Entries Tagged 'Security info'

Protecting sensitive data from snoopers

The unfortunate fact is that recorded listings are still unavailable on Niteflirt, and there are customers who were able to listen who did not feel comfortable downloading them to their computer, where someone else in the household might find them.

There are options. Probably the easiest one is to download them directly onto a USB flash drive or a memory card, then pull them from the computer when not using them. Any memory card can fit in its case in a wallet, and some USB flash drives are small enough to do this with, too.

However, these can still be password-protected in case they are lost or just found by the wrong person.

Using file compression and its accompanying password capability to protect a folder or file:

This is an old post. The same may or may not apply to later versions.
Article
USB Drive Encryption
Cryptainer LE
Folder Password Expert
StorageCrypt

Googling on “password-protect USB flash drive” and other similar phrases will turn up lots of other options.

Safeguarding your files

Let’s say you have your own domain. You have uploaded files, say, photos, and you intend to sell access to those photos. You don’t want to give access to anyone who doesn’t pay. All you want is to sell access to photo sets by email, not start a members’ area where someone could have full access to all the files you might have.

If you’ve read this far, you probably aren’t sure how to go about this. There are a lot of ways to do it, many of them requiring a fair amount of technical expertise.

I’m going to skip around those and give the one that is the easiest to use that I know of.

Let’s say I have a domain named mydomain.com. The URL of that domain is http://mydomain.com. If I have an ‘images’ folder, as many people do, the URL would be http://mydomain.com/images/. If you have an image in there named myimage.jpg, the URL of that image is http://mydomain.com/images/myimage.jpg.

The first thing you need to do is check to see what happens if you go to that /images/ directory by typing in the address http://mydomain.com/images/. It is often the case that typing in a folder name will by default send you to an index page you have in that folder. But if you don’t have an index page in that folder (because maybe you didn’t put one there), depending on how your server is set up by your host, you may see a default directory page that has clickable links to all your images.

This is a bad thing, as anyone who knows you have an /images/ folder (or anyone who guesses you have one) can see everything you have in there. You may want to contact your host to see if they will change that, or you can simply create and upload a blank index page.

Open Notepad (Start=>Accessories=>Notepad), select File=>Save As. In the window that pops up, choose where you want to save it on your computer first, so you won’t forget where you put it. Type index.html in the “File name” box. Change “Save as Type” from “Text Documents (*.txt)” to “All Files”. Then click Save.

Upload the file into any directory that doesn’t already have an index file of some sort.

Now, let’s say you want to sell someone a set of files named reddress1.jpg, reddress2.jpg, and reddress3.jpg. You may want to sell multiple sets. It’s really convenient to name them like that, because it makes it easy for you to see what you have and work with it. But it also makes it easy for someone else to guess what else might be there. So if someone who bought Set 1 guessed that Set 2 contained reddress4.jpg, reddress5.jpg, and reddress6.jpg, then typed those in, they could very well find them. They might also go looking to see what you named your other photo sets, based on your sales info.

Obviously that’s way too easy. Here’s what I do. I append a random string to the end of the file or folder I am giving access to, using PassUtils, a free password generator. Unzip it and install it. To use it just open and uncheck the “punctuation box”, because having punctuation in a filename can mess up opening that file. Create as many passwords as you like. Then right click each password and copy the password to your clipboard. Rename your files one at a time by right clicking in a Windows ‘Save As’ or ‘Open’ window, or in FTP, by right clicking and selecting ‘Rename’. The name will be selected. Hit the right arrow to put the cursor to the end of the file name, between the file name and the file extension. Type an underscore ‘_’ or hyphen ‘-’, then copy in the random string.

The goal is to change the file ‘reddress1.jpg’ to ‘reddress1_6cYm2FTg.jpg’. Now you can still read what the file contains based on what you named it, but nobody can possibly guess correctly what you named it to access it without permission.

You can also do the same thing with folders containing multiple images. If you sell a single set of images in a folder named /Set1_6cYm2FTg/, nobody can guess the folder name, and you can still give the photos easy names inside the folder.
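The two steps above (a blank index.html in any folder without one, then an unguessable suffix on each file or folder name) can be scripted instead of done by hand. The following is an added example, not code from the original post; it uses Python’s secrets module in place of PassUtils, and the three reddress files it creates in a temporary folder are constructed stand-ins, not real photos.

```python
import os
import secrets
import string
import tempfile
from pathlib import Path

# Letters and digits only: punctuation is left out for the same reason the post
# unchecks the "punctuation" box in PassUtils; it can break file names and URLs.
ALPHABET = string.ascii_letters + string.digits


def random_suffix(length=8):
    """Return a suffix drawn from the OS's cryptographic random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def suffixed_name(filename, suffix):
    """Put '_<suffix>' between stem and extension: reddress1.jpg -> reddress1_6cYm2FTg.jpg."""
    stem, ext = os.path.splitext(filename)
    return f"{stem}_{suffix}{ext}"


def ensure_blank_index(directory):
    """Create an empty index.html if the folder has no index file of any kind,
    so the server never falls back to a directory listing. Returns True if created."""
    directory = Path(directory)
    for existing in directory.iterdir():
        if existing.name.lower().startswith("index."):
            return False
    (directory / "index.html").write_text("")
    return True


def rename_set(directory, filenames, suffix_length=8):
    """Rename each listed file with a fresh random suffix. Returns {old: new}."""
    directory = Path(directory)
    mapping = {}
    for name in filenames:
        new_name = suffixed_name(name, random_suffix(suffix_length))
        (directory / name).rename(directory / new_name)
        mapping[name] = new_name
    return mapping


def run_demo():
    """Build a throwaway 'images' folder with three constructed sample files,
    protect it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp) / "images"
        images.mkdir()
        originals = ["reddress1.jpg", "reddress2.jpg", "reddress3.jpg"]
        for n in originals:
            (images / n).write_bytes(b"\xff\xd8\xff")  # placeholder bytes, not a real photo
        created = ensure_blank_index(images)
        renamed = rename_set(images, originals)
        remaining = sorted(p.name for p in images.iterdir())
    return {"index_created": created, "renamed": renamed, "remaining": remaining}


if __name__ == "__main__":
    result = run_demo()
    print("blank index created:", result["index_created"])
    for old, new in result["renamed"].items():
        print(f"{old} -> {new}")
```

Eight characters from a 62-symbol alphabet is roughly 47 bits of guesswork, plenty against someone typing names into an address bar; keep the suffix in a sales spreadsheet, because you will not be able to reconstruct it either.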

Hotlinking

Hotlinking is when somebody uses an image that isn’t theirs in another page by linking directly to the image URL.

It’s a form of stealing. They don’t have the right to use that image, as it belongs to somebody else. But they are also “stealing bandwidth”. When an image loads, the domain that is hosting it pays for the bandwidth out of their bandwidth limit. If people are visiting your site and seeing your image when they look at your page, then it is worth it to you. But if somebody else puts your image on display elsewhere without telling you, and it loads a lot, you can end up having to pay a big premium or get shut down by your host for exceeding their bandwidth limits.

The only way to find this out is to look at your server records. If you see a lot of hits from some site you don’t have a link on, and the page you have loading is actually an image, you’ve probably found a hotlinker.
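Here is what that log check looks like when scripted. This is an added example, not code from the original post: it parses Apache “combined” format lines, keeps only successful image requests, and groups them by the referring site whenever that site is not your own. The five log lines are constructed, the TEST-NET addresses and forum.example are placeholders, and mydomain.com is the page’s own example domain.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format:
# ip - - [time] "METHOD /path HTTP/1.x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")

# Constructed sample log; only the forum lines are hotlinks.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2008:12:00:01 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2008:12:00:02 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 84211 "http://mydomain.com/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:12:05:10 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 84211 "http://forum.example/viewtopic.php?t=42" "Mozilla/5.0"
198.51.100.8 - - [10/Feb/2008:12:05:11 -0500] "GET /images/kiss.jpg HTTP/1.1" 200 84211 "http://forum.example/viewtopic.php?t=43" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2008:12:06:00 -0500] "GET /images/kiss.jpg HTTP/1.1" 404 512 "http://forum.example/viewtopic.php?t=44" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from the Referer header, or '' when it is blank or '-'."""
    if not referer or referer == "-":
        return ""
    return (urlsplit(referer).hostname or "").lower()


def find_hotlinks(lines, my_host):
    """Successful image hits whose referer is some other site.
    Returns {referer_host: {image_path: (hits, bytes_served)}}."""
    hits = defaultdict(Counter)
    served = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # skip unparseable lines and failed requests
        if not rec["path"].lower().endswith(IMAGE_EXTS):
            continue  # only images matter here
        host = referer_host(rec["referer"])
        if host == "" or host == my_host or host.endswith("." + my_host):
            continue  # own pages or no referer: not a hotlink
        hits[host][rec["path"]] += 1
        served[host][rec["path"]] += int(rec["bytes"]) if rec["bytes"] != "-" else 0
    return {h: {p: (hits[h][p], served[h][p]) for p in hits[h]} for h in hits}


if __name__ == "__main__":
    for host, images in find_hotlinks(SAMPLE_LOG, "mydomain.com").items():
        for path, (n, nbytes) in images.items():
            print(f"{host} loaded {path} {n} times ({nbytes} bytes)")
```

Browsers and privacy tools sometimes blank the Referer, so a hotlink can show up as direct hits; a sudden jump in hits on one image with no matching page views is the other tell.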

One girl found a hotlinker this way. Some meathead had found a full-size image on her site of two girls kissing and was using it as his avatar in an Irish soccer forum. Many forums will upload an image off the web and resize it. This one just resized the image using height and width tags. So the full image was loading for every forum post he wrote, for every viewer who looked at any page he had a post on.

I think a couple of us joined the forum and posted that he did not have the right to do this. He was pretty arrogant about it. And this guy was a moderator! So she changed the name of the photo on her server and replaced it with an advertisement. I sent an email to the admin, who sent me back an apology. I guess there was going to be an email going out to forum members on that.

So first, the image must be hosted on your server so you have control of image names. This won’t work with any other image hosting, as they generate unique image names that you can’t change.

Here’s an image somebody might be using as a background:


Upload a new image you have chosen specially for the thieves. Change the link on your own webpage and rename the original image to match it. Now change the name of the special image, and your chosen image will appear on the site where the hotlink appears.

Like this:

The fun part is that you can put anything you want in there. Somebody who right-clicked your image url to use it may very well not have used height and width tags on that image. So you could substitute a gigantic image for a small one.
Like this:

If the original image is a .gif rather than a .jpg image, you can substitute an animation, which can really get the attention of viewers.
Like this:

Here’s a link to a blog post where the writer got tired of people stealing his content. For him, the issue was not images, but text that other people were stealing. What he did was make a tiny clear .gif image and include it in the code. It did not show, so if somebody stole his text and didn’t realize they were getting an image, they might end up unwittingly hotlinking to it.

Most content thieves don’t do that, but eventually one did. It’s pretty funny when they do. All the author had to do was switch out the tiny, transparent image for one that got his message across.

If you catch someone like this and pull this switcheroo, make sure you take a screenshot so you can show everyone. And if you substitute an animated one, try to get a video screen capture.

They can read your source code…

There are a lot of means of “protecting” your photos, text, or site itself that can leave you vulnerable, thanks to the fact that anyone can click “View => Source” in just about any browser. Now if your security measures include javascript, commonly used to disable the right click menu—among other things—the surfer can still look at your source code to see what you’re hiding. Some people will be made more curious by the fact that you’re obviously hiding something, even though they might have right-clicked on a photo just to see who your image host is.

Also, keep in mind that javascript only works when it is turned on. Most scripts have no effect when the user turns off javascript, as many users do.

Anyway, anyone who wants your photos badly enough can always take a screenshot of your page to snag your images.

It’s best to prominently watermark all photos of any size, so at least if anybody saves them, your character name, website, contact info, etc., will always be with the photos.

Here’s a little tale of a website which had a javascript login protecting its membership area. It was a simple issue for someone with even half an idea of how javascript works to look at the code and figure out how to get in. Having a security method which is useless like that is worse than having none. Clearly they put things in the private area thinking they were secure, rather than completely accessible to anybody curious enough to look.
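The lesson of that tale is that the check has to happen where the visitor cannot read it. The following is an added example, not the site’s code: a server-side login in Python that stores only a salted hash of the member password, compares in constant time, and hands back a signed, expiring token for the private area. The signing key and the password hash live only on the server, so “View Source” on the login page shows nothing worth having. SERVER_KEY is generated at startup here as an assumption; a real site would load it from protected configuration.

```python
import hashlib
import hmac
import os
import secrets

# What the tale describes, paraphrased as a comment: a page whose script did
# something like `if (password == "letmein") location = "/members/"`. The
# secret ships to every visitor in the HTML, so it protects nothing.

# Assumption: in real use this comes from server-side config, not the code.
SERVER_KEY = secrets.token_bytes(32)


def make_record(password, iterations=200_000):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record, attempt):
    """Recompute the hash for the attempt and compare without leaking timing."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def issue_token(username, expires_at):
    """Sign 'username|expires_at' with the server key; this is what goes in the cookie."""
    payload = f"{username}|{expires_at}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def check_token(token, now):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        username, expires_at, sig = token.split("|")
        expected = hmac.new(SERVER_KEY, f"{username}|{expires_at}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered username, expiry or signature
        if int(expires_at) < now:
            return None  # expired
    except ValueError:
        return None  # malformed token
    return username


if __name__ == "__main__":
    members = {"jane": make_record("correct horse battery staple")}  # constructed member
    ok = verify_password(members["jane"], "correct horse battery staple")
    token = issue_token("jane", expires_at=2_000_000_000)
    print("login ok:", ok, "| token grants:", check_token(token, now=1_900_000_000))
```

The page sending the login form can be plain HTML with no script at all; the server does the verifying and reads the token on every request to the private folder.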

HACKED!

Dealing with blog comment spam

Lots of people are just getting started on WordPress, installing their first blog on their site or getting a free blog somewhere. They’ll soon learn about blog comment spam.

Readers can comment on your blog entries. If you write interesting or controversial blog entries and you have a lot of readers, you can sometimes get some lively discussions going in the comments.

Blog comments are good. Blog comment spam is bad.

What is blog comment spam?

It is everything from links to free porn, drugs, spyware, trojans, dialers, and scams to otherwise legitimate affiliate links. These are spammed to your blog in massive numbers, thanks to the fact that WordPress blogs share a common comment entry form, which bots have been designed to recognize and spam.

Obviously, the reason they’re doing it is that people do click those links and get suckered in. It’s a dirty secret that corporate America makes big bucks when their affiliates spam anyone and everything hundreds or thousands of times.

You could easily get hundreds of spam comments a week on a popular blog.

WordPress’s answer to this was to give you a moderation list of terms to put certain comments into a moderation queue in your admin area, and a blacklist to send comments containing certain words into oblivion. I tried this, but it was of limited usefulness, as spammers got sneakier and came up with new ways to fake out the blacklist.

So what can you do?

First of all, you have to moderate your blog comments. A blog with unmoderated comments will rapidly get buried in spam comments, and nobody will want to wade through them to try to read your blog, even if you try to remove them as soon as possible after they arrive.

Go to Options => Discussion. Select the first two options from this menu:

Make sure you resave the page.

So now your comments will form a queue in your admin area, and you will have to approve or delete them. This gets old really fast if you get a lot of spam. It’s easy to miss the real thing when you’ve got hundreds of comments to inspect and maybe only a few that are really comments.

The next thing I did was to install Akismet, a WordPress plugin which uses a database of known spam to detect suspected spam and put it in its own moderation list. Not bad, at least at first, but you still have to moderate them. And once in a while, Akismet does catch real comments in its snare. After you reach a certain threshold, Akismet is not enough, like here:

No kidding.

I was getting really annoyed at the situation. Next I installed Bad Behavior, which observes behavior to separate out the people from the bots. I also added Spambam, yet another anti-spam plugin that does a delaying tactic before accepting comments.

I don’t have a spam problem anymore on any of my blogs. If I do have a problem, I’ll let you know how I deal with it. There are plenty more plugins out there where these came from.
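To make the layers concrete, here is a small comment triage routine as an added example. It is not code from WordPress, Akismet, Bad Behavior or Spambam, only an approximation of the three ideas in the post: a blacklist that discards outright, a moderation list that queues, and a behaviour check that treats a form submitted faster than a human could type it (the delaying tactic) or with no browser identification as a bot. The terms, thresholds and sample comments are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Comment:
    author: str
    body: str
    seconds_to_submit: float  # time between the form being served and submitted
    user_agent: str


LINK_RE = re.compile(r"https?://", re.IGNORECASE)
# Constructed lists; the ones WordPress gives you are edited under Options => Discussion.
MODERATION_TERMS = {"casino", "viagra", "free porn", "mortgage"}
BLACKLIST_TERMS = {"dialer", "trojan"}
MIN_SUBMIT_SECONDS = 5.0  # assumption: nobody reads a post and types a reply faster
MAX_LINKS = 2

# Undo the cheapest blacklist dodges (v1agra, c4sino) before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    return text.lower().translate(LEET)


def classify(comment):
    """Return 'spam' (drop), 'moderate' (queue for review) or 'approve'."""
    text = normalize(f"{comment.author} {comment.body}")
    if any(term in text for term in BLACKLIST_TERMS):
        return "spam"
    # Behavioural signals: bots post instantly and often send no User-Agent.
    if not comment.user_agent or comment.seconds_to_submit < MIN_SUBMIT_SECONDS:
        return "spam"
    if len(LINK_RE.findall(comment.body)) > MAX_LINKS:
        return "moderate"
    if any(term in text for term in MODERATION_TERMS):
        return "moderate"
    return "approve"


def triage(comments):
    """Split a batch into the three queues."""
    queues = {"spam": [], "moderate": [], "approve": []}
    for c in comments:
        queues[classify(c)].append(c)
    return queues


if __name__ == "__main__":
    # Constructed sample comments.
    batch = [
        Comment("Reader", "Great post, I had the same problem with Akismet.", 42.0, "Mozilla/5.0"),
        Comment("x", "cheap v1agra here", 30.0, "Mozilla/5.0"),
        Comment("x", "see http://a.example http://b.example http://c.example", 30.0, "Mozilla/5.0"),
        Comment("x", "nice blog", 0.4, "Mozilla/5.0"),
        Comment("x", "download the dialer now", 30.0, ""),
    ]
    for queue, items in triage(batch).items():
        print(queue, [c.body for c in items])
```

Ordering matters: the outright discards run first so nothing in the blacklist ever reaches the moderation queue, and a legitimate reader who pastes three links still gets a human look rather than the bin.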

Should you open that e-greeting card?

In case there’s any question in your mind, here’s one I got today. I used Opera to view it, which gave it those nice little popups.


Paypal phishing email

I got a ‘Paypal’ phishing email. Hopefully most everyone is familiar with these, but just in case, I’m posting here.

They send you a random email saying there has been suspicious account activity, and helpfully suggest you click the link provided to log in and verify your account.

Not always, but often the emails look very official. This one came to the address I actually use for Paypal, but I have also received them at almost every active email account I have ever had.


First of all, notice that nowhere does the email have my account name on it, which official emails do. Also, look at that little yellow box. In Opera, when you move your mouse pointer over a link, a box like that will pop up and tell you where the link actually is going to send you. In other browsers, this link will show up at the bottom of the page.

That link doesn’t look anything like any official Paypal URL you have ever seen.

If you were to actually click the link, it would probably take you to an official-looking login page. Were you to log in, whoever sent you this would not only have control of your Paypal account, but they would probably also be installing all kinds of malware and viruses on your computer.

If you ever have any question as to your account status at Paypal, Ebay, or anywhere else, type the URL into your address bar and go there normally.
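The two tells in the post, a link whose real destination differs from what it shows and a message that never uses your account name, can be checked mechanically before anyone hovers a mouse. The following is an added example, not code from the original post: it pulls every link out of an HTML email with Python’s html.parser and flags any whose destination host is not on a trusted list or whose visible text names a different host. The sample email is constructed, the 203.0.113.9 address is a placeholder, and the trusted-host list is an assumption you would set for the senders you actually deal with.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the genuine sender would link to. Subdomains are accepted.
TRUSTED_HOSTS = {"paypal.com"}

# Constructed phishing sample: the visible text shows a paypal.com address,
# the href goes somewhere else, and the greeting never names the account.
SAMPLE_EMAIL = """
<p>Dear PayPal member,</p>
<p>We noticed suspicious activity on your account. Please visit
<a href="http://203.0.113.9/~upd/login.htm">https://www.paypal.com/cgi-bin/webscr</a>
to verify your account.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def host_in_text(text):
    """Hostname the link text appears to show, or '' if the text is not URL-like."""
    t = text.strip()
    if " " in t or "." not in t or t.endswith("."):
        return ""
    return host_of(t if "://" in t else "http://" + t)


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links that fail either check."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown_host = host_in_text(text)
        reasons = []
        if not is_trusted(real_host):
            reasons.append("destination host not trusted")
        if shown_host and shown_host != real_host:
            reasons.append("visible text points elsewhere")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


def greeting_is_generic(html, account_name):
    """True when the message never mentions the account name the real sender would use."""
    return account_name.lower() not in html.lower()


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} really goes to {href}: {', '.join(reasons)}")
    print("generic greeting:", greeting_is_generic(SAMPLE_EMAIL, "jane_doe"))
```

The check is deliberately conservative: a link whose text is just “Help Center” is judged only on where it goes, while a link that displays one address and resolves to another is flagged no matter where it goes.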

Update 02-27-08:
Here’s another Paypal phishing email I just got today. This email said my account had been suspended for endangering all of Paypal. Look where this link would take you!