Walter Soldierer’s Blog

Whenever I take a look at our web server log files, I am amazed how many robots are trying to hack their way into our machines every day. And whenever I help a friend or neighbor to fix a computer problem, I need to explain even the most essential safety measures as most PCs are infected with some trojan or virus already. Computer and network security is a big issue, don’t underestimate the risks. I first noticed this years ago when I installed a free personal firewall on my PC. Only seconds after the program started to do its job, it alerted me of suspicious activity on ports and protocols that I even didn’t know existed. Steve Gibson calls this activity Internet Background Radiation. Much of this is not merely junk but malicious traffic. To protect my personal computers, data, and privacy, I have taken a number of simple security measures which I want to share with you. (more…)

When I heard Steve Gibson talk about the Ironkey I wanted to have one. Its basically a USB storage device with strong hardware encryption built in. In a earlier post about encryption I said

“Some USB drives (SanDisk, Lexar, Kingston, IronKey) have hardware encryption built in, but when it comes to encryption, I prefer to stay away from proprietary implementations.”

Well, the Ironkey is proprietary of course. However, after Steve’s interview with Ironkey’s CEO I was very curious how the thing would actually work. For my daily needs Ironkey’s level of security is more than I need anyway. And I’m not a big fan of conspiracy theories. Ironkey is very likely not a subsidiary of the NSA. And should I ever be concerned about some government agency breaking into it, I can still encrypt the data on my Ironkey with PGP. Call me paranoid but actually I run a copy on the Ironkey and use it to encrypt the hundreds of entries in my master passwords file.

Gnu Privacy Guard (GPG) is an open source PGP clone. It uses strong encryption to protect emails as well as files and folders. For encrypting drives, folders, and files I use a different piece of software (Truecrypt). GPG is my encryption tool for email. The majority of email traffic on the Internet still goes unencrypted, which still amazes me. Many email users don’t know that their email can be easily intercepted and read. PGP’s documentation compares sending email to sending paper postcards, and rightly so. There is no envelope. Any person having access to a mail server or a router could read or automatically filter the many emails that are processed every day. Wireless connections are even more of a problem. There is software which can make email data visible if it is sent over an unencrypted WLAN connection.

So do I encrypt all my email? No. I wish I could, but none of my friends and colleagues uses email encryption. There is only two things I can do: Download my mail with a secure protocol to at least encrypt the last hop, and never forget that emails are like paper postcards that not only the postman can read.

Free encryption software (1): Introduction
Free encryption software (2): File encryption on USB flash drives
Free encryption software (3): Hard disc encryption

In an effort to meet accessibility requirements, I was looking for tools to check whether users with a variety of color blindness conditions can actually use our websites. Posters and brochures can already be difficult to read for color blind people. On web sites another dimension is added to this problem because certain features may be rendered useless by choosing a bad color palette. Colored links for example, if not underlined, may not be seen as links because they appear to be of the same color as all other text.

(more…)

I have been doing do a lot of email marketing lately. Our email marketing service does a pretty good job at removing records with an invalid email address from the imported data set. However, some invalid addresses still slip through and cause unnecessary bounces and license costs. We therefore need to correct or remove all invalid addresses before we import them. Some can be easily corrected without involving the subscriber, like

someone@hotmail
someone @ yahoo.com
someone@gmail.cmo

Others can be removed from the subscriber list because they originate from fake subscriptions, like test@justtesting.

I was looking for an online tool to clean up an email address list but could only find tools that process one address at a time. So I read RFC 3696 to learn more about valid email address formats and wrote my own. The tool does email format checks for most of the RFC requirements. It also queries the email domain’s DNS server to look for MX and A records.

(more…)

For one of our current projects I was looking for a way to validate strong passwords with regular expressions. Form field validation requirements are defined as a regex in the database properties for the field, so the easiest way to set up secure passwords was using this method. I found many examples for regular expressions but they all lacked one important feature. To avoid SQL injection issues or html formating issues we need to limit the characters allowed in passwords, and all regular expressions that I found on the web would not allow us to do this. Many of the examples posted also contained useless or redundant patterns. Here is my own pattern, which works in Perl, PHP, Java, and .Net. Needless to say that regex engines based on the old POSIX standard will not support something cryptic like this (read as one line):

(?=^[\w ,\.;:/\!@\#\$%&\*=\-\+\(\)\[\]\{\}\|]{10,}$)
(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)

- ten or more characters long
- one or more a-z
- one or more A-Z
- one or more 0-9
- one or more    ,.;:/!@#$%&*=-+()[]{}|   (includes space)

You can easily test this pattern using online tools for different languages:

Perl (PCRE, surround pattern by ” “)
PHP (surround pattern by # #)
Java
.Net