<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TechMiso &#187; Features</title>
	<atom:link href="http://techmiso.com/category/features/feed/" rel="self" type="application/rss+xml" />
	<link>http://techmiso.com</link>
	<description>Tech evangelism and Miso soup like no other</description>
	<lastBuildDate>Fri, 23 Mar 2012 04:48:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<atom:link rel='hub' href='http://techmiso.com/?pushpress=hub'/>
<cloud domain='techmiso.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
		<item>
		<title>Socially Unacceptable: The LeBron James Circus</title>
		<link>http://techmiso.com/3429/socially-unacceptable-the-lebron-james-circus/</link>
		<comments>http://techmiso.com/3429/socially-unacceptable-the-lebron-james-circus/#comments</comments>
		<pubDate>Sun, 11 Jul 2010 09:48:39 +0000</pubDate>
		<dc:creator>Dwayne Roberts</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[LeBron James]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[social]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[socialnetworking]]></category>
		<category><![CDATA[sports]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=3429</guid>
		<description><![CDATA[Why did Lebron James create a Twitter account the same week he decided to crush his hometown&#8217;s collective heart? Maybe he was unaware that the micro-blogging service had been available to the public for the past 4 years. It could be a coincidence that he decided to utilize that forum during the biggest spectacle of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/3429/socially-unacceptable-the-lebron-james-circus/"><img src="http://techmiso.com/wp-content/uploads/2010/07/lebron-twitter.png" alt="Lebron James &amp; Twitter" title="Lebron James &amp; Twitter" width="300" height="227" class="alignnone size-full wp-image-3445" /></a>Why did Lebron James create a <a href="http://www.nj.com/nets/index.ssf/2010/07/lebron_james_twitter_account_i.html">Twitter account</a> the same week he decided to crush his hometown&#8217;s collective heart?  Maybe he was unaware that the micro-blogging service had been available to the public for the past <a href="http://wiki.answers.com/Q/When_was_Twitter_founded">4 years</a>.  It could be a coincidence that he decided to utilize that forum during the biggest spectacle of self-love that I have ever personally witnessed.  Truth is that Twitter provided an environment where he could display his glaring character flaws.  Compassion, humbleness, loyalty and respect are not prerequisites to creating a Twitter account.</p>
<p><span id="more-3429"></span></p>
<p>This culture of instant media, instant gratification and instant fame usually is closely trailed by shame and doubt.  After watching a <a href="http://www.nydailynews.com/sports/basketball/knicks/2010/07/06/2010-07-06_lebron_james_to_announce_free_agency_decision_thursday_night_at_9_pm_in_onehour_.html">one hour special</a> dedicated to “King James”, the two words I would use to describe the look on his <a href="http://cdn.bleacherreport.net/images_root/images/photos/000/986/742/102726935_crop_340x234.jpg?1278654571">face</a> are shame and doubt.  The Cleveland Cavaliers billionaire owner should also feel the same way for his <a href="http://www.nba.com/cavaliers/news/gilbert_letter_100708.html">tribute</a> to the “Chosen One” that was fitting of a bratty, spoiled 13 year old girl.  Who is to blame for this latest display of selfishness and taking the path of least resistance?  You&#8230;well, us I guess. </p>
<p>I too have been in awe of his talent just like every other sports fan.  But I saw his flaws before most.  Last year when the Orlando Magic <a href="http://espn.go.com/nba/recap/_/id/290530019/cleveland-cavaliers-vs-orlando-magic">exposed</a> the Cleveland Cavaliers in 6 games to reach the NBA Finals, “Bron Bron” walked off the court without congratulating or at least acknowledging the winning team&#8217;s upset.  Not even a post game interview.  What was his explanation for this act of <a href="http://blogs.orlandosentinel.com/sports_magic/2009/05/lebron-im-a-winner-not-a-poor-sport.html">immaturity and disrespect</a>?  </p>
<blockquote><p>“It’s hard for me to congratulate somebody after you just lose to them. I’m a winner. It’s not being a poor sport or anything like that. If somebody beats you up, you’re not going to congratulate them. That doesn’t make sense to me. I’m a competitor. That’s what I do. It doesn’t make sense for me to go over and shake somebody’s hand.&#8221;</p></blockquote>
<p>I&#8217;m not sure, but that could be the biggest load of crap I&#8217;ve ever heard.  The dude was being a sore loser and he knows it.  After that I refused to buy his shoes for my son ever again.  I wasn&#8217;t going to be a part of creating that monster.  ESPN, NBA executives and more importantly this cyber culture created this gigantic jackass.  He can be insulated from the world on Facebook and Twitter, so he doesn&#8217;t have to face the ramifications of his actions.  The man singlehandedly <a href="http://www.youtube.com/watch?v=CWsjD-VSrmM">crushed</a> the hopes of an entire state and did so on an international stage.  </p>
<p>His logic in doing so was flawed and just a smoke screen.  He wanted to win right away&#8230;please, his previous team had the best record in the league the past 2 years.  Plus the Chicago Bulls actually had a <a href="http://probasketballtalk.nbcsports.com/2010/07/lebrons-choices-it-seems-like-miami-now-but-check-back-in-an-hour.php">whole team</a> waiting for him.  He just didn&#8217;t want the pressure anymore, so he slithers off to Miami.  Look, I know he is only 25 years old and that he will make mistakes.  But he is a super rich megastar that has a <strong>TEAM</strong> of <a href="http://probasketballtalk.nbcsports.com/2010/06/are-lebrons-friends-and-advisors-really-looking-out-for-lebron.php">advisors</a>.  How many of us had a team advising us when we were coming up?  Oh yeah, it was our families.  They were there to tell us when we were going off the right path and help us get back on it.  Now all you have to do is turn to social media to have a bunch of “friends” validate your every move.</p>
<p>I <strong>LOVE</strong> sports and the Internets, but not all of the creations that spew from their loins.  We have to remember that words and actions hurt people.  Hurting them on TV, web or radio doesn&#8217;t damage them any less.  And after hurting people then turning to your new city to be instantly <a href="http://www.youtube.com/watch?v=jAy0ASuYr9Y">praised</a> sends the wrong message.  LeBron James will not learn from this, because we won&#8217;t make him.  You will forgive and forget because he entertains and everyone loves a winner.  Well, I love the <a href="http://hubpages.com/hub/Chicago-Cubs-Baseballs-Loveable-Losers">Chicago Cubs</a> and will continue loving them for the next 100 championship-less years for reasons that LeBron&#8217;s fans would probably never understand.</p>
<p>LeBron James has 405,000 followers (and counting) on Twitter, so he doesn&#8217;t need me to be a part of the lovefest.  We are all “witnesses” to this phenomenon of our own making, and we should all feel ashamed.  I just hope he gets the values he&#8217;s lacking in <a href="http://www.youtube.com/watch?v=NZc27eSPrGU">Miami</a>, but I doubt it.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/3429/socially-unacceptable-the-lebron-james-circus/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Rumor: Google to Take On Facebook With &#8220;Google Me&#8221;</title>
		<link>http://techmiso.com/3287/rumor-google-to-take-on-facebook-with-google-me/</link>
		<comments>http://techmiso.com/3287/rumor-google-to-take-on-facebook-with-google-me/#comments</comments>
		<pubDate>Sun, 27 Jun 2010 03:04:34 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[rumours]]></category>
		<category><![CDATA[social]]></category>
		<category><![CDATA[socialnetworking]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=3287</guid>
		<description><![CDATA[The internets is abuzz this morning after Kevin Rose dropped a potential bombshell rumor on twitter. According to Rose, Google is positioned to enter the social networking space very soon to compete against Facebook with a new service potentially called &#8220;Google Me.&#8221; Ok, umm, huge rumor: Google to launch facebook competitor very soon &#8220;Google Me&#8221;, [...]]]></description>
			<content:encoded><![CDATA[<p>The internets is abuzz this morning after <a href="http://twitter.com/kevinrose/status/17132231117">Kevin Rose dropped a potential bombshell rumor</a> on twitter. According to Rose, <a href="http://skitch.com/jark/dkydh/kevin-rose-google-me-rumour">Google is positioned to enter the social networking space</a> very soon to compete against Facebook with a new service potentially called &#8220;Google Me.&#8221;</p>
<blockquote><p>Ok, umm, huge rumor: Google to launch facebook competitor very soon &#8220;Google Me&#8221;, very credible source</p></blockquote>
<p>For those who do not know, <a href="http://en.wikipedia.org/wiki/Kevin_Rose">Kevin Rose</a> is the founder of popular social news site <a href="http://digg.com/">digg</a>. He has a somewhat spotty track record when it comes to rumors, so it may be worth taking his tweet with a grain of salt even though the idea may initially appear to be plausible.</p>
<p>While many would argue that Google is already competing in the <a href="http://techmiso.com/tag/socialnetworking/">social networking</a> space with <a href="http://www.orkut.com/">Orkut</a>, the reality of the situation is not quite so black-and-white. Unlike Facebook, Orkut is not very popular in the United States, mostly having been adopted by South American internet users for whatever reason. A lot of the interactivity on Orkut is overrun by &#8220;Brazilian mobs&#8221; on a frequent basis, causing people to feel uncomfortable with the service. The somewhat lawless nature of Orkut generally scares people away, in addition to the lack of truly compelling, unique features.</p>
<p>If Google really is launching a home-grown social network &#8211; Google Me &#8211; then it will be quite interesting to see how they pull it off. Would such an application make use of features seen in other already-released Google products, such as <a href="http://wave.google.com/">Gmail</a>, <a href="http://www.google.com/profiles">Google Profiles</a>, <a href="http://wave.google.com/">Wave</a>, <a href="http://www.google.com/buzz">Buzz</a> and <a href="http://picasaweb.google.com/">Picasa</a>?</p>
<p>What I would expect, and even hope for, is to see Google marry its many disparate services in to a single, unified social networking application. Rather than having yet another inbox &#8211; like on Facebook &#8211; integrate Gmail for such functionality. Use Buzz for the activity streams, synonymous with the Facebook news feed, offering both posting and mere reading. Wave could be adopted to be similar to groups while Picasa could be used for sharing photos. Google Profiles could be the very foundation for building a profile on Google Me. Google already has the making of the fundamental social networking building blocks but has not coupled the features into one application.</p>
<p>If packaged together in a unified, simplistic, intuitive interface these seemingly distinct applications could be forged in to one and work together as a true social networking platform similar to Facebook.</p>
<p>&#8220;Google Me&#8221; is an intriguing idea, and if executed correctly could be a very cool product. I look forward to this rumor turning out to be true. If it is true, expect the times to be quite interesting, especially if Google has been courting online social game companies like <a href="http://www.zynga.com/">Zynga</a> whose relationship with Facebook is on the verge of disaster as these companies seek <a href="http://techcrunch.com/2010/05/07/zynga-gunning-up-and-lawyering-up-for-war-against-facebook-with-zynga-live/">less reliance on Facebook</a>.</p>
<p>Are you interested in the prospect of yet another social networking site?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/3287/rumor-google-to-take-on-facebook-with-google-me/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>10 Websites To Bury BP With</title>
		<link>http://techmiso.com/3091/10-websites-to-bury-bp-with/</link>
		<comments>http://techmiso.com/3091/10-websites-to-bury-bp-with/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 11:15:48 +0000</pubDate>
		<dc:creator>Haslina Ali</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[bbc]]></category>
		<category><![CDATA[bp]]></category>
		<category><![CDATA[cdc]]></category>
		<category><![CDATA[deepwater horizon]]></category>
		<category><![CDATA[epa]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[gulf of mexico]]></category>
		<category><![CDATA[national geographic]]></category>
		<category><![CDATA[oil spill]]></category>
		<category><![CDATA[reuters]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=3091</guid>
		<description><![CDATA[In case you’ve been living under a rock or in an alternate universe, BP plc has screwed up royally (again, but we’ll get to that later) due to the explosion of their oil rig, the Deepwater Horizon in the Gulf of Mexico causing the unrestricted release of thousands of barrels of oil into the Gulf. Sadly, eleven people died in the tragedy.]]></description>
			<content:encoded><![CDATA[<p>In case you’ve been living under a rock or in an alternate universe, BP plc has screwed up royally (again, but we’ll get to that later) due to the explosion of their oil rig, the Deepwater Horizon in the Gulf of Mexico causing the unrestricted release of thousands of barrels of oil into the Gulf. Sadly, eleven people died in the tragedy.</p>
<p>Also in case you thought that the Gulf of Mexico is in Mexico and thusly is of no concern to you, it’s not. Well, it is, but it’s also partially in the good old USA. Specifically, it’s off the coast of Florida and Louisiana. Of course, since it’s in USA waters, the result is a global public uproar placing BP under the intense scrutiny of the global media and population. Everyone in the world thinks that BP has screwed them over and now feels that BP owes them something, meaning everyone has BP under a magnifying glass.<br />
<span id="more-3091"></span><br />
And I mean, magnifying glass. Everyone in the world can keep themselves updated in real-time on everything that BP is doing to fix the problem. Despite a very, very spotty safety record, this was apparently the straw that broke the proverbial camel’s back. So much so that BP is going over the top to show that they’re doing everything that they can to fix the problem, including using <a href="http://www.dailymail.co.uk/news/worldnews/article-1271740/Louisiana-oil-spill-Anger-turns-BP-Obama-blames-British-firm.html">cheap labour courtesy of American criminals</a>. Even though they <a href="http://news.bbc.co.uk/2/hi/americas/8676341.stm">claim that the accident wasn’t their fault at all</a> (!), they’re trying to make amends by making their efforts as transparent as possible.</p>
<p>The result is an amazing use of technology to keep BP operating under a microscope. I mean, seriously, I knew that the technology was possible, but I didn’t think it could be implemented so widely and cheaply.</p>
<p>The following are the top 10 websites that, with the impressive abilities of technology, will keep you updated on everything (and I mean, <strong>everything</strong>) about the spill, BP, all related topics &#8211; and ultimately provide the fodder with which the world will judge BP for their actions:</p>
<ol>
<li>BP has set up a website dedicated to showcasing minute-by-minute details on what they’re doing to fix the problem. You can also sign up for SMS alerts at <a href="http://www.deepwaterhorizonresponse.com/">BP&#8217;s Deepwater Horizon Response website</a>.</li>
<li>Just to make sure they’re being completely transparent, <a href="http://www.bp.com/genericarticle.do?categoryId=9033572&amp;contentId=7062605">BP’s live feed from Remotely Operated Vehicles</a> lets you keep an eye on their activities from 5,000 feet below the surface just in case you think that they’re pulling anything funny (this one kept me pretty occupied for a while)</li>
<li>The EPA is making sure you know exactly how much BP has polluted the Gulf with <a href="http://www.epa.gov/bpspill/">up-to-date air, water, sediment and waste management data</a></li>
<li>In case that wasn’t enough, the EPA is letting you <a href="http://www.epa.gov/bpspill/epa.html#aspect">use their aircraft, the ASPECT</a>, to show you where the oil is, with a step-by-step guide on how to use the aircraft to find it</li>
<li>BBC has conveniently provided <a href="http://news.bbc.co.uk/2/hi/world/us_and_canada/10317116.stm">an interactive guide showing BP’s efforts</a> to stem the free flow of oil into the Gulf as well as the spread of oil to date</li>
<li>Reuters has kindly informed the world about <a href="http://www.reuters.com/article/idUSTRE6520O420100603">the laws that can be used to prosecute BP</a>, whether or not they will be used, and explores the possible future scenarios for the corporation</li>
<li>National Geographic has set up a dedicated news page exploring <a href="http://news.nationalgeographic.com/news/gulf-oil-spill-news/">the environmental impact of the spill as it happens</a></li>
<li>USA’s Office of Response and Restoration also has a “<a href="http://www.geoplatform.gov/gulfresponse/">one-stop shop for spill response information</a>”, using a web-based tool to map the spread and trajectory of oil </li>
<li>The CDC has jumped on the bandwagon making sure you know <a href="http://www.bt.cdc.gov/gulfoilspill2010/">how the oil spill will affect your health</a>, whether through exposure to the oil dispersants or the heat </li>
<li>And of course, the God of the internet, Google has a <a href="http://www.google.com/crisisresponse/oilspill/">Crisis Response website</a> dedicated to the spill to keep the world updated </li>
</ol>
<p>Ain’t technology grand?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/3091/10-websites-to-bury-bp-with/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Simple Pragmatic Thoughts About iPhone 4</title>
		<link>http://techmiso.com/2999/simple-pragmatic-thoughts-about-iphone-4/</link>
		<comments>http://techmiso.com/2999/simple-pragmatic-thoughts-about-iphone-4/#comments</comments>
		<pubDate>Tue, 08 Jun 2010 11:15:56 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphone os]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2999</guid>
		<description><![CDATA[Apple unveiled the iPhone 4 earlier today, during a keynote speech presented by the man himself, Steve Jobs. As usual, the keynote was a work of art in and of itself, exquisitely displaying the beautifully designed new hardware for the world to see. The iPhone was not the only exciting reveal, for iOS 4 (the [...]]]></description>
			<content:encoded><![CDATA[<p>Apple unveiled the <a href="http://www.apple.com/iphone/">iPhone 4</a> earlier today, during a <a href="http://www.apple.com/quicktime/qtv/wwdc10/index.html">keynote speech</a> presented by <em>the man</em> himself, Steve Jobs. As usual, the keynote was a work of art in and of itself, exquisitely displaying the beautifully designed new hardware for the world to see. The iPhone was not the only exciting reveal, for iOS 4 (the OS formerly known as iPhone OS) was unleashed as well &#8211; both products unveiled in tandem, available in sync, with each relying on the other to propel their exhilarating new features in to the mainstream and in to the hands of mouth watering consumers. Will you be one of the select few to wield an iPhone 4 come June 24?<br />
<span id="more-2999"></span></p>
<p>The new specs on the iPhone 4 are pretty sweet, as the device heralds the same speedy architecture powering another recent Apple addition &#8211; the iPad. Although the iPhone is powered by the designed in-house A4 chip, Apple leaves that out of their standard literature. Their goal is for consumers to stop being concerned with the inner-workings of these computing devices, and to assume they are fast by nature of the company producing the products. </p>
<p>Put another way, because Apple has designed and is selling these devices, consumers should understand the products to be high quality, high speed computers, allowing users to perform the work they need without fear of being slowed down by processor speed bumps.</p>
<p>Through the use of the A4 chip Apple has managed to squeeze additional processing power and better battery life out of the new iPhone. Improved performance is what consumers look for when purchasing new computing devices, especially portable devices requiring recharging, so this is a no brainer.</p>
<p>The iPhone 3GS is already a fairly quick product, but its speed pales in comparison to an iPad. The latter just feels faster, with its instantaneous browsing capabilities &#8211; undoubtedly a goal Apple has for the iPhone 4.</p>
<p>According to Apple, the iPhone 4 offers the <a href="http://www.apple.com/iphone/specs.html">following features</a>:</p>
<ul>
<li>6 hours of browsing via 3G</li>
<li>10 hours of browsing via Wi-Fi</li>
<li>10 hours of video viewing</li>
<li>40 hours of music listening</li>
<li>300 hours standby</li>
<li>40% Improved talk time</li>
</ul>
<p>All of the aforementioned are better than the current iPhone 3GS but nothing extraordinary. These updates are merely <em>incremental</em>. If you were hoping for kick ass battery life then you are not going to be happy with the new device. The iPhone 4 is still just as power hungry as its younger brother 3GS, offering only slightly improved battery consumption per the specs. Actual field testing once the unit is available for purchase will be interesting.</p>
<p>The updated video recording and editing capabilities of the iPhone 4 and iOS 4 appear to be the most exciting additions. Not content with mere video recording and simple editing, Apple upgraded the device to be capable of shooting 720p video &#8211; high definition video normally only seen in dedicated video cameras like the <a href="http://www.theflip.com/en-us/Products/slidehd.aspx">Flip SlideHD</a>. </p>
<p>Cisco has to be fairly concerned about these updated iPhone capabilities because it almost renders their entire Flip line of cameras obsolete.</p>
<p>What should be obvious to most people is that recording video in <a href="http://en.wikipedia.org/wiki/720p">720p</a>, and subsequently editing such video, has got to be taxing on the processor. This normally translates to substantial battery life being eaten to complete these tasks. If the iPhone 4 is capable of pulling off both without major hits to the battery life then that will be an immense achievement. I remain skeptical and expect the unit to drain the battery considerably.</p>
<p>John Gruber has some <a href="http://daringfireball.net/2010/06/iphone_4">very interesting observations</a> about the iPhone 4&#8242;s screen: </p>
<blockquote><p>It’s mentioned briefly in Apple’s promotional video about the design of the iPhone 4, but they’re using a new production process that effectively fuses the LCD and touchscreen — there is no longer any air between the two. One result of this is that the iPhone 4 should be impervious to this dust-under-the-glass issue. More importantly, though, is that it looks better. The effect is that the pixels appear to be painted on the surface of the phone; instead of looking at pixels <em>under</em> glass, it’s like looking at pixels <em>on</em> glass. Combined with the incredibly high pixel density, the overall effect is like “live print”.</p></blockquote>
<p>The effect described is not something you can really visualize in your head &#8211; it has to be viewed firsthand. I am looking forward to playing with an iPhone 4 solely to see how the new glass looks, and to see if it truly does appear to be pixels <em>on</em> the glass.</p>
<p>Ultimately, the iPhone 4 is one sexy beast. The new industrial design is quite sexy and the new features of the device are worthy updates. If you were solely looking for increased battery life then forget it &#8211; the iPhone 4 is not much better off than the iPhone 3GS. If you want advanced video shooting and editing capabilities in addition to a more powerful processor then the iPhone 4 is a winner.</p>
<p>As for me &#8211; come June 24 I will be in a Softbank shop snatching up a black 32GB iPhone 4. My old 3G has no qualms about showing its age, and is in dire need of being replaced. It has faithfully served me for the past two years, but it&#8217;s time to finally move in to the big leagues for yours truly.</p>
<p>Lastly, I wanted to mention the <a href="http://www.apple.com/ipad/">iPad</a>. The unveiling of both the front-facing camera on the iPhone 4 and the <a href="http://www.apple.com/iphone/features/facetime.html">Facetime</a> feature in iOS 4 made me pause. As I <a href="http://twitter.com/jark/status/15655769465">tweeted earlier today</a>, if iPhone 4, or more apropos iOS 4, offers Facetime and it is usable only via Wi-Fi, then why is the iPad devoid of a front facing camera?</p>
<p>Will Apple be releasing updated iPad hardware sooner rather than later, this time following the same design conventions offered in the iPhone 4? Translated &#8211; will there be an iPad with a front-facing camera, to be used with Facetime, offered in the near future, such as prior to the Christmas buying season?</p>
<p>If you were on the fence about the iPad then surely waiting is the smart option at this juncture.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2999/simple-pragmatic-thoughts-about-iphone-4/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Does U.S. Mobile Carrier AT&amp;T Rule All App Store Applications?</title>
		<link>http://techmiso.com/2460/does-us-mobile-carrier-att-rule-all-app-store-applications/</link>
		<comments>http://techmiso.com/2460/does-us-mobile-carrier-att-rule-all-app-store-applications/#comments</comments>
		<pubDate>Sat, 01 Aug 2009 04:40:58 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[appstore]]></category>
		<category><![CDATA[at&t]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[voip]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2460</guid>
		<description><![CDATA[Earlier this week the internet was abuzz over Apple rejecting the official Google Voice (GV) iPhone app. This story was quickly followed by Apple removing every GV-enabled app already available in the App Store. The official GV app and all previously approved GV-enabled applications appear to have been removed from all international App Stores. Based [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week the internet was abuzz over <a href="http://www.techcrunch.com/2009/07/27/apple-is-growing-rotten-to-the-core-and-its-likely-atts-fault/">Apple rejecting the official Google Voice (GV) iPhone app</a>. This story was quickly followed by <a href="http://www.engadgetmobile.com/2009/07/28/google-voice-iphone-app-rejected-current-gv-apps-lose-connectio/">Apple removing every GV-enabled app already available</a> in the App Store. The official GV app <em>and</em> all previously approved GV-enabled applications appear to have been removed from all international App Stores. Based on <a href="http://www.9to5mac.com/AT%2526T-is-the-worst-thing-that-ever-happened-to-Apple">many accounts</a>, <a href="http://daringfireball.net/2009/07/google_voice#update-13:40">the culprit behind this dastardly deed</a> is none other than <a href="http://gigaom.com/2009/07/28/google-voice-iphone/">AT&#038;T</a>. Does this mean that AT&#038;T, the <em><strong>U.S.</strong></em> mobile carrier, has veto authority across all U.S. and <em>international</em> App Store applications?</p>
<p><span id="more-2460"></span><br />
Outside of the obviousness of how utterly irresponsible Apple is behaving with their lack of professional administration of the App Store, I have to wonder why Google Voice is not allowed in the U.S. App Store and the other <em>international</em> App Stores. One logical explanation is that Google only submitted the official GV app to the U.S. App Store since Google Voice is currently only available for U.S. consumers. That still does not explain the perceived authority AT&#038;T has displayed over the entire U.S. App Store. </p>
<p>I have never seen this information published anywhere, and a few quick web searches did not really yield a solid answer, but is the U.S. App Store intended solely for U.S. consumers who possess a valid U.S. address?</p>
<p>For example, are U.S. expatriates living in non-English speaking countries supposed to be forbidden from the U.S. App Store, thus forced to use the App Store tied to the country they live in? If this is not the case, which I suspect, then why is AT&#038;T allowed to dictate what applications are available to international consumers not using AT&#038;T as a mobile provider?</p>
<p>Customers of SoftBank in Japan using GV-enabled applications do not interfere with the AT&#038;T network whatsoever. Why does AT&#038;T get to make the availability determination for the whole of the U.S. App Store even when the potential traffic will not travel through their network?</p>
<p>Another point I am interested in is the partnership between Apple and AT&#038;T. Is the entire U.S. App Store somehow tied to AT&#038;T? Think about that for a moment &#8211; if it is, then there is potential collusion and anticompetitive behavior taking place. Not as if that ever happens, right?</p>
<p>I wonder if one of the contractual obligations between Apple and AT&#038;T is that AT&#038;T gets some form of <em><a href="http://en.wikipedia.org/wiki/Right_of_first_refusal">right of first refusal</a></em> for all applications submitted to the U.S. App Store. Essentially, when AT&#038;T deems necessary, they merely ask Apple to pull an app or disapprove a submission and the app is banished from the U.S. App Store. Based on the treatment of GV, the pulled GV-enabled applications and the SlingPlayer app, one certainly has to wonder if this is a possibility.</p>
<p>I have been quite disappointed since Apple started acting so irrationally with the App Store back in the first place. But now I am severely dismayed and wonder if this is even fixable. Apple, with its peculiar and secretive nature, will undoubtedly remain tight-lipped and never publicly comment on the issue.</p>
<p>The only good news to come out of this is that <a href="http://www.wired.com/epicenter/2009/07/feds-want-apple-and-att-to-explain-google-voice-rejection/">the FCC is looking into the GV rejections</a>. The <a href="http://www.macworld.com/article/142038/2009/07/googlevoice_fcc.html?lsrc=rss_main">agency sent letters</a> to Google, Apple and AT&#038;T, querying all three companies on the issue. Hopefully there is reconciliation, and the type consumers <em>require</em> &#8211; allowing GV-enabled applications into the App Store.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2460/does-us-mobile-carrier-att-rule-all-app-store-applications/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Navy Federal Credit Union Web Site Operating with Security Issue</title>
		<link>http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/</link>
		<comments>http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/#comments</comments>
		<pubDate>Sat, 18 Jul 2009 03:30:14 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[navy]]></category>
		<category><![CDATA[nfcu]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2434</guid>
		<description><![CDATA[Online banking users are hopefully aware of the need to log in to their bank&#8217;s web-based system using secure means, such as via a web site protected using SSL encryption. Every legitimate bank offers such protection, normally disallowing customers the ability to log in via unsecure means. But not every bank appears to be conscious of the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/"><img class="alignright size-full wp-image-2435" title="Navy Federal Credit Union Login Form" src="http://techmiso.com/wp-content/uploads/2009/07/nfcu-login_form.jpg" alt="Navy Federal Credit Union Login Form" width="230" height="270" /></a>Online banking users are hopefully aware of the need to log in to their bank&#8217;s web-based system using secure means, such as via a web site protected using SSL encryption. Every <em>legitimate</em> bank offers such protection, normally disallowing customers the ability to log in via unsecure means. But not every bank appears to be conscious of the myriad of potential security risks associated with their site. <a href="http://navyfcu.org/">Navy Federal Credit Union</a> is plagued by a huge security vulnerability on their web site and is possibly the easiest bank on which to perform a phishing expedition.</p>
<p><strong>Updated &#8211; August 12, 2009</strong>: <a href="http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/#nfcuupdates">Added correspondence</a> from the RSA Anti Fraud Command Centre and SliceHost Support regarding a take-down notice and trademark infringement claim. This little article has apparently generated some interest and visibility by an NFCU &#8220;security&#8221; contractor.</p>
<p><strong>Updated &#8211; August 15, 2009</strong>: <a href="http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/#nfcuupdates">The saga</a> appears to have come to an end as the RSA AFCC responds to SliceHost after TechMiso stipulates the content was not infringing. The attack dogs are ostensibly caged for now.</p>
<p><span id="more-2434"></span></p>
<p>As web browsers have matured throughout the years their ability to quickly and easily identify secure web sites has gotten exponentially better. Years ago the only way to determine if a genuine SSL connection was established was to look for the lighted “lock” icon in both Internet Explorer and Netscape.</p>
<p>Fast forward to today where all current major browsers display the SSL connection status in the browser location bar. For example, Firefox 3.5 uses the leftmost side of the location bar to visually present the validity of the certificate presented by the server. If a valid Certificate Authority can verify the authenticity of the certificate, if company information is present in the certificate and if the fully qualified domain name on the certificate matches the one in the address bar then the background color of this area is green to let users know they are essentially safe from a potential phishing attack.</p>
<p>Any other combination of the above will result in a different background color, alerting users to a probable security issue. At this juncture users should not attempt to log in because there is a high risk of their data being stolen or misused.</p>
<p>But even with all the security controls offered by browser vendors, nothing can stop people from forsaking security for convenience. In this case, Navy Federal Credit Union (NFCU) does just that &#8211; it offers customers the ability to log in to their web-based banking system from their <em>unsecured</em> home page. How many users merely enter their credentials in the form provided without ever thinking twice about whether the site they are visiting truly is NFCU?</p>
<p>Even though the web browser does not display any sign of a secure connection or an authentic connection to navyfcu.org, rest assured most users make use of the convenient form on the home page. This is a huge security risk because it is ripe for phishing. By allowing users to log in to an online bank from an unsecure, unverified site, those same customers could be tricked into entering their credentials from just about any domain.</p>
<p><img class="alignnone size-thumbnail wp-image-2436" title="Navy Federal Credit Union Secure Login Form" src="http://techmiso.com/wp-content/uploads/2009/07/nfcu-secure-300x222.jpg" alt="Navy Federal Credit Union Secure Login Form" width="300" height="222" />To their credit, NFCU does offer the ability to enter login credentials from a <a href="https://myaccounts.navyfcu.org/cgi-bin/ifsewwwc?Logon">secured page</a>. By clicking the home page “sign on” button with an empty form users are then redirected to an SSL-enabled page where they are assured the site being visited is in fact the authentic NFCU web site.</p>
<p>Even though the NFCU home page is unsecured and offers the ability to enter details on a potentially phished page, the form data is in fact submitted via secure means. So although users may use this less-than-secure yet convenient method of logging on to NFCU, their credentials are secure &#8211; assuming they are entering the data from the authentic site.</p>
<p>But the secure transportation of data to NFCU is not the issue in question. The issue is the complete and utter disregard NFCU displays for the potential for their customers to be phished by malicious attackers seeking to gain access to NFCU customer accounts. Any bad guy could easily copy the entire contents of the NFCU home page and everybody would be none the wiser because NFCU fails to follow industry standard security best practices.</p>
<p>The best solution to this issue is for NFCU to completely remove the login form from their home page and replace it with a huge “LOGIN HERE” button which, when clicked, takes users to the secure login page. It is easy to implement, can be done in a mere 5 minutes and is exponentially more secure than the current method. Additionally, this mitigates the potential risk from any phishing site because users will be able to identify NFCU via browser security controls.</p>
<p>Alternatively, NFCU can do what <a href="http://www.chase.com/">Chase</a> has done and merely secure their home page via SSL, redirecting all http visitors to their https site. This approach essentially provides the same level of assurance the previous method does, but in a different manner. Assuring users they are visiting the authentic NFCU home page rather than some mirrored version being run by malicious attackers is the ultimate goal.</p>
<p>The NFCU web site has been run like this for years. Considering today’s climate, I find it very peculiar they continue to take on such liability and allow their users to be potentially phished so easily. While I am amazed to a degree, since the average user does not fully comprehend these issues, it does make sense that NFCU allows this vulnerability to persist.</p>
<p>If your bank is doing anything similar, ensure you take the necessary steps to protect your login credentials from being phished. Otherwise, if there is no other recourse, close your account and contact the bank to explain why you will no longer conduct business with them due to their lacking security controls.</p>
<p><a name="nfcuupdates"></a><strong>Update 1 &#8211; July 19, 2009</strong>. It seems this article generated some interest from the <a href="http://www.rsa.com/">RSA Anti Fraud Command Centre</a>, a company &#8220;under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union&#8217;s clients as potential fraud victims.&#8221; It seems they are not too happy with the spirit of this post, which is pretty peculiar considering that we are pointing out a pretty serious, long-standing security flaw with the Navy Federal Credit Union web site. Here is the first email I received from the <a href="mailto:afcc@rsasecurity.com">RSA Anti Fraud Command Centre</a>:</p>
<blockquote><p>Dear Sirs:</p>
<p>RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union&#8217;s clients as potential fraud victims.</p>
<p>RSA has been made aware that a domain name, which abuses Navy Federal Credit Union&#8217;s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/ not only violates Navy Federal Credit Union&#8217;s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank&#8217;s clients.</p>
<p>The fraudulent website not only represents a misuse of Navy Federal Credit Union&#8217;s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients.  Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.</p>
<p>Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.</p>
<p>We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.</p>
<p>We specifically would ask that you also take the following actions (if relevant or possible):</p>
<p>Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.<br />
If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data<br />
relates can be notified and take steps to protect their credit.</p>
<p>Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.</p>
<p>We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.</p>
<p>Thank you for your cooperation to prevent and terminate this fraudulent activity.</p>
<p>Sincerely,</p>
<p>RSA Anti Fraud Command Centre</p>
<p>Tel: +44(0)800-032-7751 (UK)<br />
Tel: +1-866-408-7525 (US)<br />
Fax: +972-9-9566658 (EU)<br />
Fax: +1-212-208-4644 (US)<br />
E-mail:  afcc@rsasecurity.com</p>
<p>http://www.rsa.com</p>
<p>For more information about RSA&#8217;s AFCC http://www.rsa.com/node.aspx?id=3348</p>
<p>Navy Federal Credit Union Legal Department<br />
contact Julie Griffin<br />
AVP., Telecom<br />
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939<br />
email: Julie_griffin@navyfederal.org</p>
<p>*”Phishing&#8221; is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.</p></blockquote>
<p>At first glance I thought the RSA AFCC email was bogus because of what appear to be some severely lacking English skills. For an official inquiry, the email was peculiarly worded. After all, RSA surely must employ personnel capable of coherent and literate English skills. It just seemed really odd to go after TechMiso for an article designed to help point out a fatal flaw with NFCU&#8217;s web site and inform users of a smarter way to log in to the bank&#8217;s site.</p>
<p>But after performing a bit of checking I was unable to find anything to truly lead me to believe this was a phishing attempt or a falsified claim. So I immediately responded to the RSA Anti Fraud Command Centre as well as Julie Griffin, the NFCU representative RSA asked me to contact, with the following reply:</p>
<blockquote><p>Did you people bother to even read the article written at &#8220;the domain&#8221; specified in your email? Or, do you merely allow your bot to crawl the Internet uninhibited so that it may send out potentially libelous communications without verifying the authenticity of such claims prior to their transmission?</p>
<p>The article, which coincidentally I authored, is written about a web security vulnerability on the navyfcu.org web site. Ironic how a blog devoted to technology is improperly targeted by a business which claims it is under contract with NFCU for &#8220;preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union&#8217;s clients as potential fraud victims,&#8221; especially when the article was written to help shed light on a security issue with NFCU&#8217;s web site!</p>
<p>Might I suggest you consider looking at the navyfcu.org web site and resolving the issue I outlined in the article at the URL cited below? More importantly, is it too much to ask that a human actually read the article before an automated bot sends out emails to web site owners without verifying the validity of any potential issues?</p>
<p>If you have a specific claim with the TechMiso article then please kindly clarify your concern without the use of a form letter. We are more than willing to assist because we care about NFCU and its customers, hence the article we wrote which addresses our concern with security vulnerability on navyfcu.org.</p>
<p>TechMiso has no reason to immediately shut down because there is absolutely nothing fraudulent in use. As I mentioned, if you have an issue then please clarify what your concern is.</p>
<p>I look forward to hearing back from you.</p>
<p>Best Regards,</p>
<p>Scott Jarkoff<br />
Faithful NFCU customer</p></blockquote>
<p>I received the following response from RSA, which essentially completely ignored anything relevant.</p>
<blockquote><p>Dear Sirs:</p>
<p>RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union&#8217;s clients as potential fraud victims.</p>
<p>The problem with the material on the blog is that it suggests that Navy Federal&#8217;s website is not secure.</p>
<p>You claim in your Blog that you care about NFCU and its customers whereas the blog you wrote only confuses and frightens the customers.</p>
<p>The bank has asked RSA Security to try taking the offending blog down.</p>
<p>It is true that the first page isn’t https secured but it is secured in different ways.</p>
<p>We will forward the complaint to the bank regarding the first login page.</p>
<p>Sincerely,</p>
<p>RSA Anti Fraud Command Centre</p>
<p>Tel: +44(0)800-032-7751 (UK)<br />
Tel: +1-866-408-7525 (US)<br />
Fax: +972-9-9566658 (EU)<br />
Fax: +1-212-208-4644 (US)<br />
E-mail:  afcc@rsasecurity.com</p>
<p>http://www.rsa.com</p>
<p>For more information about RSA&#8217;s AFCC http://www.rsa.com/node.aspx?id=3348</p>
<p>Navy Federal Credit Union Legal Department<br />
contact Julie Griffin<br />
AVP., Telecom<br />
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939<br />
email: Julie_griffin@navyfederal.org</p>
<p>*”Phishing&#8221; is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.</p></blockquote>
<p>Their stipulation is that the material on TechMiso suggests the NFCU web site is not secure? Uh, hello &#8211; it&#8217;s not. If you read the entire article then you will understand why we make the claim we&#8217;re making. I wonder if these people are required to pass some form of English comprehension prior to signing on with RSA.</p>
<p>At this point I really questioned whether this was a valid claim or not. It seemed so peculiar, and lacked any legal basis, that I decided to ignore any further emails from the RSA AFCC. I ended up receiving nothing more from this supposed security company.</p>
<p>It was at this point that Jennifer Sadler, someone purporting to be an NFCU Public Relations employee, <a href="http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/#comment-13112811">commented on the blog post</a>, thanking us for the post. As far as I was concerned, this was proof positive that NFCU did not have an issue with the post and recognized the issue with their web site.</p>
<p><strong>Update 2 &#8211; August 12, 2009</strong>. After figuring that the &#8220;fight&#8221; with the RSA AFCC was over because I had not heard from them in almost a month, I was very surprised to see an email from SliceHost support with the subject line &#8220;Trademark Infringement&#8221; sitting in my Inbox this morning. It seems the attack dogs at the RSA AFCC have not had enough miso soup and were back for more.</p>
<p>Apparently not convinced by our earlier conversation, these clowns have resorted to making a trademark infringement claim, most likely on the small little graphic in the upper-right of the post. <a href="http://en.wikipedia.org/wiki/Fair_use">Fair use</a>? <a href="http://en.wikipedia.org/wiki/A_moron_in_a_hurry">Moron in a hurry test</a>?</p>
<p>Here is the email in full:</p>
<blockquote><p>Dear Customer,</p>
<p>We have received a complaint alleging that you are infringing on the complainant’s trademark rights.  A copy of the complaint is attached hereto.</p>
<p>We have established the following procedure for handling trademark infringement complaints where our customers appear as respondents:<br />
(1)     Upon receipt of a complaint, we will forward it to you.<br />
(2)     If you agree to take down or otherwise disable access to the allegedly infringing content, we will notify the complainant. If you do not agree to so, we will require that the complainant furnish us with the following information:<br />
a)      Federal trademark registration numbers the complainant relies on for his rights in the trademark(s) at issue. The trademark(s) must be registered on the principal register and registrations must be issued and active (not pending, not expired, cancelled, or abandoned).<br />
b)      The owner of the furnished trademark registrations as it appears on record with the USPTO. The name of the complainant must appear as the registrant of record.<br />
c)      The complainant must submit a statement attesting that, to the best of his knowledge, you do not have any implied or express permission from the complainant or his authorized parties to use the mark(s) nor do you make fair use of the mark(s).<br />
In the event the complainant is unwilling or unable to supply the information, as outlined above, we will not provide assistance.<br />
(3)     If the complainant is able to satisfy the above information requirements, we will advise you that the complainant’s asserted rights appear valid and serve you with a 30-day takedown notice. In the event of non-compliance within the 30-day period, and absent any legal process served by you on Rackspace, precluding Rackspace from carrying out the takedown, Rackspace will be required to proceed with disabling access to the allegedly infringing content.</p>
<p>Please be advised that in the event Rackspace has to comply with the takedown demands, and you believe that the complaint is unsubstantiated, Rackspace recommends that you consult with your attorney regarding options relieving Rackspace of such responsibility.</p>
<p>Thank you for your attention to this matter.</p>
<p>Regards,<br />
Renee Graves<br />
Rackspace AUP<br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
Dear Sirs:</p>
<p>RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union&#8217;s clients as potential fraud victims.</p>
<p>RSA has been made aware that a domain name, which abuses Navy Federal Credit Union&#8217;s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/ not only violates Navy Federal Credit Union&#8217;s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank&#8217;s clients.</p>
<p>The fraudulent website not only represents a misuse of Navy Federal Credit Union&#8217;s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients.  Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.</p>
<p>Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.</p>
<p>We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.</p>
<p>We specifically would ask that you also take the following actions (if relevant or possible):</p>
<p>* Please provide us with a tar/zip file of the source code for<br />
this site, so that we may analyze it to help prevent further attacks.<br />
* If any customer data has been captured that is stored on your<br />
systems or equipment, please send us that data so that the customers to<br />
whom that data</p>
<p>relates can be notified and take steps to protect their credit.</p>
<p>*  Please provide a copy of any records you maintain that indicate<br />
the name, contact information, method of payment or similar information<br />
that may be useful in helping learn the identity and location of the<br />
customer for whom the website has been operated.<br />
*</p>
<p>We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.</p>
<p>Thank you for your cooperation to prevent and terminate this fraudulent activity.</p>
<p>Sincerely,</p>
<p>RSA Anti Fraud Command Centre<br />
Tel: +44(0)800-032-7751 (UK)<br />
Tel: +1-866-408-7525 (US)<br />
Fax: +972-9-9566658 (EU)<br />
Fax: +1-212-208-4644 (US)<br />
E-mail:  afcc@rsasecurity.com</p>
<p>http://www.rsa.com</p>
<p>For more information about RSA&#8217;s AFCC</p>
<p>http://www.rsa.com/node.aspx?id=3348</p>
<p>[49450]<br />
&#8212;-<br />
Slicehost Support<br />
support@slicehost.com</p></blockquote>
<p>What a complete and utter set of lies by the RSA AFCC! NFCU needs to settle these attack dogs down. What is there to gain by going after TechMiso other than a hot, steaming bowl of miso soup goodness?</p>
<p>I opted not to remove the content and promptly responded to the good folks at SliceHost with the following:</p>
<blockquote><p>Hello Renee,</p>
<p>Thank you for the email and for contacting me about the trademark complaint submitted by RSA.</p>
<p>I do not agree to take down or disable access to the content specified in the complaint because I stipulate there is no trademark infringement taking place. The content is not an attempt to mislead NFCU clients but, rather, to inform them about a serious long-standing security issue with the NFCU web site. I already rejected the entire claim when RSA contacted me directly.</p>
<p>The article in question displays an image depicting a small portion of the NFCU web site, specifically the account access login form, and is in no way infringing on any NFCU trademarks. The article delves into a long-lasting security issue with the NFCU web site and does not make any attempts to misrepresent NFCU or its trademarks. Our use of any potential NFCU marks under this claim is fair use.</p>
<p>More importantly, the infringement claim does not pass the &#8220;moron in a hurry test&#8221; at all. Any user visiting the content in question will surely *not* be confused into believing they are at an officially sanctioned NFCU web site. For more information on the &#8220;moron in a hurry test&#8221; please visit http://en.wikipedia.org/wiki/A_moron_in_a_hurry</p>
<p>As I already mentioned, I have been in contact with RSA regarding this matter. They emailed me directly and I responded saying we will not remove the content because there is no infringement, misrepresentation or attempt to phish NFCU clients. In fact, an NFCU representative that RSA asked us to contact ended up commenting on the blog post, offering thanks for pointing out the security flaw.</p>
<p>In any event, thanks again for the email. Please let me know how you would like to proceed at this point.</p>
<p>Best Regards,</p>
<p>&#8211;<br />
Scott Jarkoff</p>
<p>http://techmiso.com/</p></blockquote>
<p>It should be interesting to see what type of response this generates. I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up.</p>
<p><strong>Update 3 &#8211; August 15, 2009</strong>. I had not had an opportunity to update the site yesterday due to a very busy day at work. The latest actually arrived in my inbox Friday morning, August 14, 2009. The most recent email I sent to SliceHost, in response to the take-down notice RSA sent our hosting provider, seems to have convinced RSA to back down. The wonderful folks at SliceHost support sent me the following concise email:</p>
<blockquote><p>Hello Scott,</p>
<p>I just received the following response from the complainant.</p>
<p>I will go ahead and close the ticket at this time.  We will continue to monitor the incoming complaints and will let you know if something arises.  Thanks for your cooperation in this matter.   If you have any further questions or concerns, please feel free to contact us!</p>
<p>Kindest Regards,<br />
Renee Graves<br />
Rackspace AUP</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
Dear Rack Space Team,</p>
<p>Please disregard the shut down request email below.</p>
<p>Best Regards,<br />
RSA AFCC</p></blockquote>
<p>I am very glad to see RSA has opted to stop fighting such a pointless battle. They would have made better use of their time and energy working to reconcile the issues with the NFCU web site rather than attempting to silence a blog aimed at helping inform their customers (incidentally, I am an NFCU customer so I care about this stuff) of a long-standing security issue.</p>
<p>I want to thank the SliceHost Support Team for their kind, professional and very helpful assistance with this issue. In this day and age, it is nice to have a provider who comprehends these types of issues and does not automatically act to disable a web site without allowing their customers to first respond to the take-down notice. This is a testament to their excellent customer service, and clearly depicts why SliceHost is one of the most popular web hosts these days.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/feed/</wfw:commentRss>
		<slash:comments>32</slash:comments>
		</item>
		<item>
		<title>Chrome OS &#8211; Google Gorilla To Eat Microsoft&#8217;s Breakfast</title>
		<link>http://techmiso.com/2397/chrome-os-google-gorilla-to-eat-microsofts-breakfast/</link>
		<comments>http://techmiso.com/2397/chrome-os-google-gorilla-to-eat-microsofts-breakfast/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 10:13:24 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[chrome]]></category>
		<category><![CDATA[chrome os]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[os]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2397</guid>
		<description><![CDATA[Heads up Ballmer, the boys at Google are on the hunt. Larry and Sergey are planning a strategic strike at the heart of Microsoft&#8217;s flagship product, Windows. In a recent announcement on The Official Google Blog, Google says they are ramping up a new hopeful in the OS market &#8212; Chrome OS. If Chrome OS [...]]]></description>
			<content:encoded><![CDATA[<p>Heads up Ballmer, the boys at Google are on the hunt. Larry and Sergey are planning a strategic strike at the heart of Microsoft&#8217;s flagship product, Windows.</p>
<p>In a <a title="Chrome OS - TechMiso" href="http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html" target="_blank">recent announcement</a> on The Official Google Blog, Google says they are ramping up a new hopeful in the OS market &#8212; Chrome OS.</p>
<p>If Chrome OS runs with speeds anything like Google Chrome (the browser), then Microsoft is staring up the nose of a 300-pound gorilla.<br />
<span id="more-2397"></span><br />
Web surfing in 3 seconds? Google has this to say:</p>
<blockquote><p>Speed, simplicity and security are the key aspects of Google Chrome OS. We&#8217;re designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds.</p></blockquote>
<p>Google is banking on their vision of web-everything. No more local data on your workstation. No more backups. Lower hardware compatibility problems. Portability. In other words, park everything you have on the internet:</p>
<blockquote><p>They want their data to be accessible to them wherever they are and not have to worry about losing their computer or forgetting to back up files. Even more importantly, they don&#8217;t want to spend hours configuring their computers to work with every new piece of hardware, or have to worry about constant software updates.</p></blockquote>
<p>Google is promising us security, speed and functionality with Chrome OS. These are all areas of daily computing that in some way or shape have given us all lousy experiences with Microsoft.</p>
<p>With <a title="cloud computing" href="http://techmiso.com/269/cut-the-fat-with-google-business-apps-and-microsoft-online-services/">cloud computing</a> taking a firm hold on the internet and broadband speeds bouncing higher and higher, there&#8217;s little reason why Google&#8217;s vision can&#8217;t come through to reality.</p>
<p>Just imagine-<br />
Flip your computer on and in a <em>few brief seconds</em> be on the web surfing, checking email and plowing through your daily computing needs. Insane concept, but now closer to reality &#8212; thanks to Google.</p>
<p>Microsoft, however, isn&#8217;t just sitting idle on the secure browser sidelines watching all this Google hype go down. They&#8217;re chalk-boarding their own game plan for a &#8216;multi-principal OS&#8217; code-named <a href="http://research.microsoft.com/pubs/79655/gazelle.pdf">Gazelle</a>.</p>
<p>This takes the browser [or OS?] wars to an all-new level in the tit-for-tat software battle. Gentlemen, choose your operating weapon.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2397/chrome-os-google-gorilla-to-eat-microsofts-breakfast/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Winning In A Competitively Staffed IT Environment</title>
		<link>http://techmiso.com/2375/winning-in-a-competitively-staffed-it-environment/</link>
		<comments>http://techmiso.com/2375/winning-in-a-competitively-staffed-it-environment/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 09:00:05 +0000</pubDate>
		<dc:creator>Rich Chuckrey</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[hr]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[IT team]]></category>
		<category><![CDATA[productivity]]></category>
		<category><![CDATA[tips]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2375</guid>
		<description><![CDATA[Have you been at a job where you admired a successful IT colleague of yours? Someone you were amazed by? Maybe even blown away by their level of proficiency? Did that person seem to complete work effortlessly? Were they ultra-productive in the work environment? Could you accept this person into your personal realm? Or did [...]]]></description>
			<content:encoded><![CDATA[<p>Have you been at a job where you admired a successful IT colleague of yours? Someone you were amazed by? Maybe even blown away by their level of proficiency?</p>
<p>Did that person seem to complete work effortlessly? Were they ultra-productive in the work environment?</p>
<p>Could you accept this person into your personal realm? Or did you feel threatened? Were you ready to develop this new relationship or did you quickly throw up your defenses?<br />
<span id="more-2375"></span><br />
Inside most [if not all] IT team environments there exists a competitive atmosphere among staff members. Whether rivalries are obvious or hidden, healthy or toxic, they exist.</p>
<p>You generally see two types of people &#8212; those that are willing to work <em>together</em> on projects and those that would rather isolate themselves on self-fulfilling tasks while repelling their team or, worse yet, repelling their bosses.</p>
<p><strong>Team-</strong></p>
<p>To win in a competitively staffed IT environment, your most successful bet is to adopt those around you regardless of your skill set or theirs. Always strive towards being a positive force on your IT team by showing your motivation to teach &#8212; or showing your willingness to be taught.</p>
<p>Being negative in any fashion will get you nowhere.</p>
<p>I&#8217;ve seen it happen before. The IT tech that sits at her desk, plugging away at her computer and failing miserably to integrate with her team. This person&#8217;s best effort to interact is a carpet-burning route back-and-forth to the company fridge and Coke machines.</p>
<p>I&#8217;ve watched a network engineer talk to and treat fellow staff as if those people were 3-year olds in kindergarten. Granted, his attitude is more likely a fear rooted deep within himself. And likely an unfounded fear of becoming obsolete or pushed back to second place.</p>
<p>I sense from watching folks that react negatively in a challenging environment that they have rarely been effective in their own lives. They have likely developed a strong pattern of trying to manipulate others for their own success. Quick to judge and reluctant to budge.</p>
<p>Have you ever prematurely judged someone? Maybe as they just stepped off the plane? Maybe you thought their ego was massive when you barely even knew them?</p>
<p><strong>Egos-</strong></p>
<p>Egos are easy to misread in the IT arena. Naturally, all technical staff have a varying degree of technical knowledge which sometimes incorrectly translates to an ego. If IT folks didn&#8217;t have technical knowledge they of course wouldn&#8217;t be in IT. It&#8217;s this technical knowledge that tends to blind folks into believing they are superior or maybe even inferior. When in fact it&#8217;s an individual&#8217;s knowledge that makes the team diverse and successful.</p>
<p>It&#8217;s well known that people with large egos often have low self esteem. In turn, low self esteem is most noticeable in people who need constant praise to continue functioning in their lives. In other words, those who are egotistical need to be stroked and stroked often. The cold truth is that there&#8217;s little to NO time for stroking in an IT environment. The satisfaction of getting the job done in high tempo operations is a stroke in and of itself.</p>
<p>Large egos often manifest themselves through low self esteem. In turn, folks with large egos often produce poor levels of job performance. Egoists also tend to cry foul more than others. This type of self-suffocation can kill an IT environment &#8212; where self-motivated and ultra-performing staff are most desirable.</p>
<p><strong>Winning-</strong></p>
<p>Focus on your team and scrap your ego. One of the most difficult things to accomplish as an IT careerist is introspection. Assess yourself, your performance and your skill set. Size yourself up and gauge your effectiveness as it relates to your surroundings. Constantly tweak your approach &#8212; both technical and sociable. Complacency kills.</p>
<p>Challenges in IT present countless opportunities to excel. The sheer number of technical projects affords everyone a chance to shine and excel. Believe in yourself and believe you can [and should] always complement your team in a positive fashion.</p>
<p>Are you winning with your IT team or are you on the outside peering in?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2375/winning-in-a-competitively-staffed-it-environment/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Dying For A Job?</title>
		<link>http://techmiso.com/2360/dying-for-a-job/</link>
		<comments>http://techmiso.com/2360/dying-for-a-job/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 11:00:22 +0000</pubDate>
		<dc:creator>Greg Hill</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[health]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2360</guid>
		<description><![CDATA[I&#8217;m not talking about being out of work.  I&#8217;m talking about six feet under.  If your job predominately consists of sitting in a chair and moving only your hands all day long, it may just be killing you. The human body was not designed to be sedentary; it was made to move.  And that is [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/2360/dying-for-a-job/"><img class="size-thumbnail wp-image-2364" src="http://techmiso.com/wp-content/uploads/2009/07/fat-bastard-300x286.jpg" alt="Fat Bastard" width="300" height="286" class="alignright" /></a>I&#8217;m not talking about being out of work.  I&#8217;m talking about six feet under.  If your job predominately consists of sitting in a chair and moving only your hands all day long, it may just be killing you.</p>
<p>The human body was not designed to be sedentary; it was made to move.  And that is why I say that exercise is the key to good health.  Being thin and trim does not necessarily equate to being healthy.  Studies have shown that overweight, active people are generally healthier than thin, inactive people.  Why is that?  Because our bodies are actually a lot like machines.  If you don&#8217;t lubricate it and keep it moving, it will eventually cease to function.  Plain and simple.  Use it or lose it!</p>
<p><span id="more-2360"></span></p>
<p>Unfortunately in today&#8217;s tech-oriented world, with virtual networks and remote control, you may never even have to get up out of your chair, and your toughest daily workout might only consist of walking to and from your car or an occasional meeting.  This will definitely not get you into shape.</p>
<p>So, what can you do?  Firstly, you need to come to a determination that you want to be healthy and not die at a young age.  If you have no motivation to be healthy, nothing anyone says will change your ways, and this is nothing short of suicide.  Fortunately, getting and staying healthy is not at all difficult.</p>
<p>Ultimately, some kind of vigorous exercise for at least 10 minutes on a daily basis will improve your physical condition.  It could be running, biking, racquetball, basketball, fast walking, sex, or just mowing the yard.  Anything that elevates your heart rate and respiration will help.</p>
<p>At work, when others are going out to smoke or eat doughnuts, you can do some simple exercises right at your desk.  Google <a href="http://www.google.com/search?q=%22workout+at+the+office%22">&#8220;workout at the office&#8221;</a> or something similar to get a myriad of easy exercises to help keep your body moving and burning calories.</p>
<p>Other simple and easy ideas include:</p>
<ul>
<li>When moving between floors, take the stairs.</li>
<li>Park your car farther away so you have to walk more.</li>
<li>Cut down on the amount of TV you watch, since it involves even more sitting.</li>
<li>If you must watch TV, exercise while you&#8217;re doing it.  You can mindlessly exercise while you mindlessly watch your favorite, mindless TV show.</li>
</ul>
<p>We can still be techies, play games, watch TV and be in good shape; but moderation, as well as a good exercise program is essential.</p>
<p>The Health Geek</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2360/dying-for-a-job/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Stop Password Masking &#8211; Is Usability More Crucial Than Security?</title>
		<link>http://techmiso.com/2351/stop-password-masking-is-usability-more-crucial-than-security/</link>
		<comments>http://techmiso.com/2351/stop-password-masking-is-usability-more-crucial-than-security/#comments</comments>
		<pubDate>Mon, 06 Jul 2009 03:30:48 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[usability]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2351</guid>
		<description><![CDATA[Jakob Nielsen, a widely known expert in the field of web usability, recently stirred up a shit storm of controversy after proclaiming that it is time to stop masking passwords because usability suffers. His claim hinges on the lack of true feedback when typing passwords. Making matters worse, world-renowned security expert Bruce Schneier agreed with [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/2351/stop-password-masking-is-usability-more-crucial-than-security/"><img src="http://farm1.static.flickr.com/48/118666362_9ffba2a668_m.jpg" alt="| apple-command |" title="| apple-command |" hspace="5" border="0" class="alignright" /></a>Jakob Nielsen, a widely known expert in the field of <em>web usability</em>, recently stirred up a shit storm of controversy after <a href="http://www.useit.com/alertbox/passwords.html">proclaiming that it is time to stop masking passwords because usability suffers</a>. His claim hinges on the lack of true feedback when typing passwords. Making matters worse, <a href="http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html">world-renowned security expert Bruce Schneier agreed with Nielsen</a>, hopping on the same idiotic train Nielsen is driving. Is password masking really such an important issue in need of immediate resolution?</p>
<p><span id="more-2351"></span></p>
<p>Nielsen offers very little evidence to support his claim that it is time to stop masking passwords. He essentially boils this perceived usability problem down to the <a href="http://www.useit.com/papers/heuristic/heuristic_list.html">basic rules of usability</a> whereby providing feedback is one of the fundamental tenets. He stipulates displaying undifferentiated bullets in place of complex user entered codes fails to comply with this decree. </p>
<p>Taken at face value, Nielsen is absolutely correct &#8211; usability suffers. Fortunately, rarely are security decisions made solely on the basis of such simplistic concerns.</p>
<blockquote><p>Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn&#8217;t even increase security, but it does cost you business due to login failures.</p></blockquote>
<p>Considering the explosive growth of the web, and e-commerce in particular, I find the aforementioned statement a stunningly ignorant hypothesis. Surely people forget their passwords or mistype them often enough to be annoyed with login security. However, the amount of business Amazon, eBay, Apple and other businesses do online tells me that losing business due to login failures is closer to fiction than fact.</p>
<p>While Nielsen may be a highly regarded web usability expert, he is definitely not an authority on information security.</p>
<blockquote><p>Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users&#8217; shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn&#8217;t even protect fully against snoopers.</p>
<p>More importantly, there&#8217;s usually nobody looking over your shoulder when you log in to a website. It&#8217;s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.</p></blockquote>
<p>There is nothing theoretical about masking passwords so miscreants in close proximity are unable to see the password &#8211; this is fact. By masking the password, the scoundrel has to see every key on the keyboard and be able to determine which keys are pressed in which order.</p>
<p>If the password is not masked, the offender can be much further away to steal the password. All they need to do to capture the password is <em>look at the screen</em>, which can be done from a good distance away and without the user&#8217;s knowledge that they are being watched so closely.</p>
<p>I do not know what type of environment Nielsen is used to working in, but not all offices are designed with the personal cubicle in mind. Many businesses house a number of people sitting side-by-side with absolutely no barriers between desks to prevent this type of snooping, whether accidentally or purposely.</p>
<p>Skilled snooper or otherwise, the minimal amount of security added by masking passwords compared to the perceived lack of usability is a risk the majority of consumers are willing to take. In the grand scheme of security, is this issue really worth spending so much time on?</p>
<p>I see this train of thought every day at work. People want X, Y or Z because it is convenient, completely ignoring the many security policies implemented to protect the network from compromise. There is a tradeoff between security and convenience, with the best policy falling directly in the middle of both, allowing users to feel secure while not feeling overburdened with unnecessary and possibly arbitrary security policies.</p>
<p>Schneier recently posted an update to his thoughts on password masking, <a href="http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html">clarifying his thoughts</a> on the issue. He hits the nail right on the head with the following statement.</p>
<blockquote><p>I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.</p></blockquote>
<p>While usability in password entry forms is somewhat an issue, overall it is not really at a critical point where a solution is immediately necessary. Usability mostly suffers on mobile implementations such as the iPhone, where it is far more difficult to type complex passwords into web forms. But unlike other implementations, Apple struck a good balance between usability and security.</p>
<p>The ultimate solution is to turn password masking into an option with it set to mask by default. Then users who desire to see their passwords can be appeased while still affording businesses the option to implement masking on an enterprise level. Putting a complete end to masking is not the solution &#8211; alternative means of entering passwords is where we need to migrate, such as biometrics, smart-cards, etc.</p>
<p>What Nielsen ultimately demonstrates is that solutions to problems involving security are not cut and dry. Although his key issue is usability, the dilemma is founded in security.</p>
<p>While I love the discussion provoked by his call for an end to password masking, it unfortunately follows the same train of thought I deal with every single day &#8211; security vs. convenience. Which side do you err on?</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2351/stop-password-masking-is-usability-more-crucial-than-security/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>I Refuse to Upgrade to an iPhone 3GS</title>
		<link>http://techmiso.com/2287/i-refuse-to-upgrade-to-an-iphone-3gs/</link>
		<comments>http://techmiso.com/2287/i-refuse-to-upgrade-to-an-iphone-3gs/#comments</comments>
		<pubDate>Sun, 28 Jun 2009 06:30:15 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iphone 3g]]></category>
		<category><![CDATA[iphone 3gs]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2287</guid>
		<description><![CDATA[A few short weeks ago Apple released the highly anticipated upgrade to their flagship iPhone 3G, apparently aptly dubbed the iPhone 3GS. The “S” is presumably for speed because the updated product is touted as being twice as fast as its predecessor. Even though the new phone is the most advanced mobile phone on the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/2287/i-refuse-to-upgrade-to-an-iphone-3gs/"><img src="http://farm4.static.flickr.com/3546/3641828448_61c0438602_m.jpg" alt="New iPhone 3GS" title="New iPhone 3GS" hspace="5" border="0" class="alignright" /></a>A few short weeks ago <a href="http://techmiso.com/2202/pragmatic-thoughts-about-apple%e2%80%99s-wwdc-product-releases/">Apple released the highly anticipated upgrade to their flagship iPhone 3G</a>, apparently aptly dubbed the iPhone 3GS. The “S” is presumably for speed because the updated product is touted as being twice as fast as its predecessor. Even though the new phone is the most advanced mobile phone on the market today, yours truly will be sticking with the trusty iPhone 3G.</p>
<p><span id="more-2287"></span></p>
<p>It was love at first sight for my iPhone 3G and me. Ever since I scored an iPhone 3G on the first day the product was launched in Japan I have been nothing short of faithful. </p>
<p>About the only time you do not see me with my iPhone in tow is when I am at work, and that is only because we do not allow personal computing devices in our building due to security concerns. Trust me &#8211; if they were allowed I would be sporting one all over work!</p>
<p>While the iPhone 3GS, from all appearances, is an exciting product it just does not seem to be the compelling upgrade I was hoping for Apple to offer. Not only do the features seem somewhat inconsequential, SoftBank makes matters worse by charging upgraders roughly ¥2300/mo for the 32GB device. This translates into ¥55000 for a device that is almost half that cost.</p>
<p>But even if SoftBank had a better pricing structure I would still not consider snatching up an iPhone 3GS. Why pay $300 simply for a faster processor, a better still picture camera, the ability to record video, voice control as well as a compass? These features do not warrant an upgrade &#8211; as I said before, the feature set is <em>not</em> a compelling reason for paying the exorbitant prices required to upgrade.</p>
<p>What I have done, and what I hope every iPhone 3G owner is doing, is upgrade to iPhone OS 3.0. That upgrade was unquestionably compelling <em>and</em> wholly worth the price. However, I will add that there does seem to be a noticeable performance hit with iPhone OS 3.0 on the iPhone 3G. The device does lag more so now than previously, but it is one I can deal with until next June, when Apple <em>hopefully</em> offers a truly compelling reason to upgrade.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2287/i-refuse-to-upgrade-to-an-iphone-3gs/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Dear Safari&#8230;</title>
		<link>http://techmiso.com/2183/dear-safari/</link>
		<comments>http://techmiso.com/2183/dear-safari/#comments</comments>
		<pubDate>Sat, 06 Jun 2009 22:36:14 +0000</pubDate>
		<dc:creator>Yorick Peterse</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[safari]]></category>
		<category><![CDATA[tabs]]></category>
		<category><![CDATA[webbrowser]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2183</guid>
		<description><![CDATA[Tabs, bookmarks, search forms, these are all features that we take for granted when it comes to browsing the web using our favourite web browser. We expect it to work, to be fast, and most important, it shouldn’t bother us with stupid behaviour or messages. Every major web browser supports tabbed browsing these days, it [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://techmiso.com/wp-content/uploads/2009/06/apple_safari.jpg" alt="Safari logo" width="150" height="169" class="alignright" />Tabs, bookmarks, search forms, these are all features that we take for granted when it comes to browsing the web using our favourite web browser. We expect it to work, to be fast, and most important, it shouldn’t bother us with stupid behaviour or messages.</p>
<p>Every major web browser supports tabbed browsing these days, it makes it easier to maintain the websites you are visiting. Mozilla Firefox, Opera, Safari,  even Internet Explorer supports tabs. Seeing that the concept of using tabs has been around for a while, you’d think it would be trouble free, too bad you’re wrong. In this case there’s a problem with Apple’s Safari, a problem that could’ve been solved a long time ago as Safari has been supporting tabs since April 2003.</p>
<p><span id="more-2183"></span></p>
<p>When you click on a link Safari opens it as it should, however, if that link has the target attribute specified as “_blank” it will open it in a new window. Sounds normal, right? In theory it is, but the problem is that Safari is the only browser out there that opens these links in a new window, rather than in a new tab. You actually have to press and hold the Command / Ctrl button and click the link in order to open it in a new tab. It may seem like something small, but it can get really annoying when you don’t expect it to behave that way. I ended up searching for my windows many times, just because I thought I lost my sites for some reason, only to find out it was hidden behind the newly opened window.</p>
<p>Imagine the following, you’re working on a company related project and you need to search for information. You’ll open up Wikipedia, Google and perhaps your Twitter account to tweet about the fact that you just moved your mouse 5 centimetres to the left. You found the right website on Wikipedia and you click on the link, suddenly your window with the three tabs is gone and is replaced by the website you just opened. If you don’t know that Safari opens certain links in a new window, this can be pretty frustrating. Especially if you have little computer knowledge.</p>
<p>Not having the right behaviour was one of the reasons I stopped using Safari and downloaded the 3.6 Alpha version of Firefox. When I did some more research on Safari a while ago, I found out that there’s a plugin called SafariStand. However, a browser with such a good rendering engine and such a big company as Apple developing it should’ve had this behaviour by default. It’s a bit like installing a plugin for your car, just to make it beep when you left the lights on and you opened the door.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2183/dear-safari/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>HOWTO Install Cherokee, MySQL, PHP and WordPress on Ubuntu 9.04 Jaunty Jackalope</title>
		<link>http://techmiso.com/2164/howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-904-jaunty-jackalope/</link>
		<comments>http://techmiso.com/2164/howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-904-jaunty-jackalope/#comments</comments>
		<pubDate>Thu, 04 Jun 2009 19:00:36 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[cherokee]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[mysql]]></category>
		<category><![CDATA[php]]></category>
		<category><![CDATA[ubuntu]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=2164</guid>
		<description><![CDATA[Cherokee is a smoking hot up-and-coming web server capable of hanging with Apache while consuming exponentially less resources than its older sibling. As we wrote earlier, Cherokee saved TechMiso from Apache scalping all available RAM, ultimately allowing us to continue to provide the same service we provide today but with far better memory consumption. Learn [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/2164/howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-904-jaunty-jackalope/"><img src="http://techmiso.com/wp-content/uploads/2009/06/cherokee-ubuntu-300x225.jpg" alt="Cherokee on Ubuntu" title="Cherokee on Ubuntu" width="300" height="225" class="alignright size-thumbnail wp-image-2166" /></a>Cherokee is a smoking hot up-and-coming web server capable of hanging with Apache while consuming exponentially less resources than its older sibling. As we wrote earlier, Cherokee saved TechMiso from Apache scalping all available RAM, ultimately allowing us to continue to provide the same service we provide today but with far better memory consumption. Learn how to install and configure Cherokee, MySQL, PHP and WordPress on Ubuntu 9.04 Jaunty Jackalope for a lean, mean, efficient web serving machine.</p>
<p><strong>Update</strong>: Please see <a href="http://jark.me/124/howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-11-10-oneiric-ocelot/">this newer article on jark.me</a>, written by me, discussing how to install Cherokee, MySQL, PHP and WordPress on Ubuntu 11.10 Oneiric Ocelot. It is more accurate and current, and takes into account some updates to Cherokee and Ubuntu.</p>
<p><span id="more-2164"></span></p>
<p>As an aside, TechMiso is currently operating on a 256 slice at SliceHost. If you are a SliceHost user then the following HOWTO should work without the need for any peculiar tweaks. This <em>should</em> work right out the box.</p>
<p><strong>1. Install MySQL</strong></p>
<p><code># sudo apt-get install mysql-server mysql-client</code></p>
<p>The above merely installs MySQL with the defaults, which is entirely insecure out the box. Since we take security seriously we need to set a root password and perform additional security checks before proceeding. Execute the following command and follow the on-screen prompts.</p>
<p><code># mysql_secure_installation</code></p>
<p>MySQL is now installed and should operate fairly smoothly and without issue. However, if the goal is to strictly use WordPress then the MySQL daemon should be tweaked a bit in order to save on memory consumption.</p>
<p><code># sudo vi /etc/mysql/my.cnf</code></p>
<p>Ensure the following entries have similar options set in the MySQL configuration file:</p>
<p><code>key_buffer = 16M<br />
max_allowed_packet = 8M<br />
thread_stack = 64K<br />
thread_cache_size = 4<br />
skip-innodb</code></p>
<p>The last entry is an important one and will lower MySQL memory consumption considerably.</p>
<p><strong>2. Install PHP</strong></p>
<p>WordPress relies upon the PHP scripting language and MySQL database storage to perform just about every ounce of its magic. For this reason it is imperative that not only the plain vanilla PHP be installed but the ability for PHP to interface with MySQL as well. </p>
<p>Additionally, since Cherokee is not compatible with Apache modules it is necessary to install the CGI version of PHP rather than mod_php. This is an important distinction between Apache and Cherokee. Although in most testing mod_php outperforms php-cgi, the speed differences are so negligible that most folks will never notice.</p>
<p><code># sudo apt-get install php5-cgi php5-mysql</code></p>
<p><strong>3. Install Cherokee</strong></p>
<p>Cherokee can be installed in a variety of ways. By default, Ubuntu has support for Cherokee in its existing repositories. However, development on Cherokee is happening at breakneck speeds. Since the default Ubuntu repositories are incapable of keeping up with this type of rapid development, that leaves only two real options: compile from source or use an alternative repository. For the sake of this HOWTO we opted for the latter, since using apt is the preferred Ubuntu installation method.</p>
<p>The first thing we need to do is modify the apt sources.list file to point to a repository where Cherokee can be found.</p>
<p><code># sudo vi /etc/apt/sources.list</code></p>
<p>Add the following lines to the end of /etc/apt/sources.list.</p>
<p><code>deb http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main<br />
deb-src http://ppa.launchpad.net/cherokee-webserver/ppa/ubuntu jaunty main</code></p>
<p>Before being able to download the files in the repository <a href="https://help.launchpad.net/Packaging/PPA#Adding%20a%20PPA%20to%20your%20Ubuntu%20repositories">the security key used to sign the packages needs to be added</a> to the operating system. This effectively assures you that the Cherokee files being downloaded from Launchpad have not been modified since they were built and that you are <a href="https://launchpad.net/~cherokee-webserver/+archive/ppa">downloading Cherokee from a trusted repository</a>.</p>
<p>To make things easy for our readers, simply execute the following command. If you want to verify the accuracy of the key then please double-check the data against that provided on <a href="http://keyserver.ubuntu.com:11371/pks/lookup?search=0x0AD0B667B67DAA477F5FF89F51BB8E83EBA7BD49&#038;op=index">this page</a>. Otherwise, just perform the following:</p>
<p><code># sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0x0ad0b667b67daa477f5ff89f51bb8e83eba7bd49</code></p>
<p>Now that Ubuntu is configured to read from the proper repository and is capable of ensuring the authenticity of files downloaded from said repository, we need to run an update and pull the latest list of available files. Perform an update with the following:</p>
<p><code># sudo apt-get update</code></p>
<p>Upon completion Cherokee can be easily installed with apt, just like any other application install on Ubuntu.</p>
<p><code># sudo apt-get install cherokee</code></p>
<p>This will complete a basic installation and configuration of Cherokee web server on Ubuntu. Test the installation by starting Cherokee to ensure it is capable of executing without issue.</p>
<p><code># sudo /etc/init.d/cherokee start</code></p>
<p>Assuming everything went as planned then Cherokee should start. Surf to your server to ensure a basic static page can be served without any problems. If you are able to load a page in your browser then the next step is ensuring PHP parsing is functioning properly. </p>
<p><code># sudo vi /var/www/test.php</code></p>
<p>Once in the editor, paste the following PHP code in to the file:</p>
<p><code>&lt;?php phpinfo(); ?&gt;</code></p>
<p>Surf to http://domain.com/test.php and presumably a PHP information page should be displayed in the browser if everything is functioning as expected. If PHP is not properly parsing the file then it may be necessary to do a little digging to see what the problem may be. During the WordPress installation phase of this HOWTO we will cover a Cherokee configuration option which may help reconcile any potential PHP roadblocks at this juncture. It might be worthwhile to place your troubleshooting in a holding pattern until that area is covered. Once PHP is confirmed to be working, delete test.php, since the phpinfo() output exposes details of the server configuration to anyone who requests the page.</p>
<p>If you previously installed Apache and would like to run Cherokee <em>instead</em> of Apache then you need to ensure the latter no longer automatically starts upon system reboot. Perform the following to remove Apache from the different runlevel startup links:</p>
<p><code># sudo update-rc.d -f apache2 remove</code></p>
<p>At this point the hard part is done. MySQL, PHP and Cherokee are all installed and should be completely functional. </p>
<p><strong>4. Installing WordPress &#8211; Configuring Cherokee for WordPress</strong></p>
<p>Cherokee is the perfect medicine for serving up a WordPress site. It is not only perfect for small sites but large ones as well, generally outperforming Apache in most respects. WordPress is not that complicated but does present a few challenges for Cherokee and will not function right out the box.</p>
<p>Before installing and configuring WordPress there are some modifications to the Cherokee configuration to be completed. These changes ensure WordPress is completely functional.</p>
<p>As with most Ubuntu-based web servers, the document root is in <strong>/var/www</strong>. For the sake of the WordPress installation portion of the HOWTO we are going to make a couple of assumptions:</p>
<ul>
<li>The document root will remain <strong>/var/www</strong> and <em>not</em> be moved elsewhere.</li>
<li>WordPress will be installed in the document root as opposed to a subdirectory. Rather than install in /var/www/wordpress we are placing the WordPress installation in the document root. There is no specific reason for using either method, though the former does add additional unnecessary complication to the equation. Our intent is to keep this as simple as possible.</li>
</ul>
<p>As mentioned in our initial Cherokee write-up, one of the exciting features of the product is the web-based administration tool, cherokee-admin. Rather than fiddling around with text files which may not mean much to an administrator new to Cherokee, the server can be entirely set up from cherokee-admin. Just about every feature of Cherokee can be set from within this beautiful utility.</p>
<p>Cherokee was built with security in mind so by default cherokee-admin does not allow connections from the world. The easy way to fix this is to set up an SSH tunnel using your favorite SSH client.</p>
<p>Mac and Linux SSH tunnels are very easy to set up. PuTTY on Windows is more than capable of handling SSH tunneling so the configuration should not be much different than the following command-line SSH client:</p>
<p><code># ssh -L 9090:127.0.0.1:9090 domain.com</code></p>
<p>Once logged in, execute the following command to launch cherokee-admin:</p>
<p><code># sudo cherokee-admin</code></p>
<p>Cherokee-admin should launch and present you with both a username (admin) and one-time password. Copy the password to the clipboard and fire up <a href="http://127.0.0.1:9090/">http://127.0.0.1:9090/</a> in a web browser. When prompted with the HTTP authentication dialog merely enter those same credentials. Assuming the authentication was successful, the browser should be illuminated by the beauty and simplicity of cherokee-admin.</p>
<p>Now that cherokee-admin is functioning it is time to configure Cherokee to handle WordPress. For the sake of this HOWTO we are going to make some minor modifications to the default Cherokee virtual host rather than set up a brand new one. If desired, though, you may configure a new virtual host with the following rules and WordPress should function just fine.</p>
<ul>
<li>Surf to <em>Virtual Servers</em> and then click on <em>default</em> so we can configure the catch-all virtual host.</li>
<li>Once there, you should be presented with a page with seven configuration tabs. Select <em>Behavior</em>.</li>
<li>Delete <strong>all</strong> the rules <em>except</em> for <em>default</em> and <em>php</em> (if it exists) by clicking the icon to the very right of each rule. Do <strong>not</strong> delete the default rule.</li>
<li>Modify the <em>default</em> rule to force all traffic to WordPress by clicking on <em>default</em> and selecting the <em>Handler</em> tab.</li>
<li>On the Handler tab, change the <em>handler</em> setting to <em>Redirection</em>, <em>Show</em> to <em>Internal</em>, <em>Regular Expression</em> to <em>^(.+)$</em> and <em>Substitution</em> to <em>/index.php</em> and hit Enter to confirm the modification.</li>
</ul>
<p>If everything went as planned then the configuration should look like so:</p>
<p><img src="http://techmiso.com/wp-content/uploads/2009/06/cherokee-admin-default-handler.jpg" alt="cherokee-admin-default-handler.jpg" border="0" width="552" height="206" class="nil" /></p>
<p>As mentioned on the <a href="http://www.cherokee-project.com/doc/cookbook_wordpress.html">Cherokee WordPress cookbook</a>, it is a smart idea to add a few additional rules to fine tune Cherokee&#8217;s handling of WordPress. Take a look at the following image and create a similar set of rules, taking care not to change the handler defaults after selecting the proper handler type. It is all pretty straightforward and easy to do, especially since cherokee-admin is such a good facilitator for configuring Cherokee.</p>
<p>Essentially, the idea is to add a <em>List &#038; Send</em> handler for the following directories: <strong>/wp-includes</strong>, <strong>/wp-content</strong> and <strong>/wp-admin</strong>. If you are running <a href="http://haveamint.com/">Mint</a> then you should add the same for that directory as well.</p>
<p><a href="http://techmiso.com/wp-content/uploads/2009/06/cherokee-admin-wordpress-handlers-full.jpg"><img src="http://techmiso.com/wp-content/uploads/2009/06/cherokee-admin-wordpress-handlers-small.jpg" alt="cherokee-admin-wordpress-handlers-small.jpg" border="0" width="500" height="244" class="nil" /></a></p>
<p>At this point, now that all the configuration changes have been prepared, it is necessary to save them and restart Cherokee so they take effect. Merely click the <em>Save Changes</em> button on the left-hand side of the cherokee-admin interface and if all went well you should see a message at the top stating, &#8220;Configuration saved. Graceful restart performed.&#8221;</p>
<p>Cherokee is now prepared for WordPress and should allow the content management system to function without issue, assuming all directions until this point have been followed.</p>
<p><strong>5. Installing WordPress &#8211; Preparing MySQL</strong></p>
<p>Prior to installing WordPress it is necessary to prepare the MySQL database and user permissions. It is good practice to create a database and user specifically for WordPress use rather than reusing existing ones. To perform these actions it is necessary to launch the MySQL command-line client as such.</p>
<p><code># mysql -u root -p</code></p>
<p>Use the root password specified in Step 1 when MySQL was installed and the <em>mysql_secure_installation</em> command was executed. Once in MySQL, a database and user need to be created using the following commands.</p>
<p><code>CREATE DATABASE wordpress;<br />
GRANT ALL PRIVILEGES ON wordpress.* TO wordpress_user@localhost IDENTIFIED BY 'some_password';<br />
FLUSH PRIVILEGES;<br />
quit;</code></p>
<p>The database name <em>wordpress</em>, user <em>wordpress_user</em> and password <em>some_password</em> can all be substituted with values you feel more comfortable using. At this point, MySQL is prepped and ready for WordPress.</p>
<p><strong>6. Installing WordPress</strong></p>
<p><a href="http://wordpress.org/download/">Download a copy of WordPress</a> and unzip it to /var/www. The root WordPress files should reside directly in /var/www rather than a subdirectory like /var/www/wordpress. Remember, we decided to install WordPress in our document root and not elsewhere.</p>
<p>In your web browser surf to http://your-domain.com and follow the on-screen instructions for setting up WordPress. When asked, ensure you enter the proper MySQL database, user and password as specified in Step 5. Do not use the root user and password for WordPress, otherwise you risk getting your entire setup owned. Who wants that?</p>
<p><strong>7. Success!</strong></p>
<p>Assuming all went well, and this HOWTO was properly followed, you should now have a completely functioning Cherokee, MySQL, PHP and WordPress installation. This setup is not only perfect for a server with minimal resources but any server and for just about any reason. By opting for Cherokee, you ultimately support a small yet vibrant community of exceptional developers and users who are interested in this wicked little web server.</p>
<p><strong>8. Resources</strong></p>
<ul>
<li><a href="http://www.cherokee-project.com/">Cherokee</a></li>
<li><a href="http://www.mysql.com/">MySQL</a></li>
<li><a href="http://www.php.net/">PHP</a></li>
<li><a href="http://wordpress.org/">WordPress</a></li>
<li><a href="http://releases.ubuntu.com/9.04/">Ubuntu 9.04</a></li>
<li><a href="http://www.cherokee-project.com/doc/cookbook_wordpress.html">Cherokee WordPress Cookbook</a></li>
<li><a href="http://www.howtoforge.com/how-to-install-and-configure-cherokee-web-server-with-php5-and-mysql5-on-ubuntu-8.10">How To Install And Configure Cherokee Web Server With PHP 5 And MySQL 5 Support On Ubuntu 8.10 Server (Intrepid Ibex)</a></li>
<li><a href="howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-904-jaunty-jackalope">Adding a PPA&#8217;s keys to your system</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/2164/howto-install-cherokee-mysql-php-and-wordpress-on-ubuntu-904-jaunty-jackalope/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>HOWTO Install Squid Web Proxy Server with Active Directory Authentication</title>
		<link>http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/</link>
		<comments>http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/#comments</comments>
		<pubDate>Wed, 13 May 2009 22:10:27 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[squid]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=1934</guid>
		<description><![CDATA[<img width="570" height="350" src="http://techmiso.com/wp-content/uploads/2012/03/squid-attack-570x350.jpg" class="attachment-wap8-standard-format wp-post-image" alt="Squid Attack" title="Squid Attack" />Web Proxy servers are an essential aspect of a solid network perimeter defense strategy. Exposing the fragile desktop client to the internet at-large by allowing direct connections to the internet is dangerous and may lead to compromise. This can be exacerbated if the overall network security strategy is not sufficient. Web Proxy servers can help [...]]]></description>
			<content:encoded><![CDATA[<img width="570" height="350" src="http://techmiso.com/wp-content/uploads/2012/03/squid-attack-570x350.jpg" class="attachment-wap8-standard-format wp-post-image" alt="Squid Attack" title="Squid Attack" /><p>Web Proxy servers are an essential aspect of a solid network perimeter defense strategy. Exposing the fragile desktop client to the internet at-large by allowing direct connections to the internet is dangerous and may lead to compromise. This can be exacerbated if the overall network security strategy is not sufficient. Web Proxy servers can help alleviate a number of security concerns while offering a central facility for logging and content verification. In an enterprise environment, Web Proxy servers are used to enforce acceptable use and security policies. Learn how to configure Squid to enable Active Directory authentication for an enterprise web proxy solution.</p>
<p><span id="more-1934"></span></p>
<p><strong>Note</strong>: This HOWTO was originally written a couple years ago on an older site of mine but I thought it would be worthwhile to share here on TechMiso. All steps outlined should continue to work as directed but there may be some <em>small</em> nuances requiring <em>minor</em> tweaking. If you run in to problems just post a comment and we can take it from there.</p>
<p><strong>The 10 Legged Creature.</strong></p>
<p>One of the premier web proxy servers available today is Squid. It is the most popular HTTP proxy available today, mainly because it offers a comprehensive set of features and is highly configurable, all while being open source and free. It runs on just about any Linux distribution and scales better than any other application of its kind. Plus, as I mentioned, it&#8217;s cheap!</p>
<p>For the sake of this exercise, Squid is being deployed to an enterprise network to act in the capacity of a web proxy. By doing so, Squid will be an intermediary for all web browsing between network users and the destination web sites they desire to browse. When a user requests to visit a site that request will go first to Squid, which will then establish a connection with the destination, transfer the data from the web site to its cache and then pass that data back to the requesting user.</p>
<p>In many instances Squid will even pass the data from its local cache back to the users, saving both time and precious bandwidth. The algorithm selected when configuring Squid determines how Squid decides whether to serve the local cache to a user or to fetch new data.</p>
<p><strong>Mayday, Mayday!</strong></p>
<p>When I set out to install Squid so that it could perform Active Directory authentication I was unable to locate any single resource that could explain, in detail, the steps required in order to make this happen. What I did find, however, was a variety of instructions related to various aspects of the entire process. The sum of all the information that I discovered is contained in this document, which will hopefully serve as a means of helping someone else achieve the same goal I was aiming for.</p>
<p>The following are the instructions for installing Squid Proxy Server so that it performs Active Directory authentication off of a Windows 2003 domain controller. Squid is configured so that the browsers must explicitly point to it, which means that it is not being set up to function as a transparent proxy. This entire design was performed on a Dell 1650 running Gentoo Linux 2006.0.</p>
<p>Although the act of downloading, compiling and installing applications on a Gentoo box is slightly different than that of an RPM based distribution (like Red Hat), the same basic configuration directions are applicable. The key difference is Gentoo&#8217;s USE flag convention, whereas the other distributions force the use of compile-time options when running configure (for example, <code>--with-winbind</code>).</p>
<p>The following software is necessary in order to make all of this work as planned.</p>
<ul>
<li><a href="http://www.squid-cache.org/">Squid Proxy Server</a></li>
<li><a href="http://samba.org/">SAMBA</a></li>
<li><a href="http://www.openldap.org/">OpenLDAP</a></li>
<li><a href="http://web.mit.edu/kerberos/">MIT Kerberos</a></li>
</ul>
<p>Installation of this software on Gentoo is rather easy; however, there is a USE flag caveat. To ensure that the software is compiled with the options needed to make this all work properly, specific Gentoo USE flags need to be set. This can be done on the command-line while emerging the software or by modifying the make.conf file. Whichever method is selected, the following USE flags need to be set: </p>
<p><code>USE="kerberos ldap pam"</code></p>
<p>Using the command-line, emerge the software as follows:</p>
<p><code>USE="kerberos ldap pam" emerge squid samba openldap mit-krb5</code></p>
<p>If make.conf was updated to reflect the necessary USE flags then do the following:</p>
<p><code>emerge squid samba openldap mit-krb5</code></p>
<p>Once emerge is done working the lovely magic it performs it will be time to modify the various configuration files.</p>
<p><strong>Squid</strong></p>
<p>This is only the applicable portion of the squid.conf file required for active directory authentication. Configuring Squid for AD authentication is relatively simple so do not be surprised by the small number of configuration options.</p>
<p><code># vi /etc/squid/squid.conf<br />
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp<br />
auth_param ntlm children 30<br />
auth_param ntlm max_challenge_reuses 0<br />
auth_param ntlm max_challenge_lifetime 2 minutes<br />
auth_param ntlm use_ntlm_negotiate on<br />
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br />
auth_param basic children 5<br />
auth_param basic realm Squid Proxy Server<br />
auth_param basic credentialsttl 2 hours<br />
# The following lines go in the appropriate places in squid.conf<br />
acl authenticated_users proxy_auth REQUIRED<br />
...<br />
http_access allow authenticated_users</code></p>
<p><strong>SAMBA</strong></p>
<p><code># vi /etc/samba/smb.conf<br />
[global]<br />
netbios name = proxyserver<br />
realm = DOMAIN.COM<br />
workgroup = DOMAIN<br />
security = ADS<br />
password server = dc01.domain.com dc02.domain.com dc03.domain.com<br />
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384<br />
idmap uid = 10000-20000<br />
winbind enum users = yes<br />
winbind uid = 10000-20000<br />
winbind gid = 10000-20000<br />
winbind separator = +<br />
winbind use default domain = yes<br />
encrypt passwords = yes<br />
log level = 3 passdb:5 auth:10 winbind:5<br />
</code></p>
<p><strong>Kerberos</strong></p>
<p><code># vi /etc/krb5.conf<br />
[libdefaults]<br />
    ticket_lifetime = 600<br />
    default_realm = DOMAIN.COM<br />
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc<br />
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc<br />
    dns_lookup_realm = false<br />
    dns_lookup_kdc = false<br />
[realms]<br />
    DOMAIN.COM = {<br />
        kdc = dc01.domain.com:88<br />
        kdc = dc02.domain.com:88<br />
        kdc = dc03.domain.com:88<br />
        admin_server = dc01.domain.com:749<br />
        default_domain = DOMAIN.COM<br />
    }<br />
[domain_realm]<br />
    .domain.com = DOMAIN.COM<br />
    domain.com = DOMAIN.COM<br />
[kdc]<br />
    profile = /etc/krb5kdc/kdc.conf<br />
[logging]<br />
    kdc = FILE:/var/log/krb5kdc.log<br />
    admin_server = FILE:/var/log/kadmin.log<br />
    default = FILE:/var/log/krb5lib.log<br />
</code></p>
<p><strong>PAM</strong></p>
<p><code># vi /etc/pam.d/samba<br />
auth		required	pam_nologin.so<br />
auth		required	pam_stack.so service=system-auth-winbind<br />
account	required	pam_stack.so service=system-auth-winbind<br />
session	required	pam_stack.so service=system-auth-winbind<br />
password	required	pam_stack.so service=system-auth-winbind<br />
# vi /etc/pam.d/squid<br />
auth		required	/lib/security/pam_stack.so service=system-auth-winbind<br />
account	required	/lib/security/pam_stack.so service=system-auth-winbind<br />
# vi /etc/pam.d/system-auth<br />
auth		required	pam_env.so<br />
auth		sufficient	pam_unix.so likeauth nullok<br />
auth		required	pam_deny.so<br />
account	required	pam_unix.so<br />
password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br />
password	sufficient	pam_unix.so nullok md5 shadow use_authtok<br />
password	required	pam_deny.so<br />
session	required	pam_limits.so<br />
session	required	pam_unix.so</code></p>
<p>Once all the aforementioned software has been configured as depicted the proxy server needs to be added to the Windows 2003 domain. This is necessary so that the proxy server can perform authentication in conjunction with a Windows 2003 active directory domain controller.</p>
<p>To join the Linux machine to a Windows 2003 domain perform the following:</p>
<p><code>sudo net ads join Servers/Linux -U AdminAcct -S dc01.domain.com</code></p>
<p>If everything went as planned then a message saying so will be echoed on the screen. After a few moments, once the domain controllers replicate, the proxy server should show up in the OU that was specified when joining the domain. In the example above, the Linux server proxyserver.domain.com would show up in the Linux OU, under the Servers OU in the Windows 2003 domain named domain.com.</p>
<p>In the event that an error occurred while joining the domain check syslog for possible errors.</p>
<p>At this point, start SAMBA and winbindd by performing the following:</p>
<p><code>/etc/init.d/samba start<br />
/usr/sbin/winbindd</code></p>
<p>Both of these are necessary in order for Squid to be able to properly perform active directory based authentication. Ensure that winbindd is functioning properly by issuing the following command. If all goes as planned then the following will be the response:</p>
<p><code>proxyserver ~ # wbinfo -t<br />
checking the trust secret via RPC calls succeeded</code></p>
<p>Ensure that Squid is able to properly perform active directory authentication by testing the helper application:</p>
<p><code>/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic<br />
DOMAIN+username password<br />
utils/ntlm_auth.c:check_plaintext_auth(292)<br />
 NT_STATUS_OK: Success (0x0)</code></p>
<p>Assuming that everything has gone as listed above, start up Squid by issuing the following:</p>
<p><code>/etc/init.d/squid start</code></p>
<p>Configure a web browser, such as Firefox or Internet Explorer, to point directly to the proxy server and ensure that browsing is possible without ever being offered an authentication dialogue box. This is testing to ensure that NTLM authentication with the Windows 2003 active directory domain controller is working properly. Confirm that traffic is being properly authorized by tailing the Squid access log file.</p>
<p><code># tail -f /var/log/squid/access.log<br />
1147739650.906  9969 192.168.1.203 TCP_MISS/200 4244 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.19 -<br />
1147739672.965  1085 192.168.1.203 TCP_REFRESH_MISS/200 2321 GET http://www.cnn.com/.element/ssi/auto/1.4/pipeline_mp/live.mhtml? DOMAIN+username DIRECT/64.236.29.120 text/html<br />
1147739673.871  907 192.168.1.203 TCP_MISS/200 3027 GET http://i.cnn.net/cnn/.element/img/1.3/pipeline/keyframes/88x49/stream1.jpg? DOMAIN+username DIRECT/64.236.24.136 image/jpeg<br />
1147739683.229   0 192.168.1.203 TCP_DENIED/407 1745 CONNECT mail.google.com:443 - NONE/- text/html<br />
1147739683.243   0 192.168.1.203 TCP_DENIED/407 1874 CONNECT mail.google.com:443 - NONE/- text/html<br />
1147739693.881 10636 192.168.1.203 TCP_MISS/200 4340 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.83 -</code></p>
<p>When using NTLM authentication it is normal to see two simultaneous TCP_DENIED/407 errors. This is due to the nature of the challenge/response mechanism of NTLM authentication.</p>
<p>In the event that no usernames appear in the Squid access log, or password dialogue boxes appear, then check the squid.conf file to ensure that the ACLs are set up properly. Also ensure that winbindd is functioning, as depicted above. If changes are made to the squid.conf file then Squid needs to be restarted in order for those modifications to take effect.</p>
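<p>The access log checks described above can be scripted. The following Python is an added example, not part of the original HOWTO: it pairs each TCP_DENIED/407 challenge with the authenticated request that follows it, reports clients whose challenges are never answered, and lists requests that were served with no username. The last four sample log lines, the 5-second window and the function names are assumptions made for this example.</p>

```python
"""Added example: triage a Squid native-format access.log for NTLM outcomes."""
from collections import Counter, defaultdict, namedtuple

Entry = namedtuple("Entry", "start end client result status method url user")

# The first six lines are the access.log excerpt shown in the article. The
# last four are constructed for this example: one client that never completes
# the handshake and one request that was served without any username.
SAMPLE_LOG = """\
1147739650.906  9969 192.168.1.203 TCP_MISS/200 4244 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.19 -
1147739672.965  1085 192.168.1.203 TCP_REFRESH_MISS/200 2321 GET http://www.cnn.com/.element/ssi/auto/1.4/pipeline_mp/live.mhtml? DOMAIN+username DIRECT/64.236.29.120 text/html
1147739673.871  907 192.168.1.203 TCP_MISS/200 3027 GET http://i.cnn.net/cnn/.element/img/1.3/pipeline/keyframes/88x49/stream1.jpg? DOMAIN+username DIRECT/64.236.24.136 image/jpeg
1147739683.229   0 192.168.1.203 TCP_DENIED/407 1745 CONNECT mail.google.com:443 - NONE/- text/html
1147739683.243   0 192.168.1.203 TCP_DENIED/407 1874 CONNECT mail.google.com:443 - NONE/- text/html
1147739693.881 10636 192.168.1.203 TCP_MISS/200 4340 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.83 -
1147739700.100   0 192.168.1.77 TCP_DENIED/407 1745 GET http://intranet.example/ - NONE/- text/html
1147739700.150   0 192.168.1.77 TCP_DENIED/407 1874 GET http://intranet.example/ - NONE/- text/html
1147739700.900   0 192.168.1.77 TCP_DENIED/407 1874 GET http://intranet.example/ - NONE/- text/html
1147739710.500  120 192.168.1.50 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Parse one native-format line; return None for lines that do not fit."""
    f = line.split()
    if not len(f) >= 10:
        return None
    try:
        end, elapsed_ms = float(f[0]), int(f[1])
        result, _, status = f[3].partition("/")
        status = int(status)
    except ValueError:
        return None
    user = None if f[7] == "-" else f[7]
    # Squid writes the line when the transaction finishes, so the request
    # started elapsed_ms before the logged timestamp.
    start = end - elapsed_ms / 1000.0
    return Entry(start, end, f[2], result, status, f[5], f[6], user)


def analyze(log_text, window=5.0, slack=0.01):
    """Classify entries as handshakes, failed challenges or anonymous access.

    window: seconds allowed between the last 407 and the start of the
            authenticated request (assumed value for this example).
    slack:  tolerance for millisecond rounding in the log.
    """
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e.start)   # order by when requests began
    pending = defaultdict(list)           # (client, method, url) -> open 407s
    report = {"handshakes": 0, "authenticated": 0,
              "failed": Counter(), "unauthenticated": []}
    for e in entries:
        key = (e.client, e.method, e.url)
        if e.status == 407:
            pending[key].append(e)
        elif e.user is None:
            # Served without proxy_auth: the ACL order in squid.conf lets
            # traffic through before authenticated_users is evaluated.
            report["unauthenticated"].append(e)
        else:
            report["authenticated"] += 1
            challenges = pending.pop(key, [])
            if challenges:
                gap = e.start - challenges[-1].end
                if window >= gap >= -slack:
                    report["handshakes"] += 1
                else:
                    report["failed"][e.client] += len(challenges)
    # Challenges never followed by an authenticated request: bad password,
    # winbindd down, or a client that cannot speak NTLM.
    for (client, _method, _url), challenges in pending.items():
        report["failed"][client] += len(challenges)
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("completed NTLM handshakes:", r["handshakes"])
    print("unanswered 407s per client:", dict(r["failed"]))
    print("served without a username:", [e.client for e in r["unauthenticated"]])
```

<p>Run against the real log by passing the contents of /var/log/squid/access.log to <code>analyze()</code>; a client with a growing count of unanswered 407s is the one to check with <code>wbinfo -t</code> and the ntlm_auth helper test.</p>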
<p>If everything is working as planned then ensure that Squid and SAMBA start automatically upon reboot by issuing the following:</p>
<p><code>rc-update add squid default<br />
rc-update add samba default</code></p>
<p>Modify the following file so that winbindd is started after a reboot:</p>
<p><code># vi /etc/conf.d/local.start<br />
# Start the winbind daemon so we can do AD lookups in Squid<br />
/usr/sbin/winbindd</code></p>
<p>Squid is now properly configured to perform Windows 2003 active directory authentication. Enjoy the added security benefit that a proxy server solution offers, especially since it can perform authentication. </p>
<p>The following resources were used in both the configuring of Squid with active directory authentication, as well as putting this document together:</p>
<ol>
<li><a href="http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind">http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind</a></li>
<li><a href="http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html">http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html</a></li>
<li><a href="http://acd.ucar.edu/~fredrick/linux/samba3/">http://acd.ucar.edu/~fredrick/linux/samba3/</a></li>
<li><a href="http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain">http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Linux Mint 7 Gloria RC Unleashed</title>
		<link>http://techmiso.com/1892/linux-mint-7-gloria-rc-unleashed/</link>
		<comments>http://techmiso.com/1892/linux-mint-7-gloria-rc-unleashed/#comments</comments>
		<pubDate>Sat, 09 May 2009 02:02:39 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[beta]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[linux-mint]]></category>
		<category><![CDATA[ubuntu]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=1892</guid>
		<description><![CDATA[I have always been quite fond of Linux distros capable of marrying the solid underlying Linux architecture with a usable graphical user interface. This used to be a tough job until Ubuntu burst on the scene to help propel desktop Linux in to areas it has never been. To further that thought, Linux Mint, a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/1892/linux-mint-7-gloria-rc-unleashed/"><img src="http://techmiso.com/wp-content/uploads/2009/05/linux-mint1-300x187.png" alt="Linux Mint 7 Gloria" title="Linux Mint 7 Gloria" width="300" height="187" class="alignright size-thumbnail wp-image-1895" /></a>I have always been quite fond of Linux distros capable of marrying the solid underlying Linux architecture with a usable graphical user interface. This used to be a tough job until Ubuntu burst on the scene to help propel desktop Linux into areas it had never been. To further that thought, Linux Mint, a quite sexy distro based on Ubuntu, just unleashed their <a href="http://www.linuxmint.com/blog/?p=796">first release candidate of Linux Mint 7 “Gloria”</a> based on <a href="http://releases.ubuntu.com/9.04/">Ubuntu 9.04 Jaunty Jackalope</a>.</p>
<p><span id="more-1892"></span></p>
<p><a href="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-login.jpg"><img src="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-login-300x225.jpg" alt="Linux Mint 7 - Login" title="Linux Mint 7 - Login" width="300" height="225" class="alignright size-thumbnail wp-image-1899" /></a>When it originally launched, <a href="http://www.linuxmint.com">Linux Mint</a> was designed to enhance the basic Ubuntu install with integrated media codecs on top of a polished graphical user interface. Through the course of its life, Linux Mint has added a host of unique features not seen elsewhere as a result of the tightly knit user and developer community. Today, Linux Mint sports one of the best out-of-the-box interfaces of any distribution and is definitely the most user-friendly. </p>
<p><a href="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-menu.jpg"><img src="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-menu-300x225.jpg" alt="Linux Mint 7 - Menu" title="Linux Mint 7 - Menu" width="300" height="225" class="alignright size-thumbnail wp-image-1900" /></a>So what is new in this wonderful distro?</p>
<ul>
<li><strong>Software</strong>. Based on Ubuntu 9.04 Jaunty Jackalope, Linux 2.6.28, Gnome 2.26 and Xorg 7.4, Linux Mint 7 &#8220;Gloria&#8221; features a lot of improvements and the latest software from the Open Source World.</li>
<li><strong>mintMenu</strong>. Filter the application list to quickly find what you&#8217;re looking for. If no results are found then mintMenu &#8220;Suggestions&#8221; displays a set of suggestions, hopefully pointing you in the right direction. This idea is similar to what is found on the Windows Vista start menu, so it should be fairly easy for most folks to get used to.</li>
<li><strong>mintInstall improvements</strong>. Modifications to both mintInstall and mintUpdate have been made, improving both applications and fortifying stability when installing or upgrading software. The process is a breeze and can be accomplished by novice and expert Linux users alike. More importantly, screenshots of software are now available for your viewing pleasure before you perform the install so you can be assured you are about to install something desirable.</li>
<li><strong>Artwork</strong>. The default icon set was replaced, updates to the Murrina engine were installed and a new alternative theme has been added to the new distro. The new default theme is simply orgasmic!</li>
</ul>
<p><a href="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-update.jpg"><img src="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-update-300x225.jpg" alt="Linux Mint 7 - Updates" title="Linux Mint 7 - Updates" width="300" height="225" class="alignright size-thumbnail wp-image-1901" /></a>There are a host of other improvements as well. If you are interested in the nitty gritty then I implore you to stop by and read the full <a href="http://www.linuxmint.com/rel_gloria_whatsnew.php">what&#8217;s new in Linux Mint 7 Gloria</a>.</p>
<p>If you like playing with Linux then you should definitely check out Linux Mint. It plays quite well with VMware &#8211; I installed it without an issue and am thoroughly enjoying the updated distro.</p>
<p><a href="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-notes.jpg"><img src="http://techmiso.com/wp-content/uploads/2009/05/linux-mint-7-notes-300x225.jpg" alt="Linux Mint 7 - Notes" title="Linux Mint 7 - Notes" width="300" height="225" class="alignright size-thumbnail wp-image-1902" /></a>If you want to try Linux Mint without going the VMware route but are a Windows user, check out mint4win &#8211; it allows you to install Linux Mint from within Windows, negating the need to repartition your hard drive.</p>
<p>Give Linux Mint a try because it’s an exceptional alternative to Ubuntu or any distro you might consider your favorite desktop Linux environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/1892/linux-mint-7-gloria-rc-unleashed/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
		<item>
		<title>HOWTO Configure Apache for SSL with DoD CAC Authentication on Ubuntu 9.04</title>
		<link>http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/</link>
		<comments>http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/#comments</comments>
		<pubDate>Mon, 04 May 2009 12:15:32 +0000</pubDate>
		<dc:creator>Scott Jarkoff</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Features]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[dod]]></category>
		<category><![CDATA[howto]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[ubuntu]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://techmiso.com/?p=1856</guid>
		<description><![CDATA[Administering Linux servers is an art form not mastered by many because it is mostly command-line driven. Windows on the other hand, while a highly complex beast, has taught most administrators that configuring can be accomplished through a simple point-and-click interface. One of the more difficult Linux tasks is properly configuring an Apache web server [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/"><img src="http://techmiso.com/wp-content/uploads/2009/05/ubuntu-logo-290x300.png" alt="Ubuntu Logo" title="Ubuntu Logo" width="290" height="300" class="alignright size-thumbnail wp-image-1866" /></a>Administering Linux servers is an art form not mastered by many because it is mostly <a href="http://en.wikipedia.org/wiki/Command_line_interface">command-line</a> driven. Windows on the other hand, while a <em>highly</em> complex beast, has taught most administrators that configuring can be accomplished through a <a href="http://en.wikipedia.org/wiki/Graphical_user_interface">simple point-and-click interface</a>.</p>
<p>One of the more difficult Linux tasks is properly configuring an <a href="http://www.apache.org/">Apache web server</a> &#8211; the sheer power Apache can wield is evident in the exponential number of configuration options available. Setting up Apache on Linux for <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">SSL-based</a> <a href="http://en.wikipedia.org/wiki/Common_Access_Card">DoD Common Access Card (CAC)</a> authentication is pure freaking magic. Learn how to configure an <a href="http://releases.ubuntu.com/9.04/">Ubuntu Linux 9.04 (Jaunty Jackalope) server</a> to perform this much-needed functionality!</p>
<p><span id="more-1856"></span></p>
<p>The Department of Defense has been slowly migrating away from software-based certificates in favor of two-factor authentication using the DoD CAC. As a general rule, DoD favors Microsoft over open source software (OSS) because of the support channels. It is for this reason most DoD web servers use <a href="http://www.iis.net/">Microsoft IIS</a> &#8211; configuring CAC authentication on an <a href="http://en.wikipedia.org/wiki/Internet_Information_Services">IIS web server</a> is relatively simple.</p>
<p>The following guide makes a number of assumptions. Namely:</p>
<ul>
<li>You are fairly skilled at Linux administration (i.e. this is <em>not</em> your first Linux install, much less Apache install).</li>
<li>Ubuntu Server 9.04 has been installed and patched with all outstanding security patches.</li>
<li>Apache and OpenSSL have already been installed.</li>
</ul>
<p>This guide is not designed to explain how to get Apache and SSL installed on an Ubuntu 9.04 (Jaunty Jackalope) server. What it covers is enabling CAC authentication on an already running Apache server on top of Ubuntu 9.04. </p>
<p>These steps cover Ubuntu 9.04 (Jaunty Jackalope) and should work without issue on a fresh installation of Ubuntu, Apache and <a href="http://www.openssl.org/">OpenSSL</a> without customization. If you have modified the defaults then you are obviously skilled enough to make the necessary determinations about how to make this work in your environment.</p>
<p>Incidentally, while this HOWTO was written with Ubuntu 9.04 (Jaunty Jackalope) in mind, most of the steps should work on any Ubuntu release or any other Linux distro. Just ensure you account for the nuances of your distro when modifying the files specified below.</p>
<p><strong>HOWTO &#8211; Configuring Apache for SSL with DoD CAC Authentication on Ubuntu 9.04<br />
</strong></p>
<ol>
<li>Log in to the server via SSH or console.</li>
<li>Open up a web browser and surf to <a href="http://dodpki.c3pki.chamb.disa.mil/rootca.html">http://dodpki.c3pki.chamb.disa.mil/rootca.html</a> to see the links to the three DoD Class 3 PKI root CA certificates.<br />
<code># wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.cac<br />
# wget http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac<br />
# wget http://dodpki.c3pki.chamb.disa.mil/dodeca.cac<br />
</code></li>
<li>The files downloaded directly from DISA are not in a format comprehensible by Apache and thus need to be converted to the Privacy Enhanced Mail (PEM) format. PEM is a Base64 encoded DER certificate in text format and is sometimes represented as a CRT file. Run the following commands to convert the downloaded PKCS #7 (P7B) files to the PEM format.<br />
<code># openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_1024.cac -out rel3_dodroot_1024.pem -print_certs<br />
# openssl pkcs7 -inform DER -outform PEM -in rel3_dodroot_2048.cac -out rel3_dodroot_2048.pem -print_certs<br />
# openssl pkcs7 -inform DER -outform PEM -in dodeca.cac -out dodeca.pem -print_certs<br />
</code></li>
<li>To force CAC authentication Apache requires a single file containing all CA certificates. Perform the following commands to merge the root files into a single file.<br />
<code># cp rel3_dodroot_1024.pem dod-root-certs.pem<br />
# cat rel3_dodroot_2048.pem >> dod-root-certs.pem<br />
# cat dodeca.pem >> dod-root-certs.pem<br />
</code></li>
<li>Install the certificates in the SSL subsystem.<br />
<code># cp rel3_dodroot_1024.pem /etc/ssl/certs/<br />
# cp rel3_dodroot_2048.pem /etc/ssl/certs/<br />
# cp dodeca.pem /etc/ssl/certs/<br />
# cp dod-root-certs.pem /etc/ssl/certs/<br />
</code></li>
<li>If you have not already created a private key to be used by the server then perform the following to do so.<br />
<code># openssl genrsa -out your-server-name.pem 1024<br />
# cp your-server-name.pem /etc/ssl/certs/<br />
</code></li>
<li>Create a Certificate Signing Request (CSR) based on your private key in order to request an official server certificate signed by the DoD root CA.<br />
<code># openssl req -new -key your-server-name.pem -out your-server-name.csr</code><br />
Answer the prompts as follows:
<ul>
<li><strong>Organization Name</strong>: DISA ou=PKI ou=DoD</li>
<li><strong>Organizational Unit</strong>: U.S. Government</li>
<li><strong>Common Name</strong>: fully qualified domain name (i.e. server.domain.mil)</li>
<li><strong>Country</strong>: Blank (may have to use two spaces)</li>
<li><strong>State</strong>: Same as Country.</li>
<li><strong>Locality</strong>: Same as Country.</li>
</ul>
Then request and install the signed certificate:
<ul>
<li>Surf to <a href="https://ca-17.c3pki.chamb.disa.mil/ca/">https://ca-17.c3pki.chamb.disa.mil/ca/</a> to formally request an official certificate signed by the DoD root CA. Follow the proper links to request the server cert using the .csr file from the previous step &#8211; it will be necessary to paste the contents of the previously saved file into the respective form field during this step.</li>
<li><strong>Note</strong>: Based on your agency or affiliation with DoD you may be required to perform additional steps outside of visiting the DISA certificate request process. Check with your Local Registration Authority (LRA) for further details.</li>
<li>Once the server certificate is issued, copy the entire contents of the certificate and paste them into a new file (i.e. your-server-name.crt) on the server.</li>
</ul>
<code># cp your-server-name.crt /etc/ssl/certs/</code>
</li>
<li>Configure Apache for SSL using the DoD certificate chain and to authenticate a DoD CAC using the following configuration options.<br />
<code># sudo vi /etc/apache2/sites-available/default-ssl</code><br />
Ensure the following configuration options are set.<br />
<code>SSLVerifyClient require<br />
SSLVerifyDepth 2<br />
SSLCertificateFile /etc/ssl/certs/your-server-name.crt<br />
SSLCertificateKeyFile /etc/ssl/certs/your-server-name.pem<br />
SSLCACertificateFile /etc/ssl/certs/dod-root-certs.pem<br />
</code></li>
<li>Restart Apache and test configuration to ensure CAC authentication is taking place.<br />
<code># sudo /etc/init.d/apache2 restart</code>
</li>
<li>Surf to <a href="https://your-server-name.domain.mil/">https://your-server-name.domain.mil/</a> to ensure you can establish an SSL connection with your server and that you are prompted for your CAC personal identification number.</li>
<li>Automatically redirect all regular port 80 requests to the SSL-enabled Apache vhost.<br />
<code># mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default-original<br />
# sudo vi /etc/apache2/sites-available/default<br />
</code><br />
Paste the following into the file:<br />
<code>&lt;VirtualHost *:80&gt;<br />
        RewriteEngine On<br />
        RewriteCond %{HTTPS} !=on<br />
        RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]<br />
&lt;/VirtualHost&gt;<br />
</code>
</li>
<li>Restart Apache and you should be good to go!</li>
</ol>
<p>At this juncture you should have a completely working Apache and SSL enabled Linux web server designed to force-authenticate a user via their CAC. There is no fallback mechanism for authentication &#8211; no user will be asked to provide a username and password. If the CAC authentication fails then the user is not allowed to view the site. It is as simple as that.</p>
<p>Hopefully this HOWTO helps someone out there in DoD IT-land. There is not a lot of information on the web about securing Apache for CAC authentication. Piecemealing this HOWTO together was quite troublesome but fun nonetheless!</p>
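<p>As an added check that is not part of the original HOWTO, the shell functions below verify three outcomes of the steps above: that the merged CA bundle contains every converted certificate, that the server's private key is not readable by group or others, and that the issued certificate matches that key. The function names are hypothetical; the file names are the ones used in the HOWTO.</p>

```shell
#!/bin/sh
# Added example: post-install checks for the files the HOWTO creates.
# Function names are hypothetical; file names are the HOWTO's.

# Print the number of certificates in a PEM file. The subject=/issuer= text
# that "openssl pkcs7 -print_certs" writes between certificates is ignored.
count_pem_certs() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# bundle_complete BUNDLE PART...
# Succeeds when BUNDLE holds exactly as many certificates as all PARTs
# together, i.e. no conversion produced an empty file and no cat step was
# skipped or run twice.
bundle_complete() {
    bundle=$1; shift
    expected=0
    for part in "$@"; do
        n=$(count_pem_certs "$part") || return 2
        [ "$n" -gt 0 ] || { echo "$part: no certificates" >&2; return 1; }
        expected=$((expected + n))
    done
    actual=$(count_pem_certs "$bundle") || return 2
    [ "$actual" -eq "$expected" ] || {
        echo "$bundle: $actual certificates, expected $expected" >&2
        return 1
    }
}

# Succeeds when the private key file grants nothing to group or others.
# A key copied with the usual 022 umask (mode 644) fails this check.
key_is_private() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 2; }
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$1: group/other bits $mode" >&2; return 1; }
}

# cert_matches_key CERT KEY
# Succeeds when the issued certificate carries the public modulus of the
# server's RSA key (requires the openssl command line tool).
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Example invocation from /etc/ssl/certs after completing the HOWTO:
#   bundle_complete dod-root-certs.pem rel3_dodroot_1024.pem \
#       rel3_dodroot_2048.pem dodeca.pem
#   key_is_private your-server-name.pem
#   cert_matches_key your-server-name.crt your-server-name.pem
```

<p>Each function returns 0 on success and prints the reason to standard error on failure, so the three calls can be chained with <code>&amp;&amp;</code> before restarting Apache.</p>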
]]></content:encoded>
			<wfw:commentRss>http://techmiso.com/1856/howto-configure-apache-for-ssl-with-dod-cac-authentication-on-ubuntu-904/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
	</channel>
</rss>

