name (“Andy Lester”)
  • Your nick (“petdance”)
  • Your email address (“andy@theworkinggeek.com”)
  • Your company’s name
  • Resumes related to your job market in your area of expertise (I have an alert for “resume Perl Chicago”, but without the quotes)
  • Titles from blog postings you’ve made
  • Links to specific blog postings you’ve made using the link: syntax

Keep an eye on the results. It’s not vanity, it’s understanding your personal brand.

For more of my suggestions of how to improve your working life in 2010, see the January 2010 issue of PragPub magazine. It’s a free download in three different electronic formats: PDF, ePub and mobi.