Locking down Apache Web Server

Written by  on July 23, 2009

I was just looking through a security audit of some sites, and half of the complaints include “the ability for people to know your underlying technology”. For those who are using Apache 1.3 or above (and using a distro that has configuration files in /etc/httpd/conf.d), you will find this solution helpful. Simply create a file called /etc/httpd/conf.d/0-security.conf with the below content:

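# Omit the version footer from server-generated pages (error pages, listings)
ServerSignature Off
# Send only "Server: Apache" in response headers
ServerTokens Prod
# Refuse TRACE requests
TraceEnable Off
<Directory />
    # Deny every method except GET, POST and HEAD
    # (Apache 2.4 and later: use "Require all denied" in place of the Order/Deny pair)
    <LimitExcept POST GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>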

Save it, restart httpd and you are “more” protected… a few notes:

  1. This assumes that your application will only use GET, POST or HEAD. If your application is fancy (or you don’t know your app), then you might want to get rid of the LimitExcept directive.
  2. If your application (or application container such as PHP, Python or Java) generates additional HTTP headers that identify its technology, then you might want to use mod_headers to remove them.
  3. Anyone with an ounce of network knowledge would know that you can figure out the underlying technology by probing at the TCP layers (nmap with the OS fingerprinting option is very handy). So don’t let auditors fool you – you can’t hide unless you have a security device in front of your servers that removes traces of OS “uniqueness” in layer 3.
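
A way to check that the settings above took effect, as an added example that is not part of the original post: it parses a raw HTTP response and reports what still identifies the stack. The header list, function names and the before/after sample responses are assumptions constructed for illustration.

```python
import re

# Response headers that commonly name the application stack (assumed list).
STACK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-generator", "x-runtime")
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # mirrors <LimitExcept POST GET HEAD>


def parse_response(raw):
    """Split a raw HTTP response into (status, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit(method, raw):
    """Return findings for one request method and the raw response it produced."""
    status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    # ServerTokens Prod leaves the bare product name; "/" or "(" means version/OS detail.
    if re.search(r"[/(]", server):
        findings.append(f"Server header discloses detail: {server}")
    # Headers set by the application container; mod_headers can drop them,
    # e.g. "Header unset X-Powered-By".
    for name in STACK_HEADERS:
        if name in headers:
            findings.append(f"{name} discloses stack: {headers[name]}")
    # ServerSignature Off drops the <address> footer from server-generated pages.
    if re.search(r"<address>.*?</address>", body, re.I | re.S):
        findings.append("page body carries a server signature footer")
    # With TraceEnable Off and the LimitExcept block, other methods get 403 or 405.
    if method not in ALLOWED_METHODS and 200 <= status < 300:
        findings.append(f"{method} accepted with status {status}")
    return findings


# Constructed sample responses (not captured from a real server).
BEFORE_GET = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (CentOS)\r\n"
              "X-Powered-By: PHP/5.1.6\r\nContent-Type: text/html\r\n\r\n"
              "<h1>Not Found</h1><hr>\n<address>Apache/2.2.3 (CentOS) Server at "
              "www.example.com Port 80</address>")
AFTER_GET = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n"
             "Content-Type: text/html\r\n\r\n<h1>Not Found</h1>")
BEFORE_TRACE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
                "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\n")
AFTER_TRACE = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow: GET,HEAD,POST\r\n\r\n"

if __name__ == "__main__":
    for label, method, raw in [("before", "GET", BEFORE_GET), ("after", "GET", AFTER_GET),
                               ("before", "TRACE", BEFORE_TRACE), ("after", "TRACE", AFTER_TRACE)]:
        print(label, method, audit(method, raw) or "clean")
```

To run it against your own server, save the output of a request such as curl -i and pass the text to audit() together with the method used.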

Nokia N97 – you are finally here…

Written by  on July 5, 2009

One of the great joys of being a gadget guy is to shamelessly spend money on shiny new gadgets… so on a whim (and impulse), I searched high and low to find my beloved Nokia N97 and sourced it from a store in Mississauga. Here are my first impressions:

  • The box: simple, elegant, relatively compact, and “mostly” environmentally friendly (bonus points here – the box is black and without the plastic shine, and still looks sleek… remember, the person just paid over $700 for an expensive electronic toy)
  • Phone: surprisingly light and solid. The keyboard slide movement is smooth and without any creaking noise – it feels like closing the car door of an expensive luxury automobile rather than a Chrysler K-Car! However, the battery door is purely plastic and prying it open to put in the battery is not a fun experience. If you use too much force, you’ll break every plastic tab from the cover, rendering your phone backless.
  • The power-on: it’s Series60 – what more can I say. You have to embrace the fact that you are booting up a computer rather than a phone. If you expect the phone to power up and be able to dial a number in 10 seconds – give up on owning a smartphone right now! (On a side note: if you think you have powered off your BlackBerry by clicking on the icon on your home screen – you are sorely mistaken. That power off is merely a suspend to save power – it doesn’t shut down the phone. You are better off pulling the battery out)
  • Guided setup and first impressions: Finally Nokia paid attention to the finer details of the whole-phone experience. I must say it rivals the G1 in terms of ease-of-use. I plugged in my SIM card into the phone, powered on, and within a minute I have a working phone. They even loaded all the useful software (such as Nokia Maps with all the maps, Facebook, Reuters, and a Guitar Hero imitation) into it so I don’t have to hunt it down on the Ovi Store – which I’ll get to my gripe in a second.
  • Overall: if you are a Nokia fanboy like myself, then this is the ultimate phone! It’s the most speedy Nokia phone yet, and it does everything an iPhone, Palm Pre, and G1 will do – and then some.

My gripes about the N97

  • Ovi – Who is running the Nokia marketing department? Good concept, terrible name, and badly executed. The Ovi Store is often down (or not accessible if you are not using your 3G connectivity), the prices are in Euro (I know, this is a European company with their user base in Europe), and the browsing app is not snappy at all. They should take a page from Apple iTunes App Store or BlackBerry App World and build a usable app. What got me more upset is that I have to download and install Ovi Store app initially – another 500KB of over the air download.
  • Web browser – great, you now show me a full-screen experience, but some very important features take too many screen taps to access. For example – to go to the previous web page, you have to click on the “show menu” icon at the bottom right, click the “back” button, and then click on “select” button. I just want to go back to the last page – is it so difficult to ask for? Also, you’ll notice that your browser will mysteriously quit (probably due to out of memory or browser crash) – it happens to the iPhone Safari browser too, but the frequency is a bit too high (about once every 40 pages or about 10-15 minutes of web browsing)
  • E-mail – when will Nokia give a native HTML viewer for e-mails? (It’s nice that you can click on the HTML attachment to see the message, but it’s not right)

I still love this phone – and it will take a lot for me to switch to the next good phone.  Though my HTC Dream is being shipped this week, as part of my renegotiation efforts with Rogers (and lowering my bill by $50/month). Anyone want a brand new HTC Dream?

Dealership repair shops… trust them if you like to donate money to the rich! (Re: solution to Passat/A6 2.8 cylinder misfire)

Written by  on January 10, 2009

This may sound like a rant, but there’s a silver lining to my tale:

A year ago I experienced a persistent cylinder misfire on my poor 1998 A6 2.8, and so I went to my trusted mechanic friend at a VW dealership and got the advice to buy new spark wires and ignition coils.  In I went, and all the stuff was put in, and the car ran just fine for 8 months.

October came, and the car decided to misfire again (the dreaded P300-series error code from the OBD2 readout), but my mechanic friend was nowhere to be found.  As my luck ran out (i.e. the dealership closed down), I resorted to the evil act of bringing my beast to the Audi dealership for an official diagnostic.  November came, and I dropped my car off at the Agincourt Autohaus dealership – they reset the error codes from the computer and declared the car worthy of driving.  This was in fact the biggest mistake I have ever made!

December came, and as I returned from the company Christmas party, the car finally smoked and gave out at the intersection of 16th Avenue and Woodbine Avenue on a cold Friday evening.  I desperately called everyone from my family to the Audi dealership to figure out what I needed to do.  First thing on my to-do list was to call a towing company to get this car OFF the busy intersection.  Audi is nice to include a hazard sign in the trunk so that the oncoming traffic can safely ignore the sign and honk at a car that is smoking…  6 towing companies later, and Cardinal Towing came to my rescue promptly and professionally.  At least my towing experience has been extremely pleasant.

Now, you must think by towing your car to an Audi dealership (this time, Uptown Audi) with a real problem, they would know what to do right?  Wrong!  Once again, they misdiagnosed the car and said I had a burnt spark plug wire, and that the fix for my problem with the misfiring cylinders was to replace the spark plug wires, plugs, and clean the injectors and throttle body.  $1300 later, I said to myself, they know what they are doing – I dropped the car when it was completely dead so they MUST be able to find the problem.  Sadly, within 12 hours of getting the car back (and with only 15 km added to the odometer), the misfire returned.  Brought the car back, and this time I got a quote for $4800 to replace two catalytic converters, 4 oxygen sensors and 6 exhaust nuts.

Any reasonable person would rationalize – why would you want to throw in so much money to a used and old car?  On the other hand, if I don’t repair the car, I can’t extract the other 50% of the value of the car (no one would buy the car in the current condition).  Out of desperation, we found our old mechanic friend who suggested another person who may be able to save us – but only in January, which brings us to our interesting conclusion to this post.

January 3rd came, and the car went into the shop for the catalytic converter replacement – we were told (and have seen) the old part would have burnt up the car if we didn’t repair it.  What we didn’t do was to tell the mechanic about the history of the car and why we are doing these repairs, and so another 200km later, the symptoms returned.  I called the mechanic to ask him to conduct a thorough diagnostic on the car, and it turns out the ignition coils were defective again.  What made me more mad was that if Agincourt Autohaus had properly diagnosed the car initially, we would have spent $550 on the repair ($327.30 for the ignition coils at VW/Audi dealer, 1 hour install and standard $95 diagnostic fee) rather than the $2800 catalytic converter replacement.

The moral of the story:

  1. Don’t trust Audi dealers, they are crooks.  In general, don’t trust the dealers unless you know the mechanic personally.
  2. Don’t allow dealers to tell you what you need to repair until you see the damage.  Our desperation in getting a working car cost us a lot of money.  Dealers are evil.  (Unfortunately, most repair shops are evil too, so you just better do a lot of research on the net)
  3. Trust your instinct – if the car reports a cylinder misfire – triple-check all of the ignition electronics (ignition coils, spark plug and wires) and replace the part if suspect.  Our lack of trust (and assumption that 1-year old part cannot be defective) caused a much bigger repair bill than needed. Audi A6 2.8 / VW Passat 2.8 ignition coils tend to get destroyed quickly for some reason.
  4. Genuine VW/Audi parts are actually better and more reliable.
  5. Lastly, don’t trust the dealers.  They are evil, very evil.  I know, I said it before.

Rogers making money from user typing mistakes (aka breaking DNS behaviour). Shame on you!

Written by  on July 28, 2008

If you are a Rogers customer, you might have noticed in the past day that when you typed in a wrong website URL (or any domain name), it claims the site exists and gives you Rogers-Yahoo sponsored advertising.  See an example here:


Brings you to:


Shame on you Rogers! Breaking RFC and annoying your customers all at the same time.

Afro-centric School in Toronto? A giant step back in equality.

Written by  on January 17, 2008

The idea of having an Afro-Centric high school being built in Toronto absolutely scares me. I know they have schools for the LGBT community because they are vulnerable, but an afro-centric school? Are we going to now run Chinese-centric schools because they learn better, or Indian-centric schools because of the need to accommodate their religion? We live in a multicultural society – not only are we learning how to tolerate each other for who/what they are, but learning to embrace and enrich each other’s life experiences for their cultural diversity. Running special assemblies, creating special credit courses, or having special groups to help cultures in trouble fitting into the school system is the correct way to deal with any issues students are running into. Running a culture-centric school is no better than what happened in the USA 40 years ago!

We can’t regress on all the work we have done so far to bring diversity to Canada! Diversity is something we learn by growing up with our friends.

AskMeNow? The deceptive service that charges

Written by  on June 28, 2007

As part of being in the mobile local industry, I get press releases for new and innovative services that have just launched.  With my new “unlimited” text messaging bundle, I decided to try the service from AskMeNow.com (short code 27563).  My welcome message from them was:

For AskMeNow Help goto askmenow.com or 888-EZ-ASKME. Txt STOP to end. The service is provided at no charge but carrier fees will apply.

Yes, 3 messages and $3.75 of premium messages later, I called Rogers to figure out what the heck is this.  I asked them to revert the message, but I really wish they can charge back text messages to the origin to ensure SMS application owners take responsibility to communicate charges to the user, or else face public humiliation.

TomTom – not quite ready for Vancouver

Written by  on January 18, 2007

As I was trying desperately to make it to dinner on time in Vancouver, I turned on my trusty TomTom GO 910 and plotted my way to Banana Leaf restaurant….

First mistake – not listening to my co-worker when he said it’s at 3005 W Broadway in Kitsilano.  That was 5:55pm.

Second mistake – allowing TomTom to use its point of interest list to send me to the 850 W Broadway. At this point, I have already parked my car, paid $4 worth of parking to find out I went to the WRONG restaurant. Timecheck: 6:30pm

Third mistake – allowing TomTom to guide me to 3005 W Broadway in Kitsilano!  In TomTom’s brilliance, it decided that 3005 W Broadway = 3005 Broadway = 3005 Broadway E.  That’s about 6000 house numbers away from the restaurant, and about 2 minutes from the Burnaby office (that I originated from).  Frustrated and mad, I check the clock, 6:55pm.  I reluctantly called my colleague at the restaurant, embarrassed, and said I will pick them up at the restaurant to the hotel instead of eating with them.

Finally… punching 3005 Broadway E. in Kitsilano took me to the restaurant I wanted.  Timecheck: 7:40pm.  Did I bother to pay for parking until 8pm?  Nope… nor did I care enough to do so.

Lesson of the day – trust your instinct and your friends while driving in Vancouver.  Unlike the commercial, I am not going to ask “TomTom, where’s W Broadway” again!

(TomTom will be getting a nasto-gram from me very very soon…  this isn’t the first bad direction I got)

There should be a fine against parents buying kids Grand Theft Auto: San Andreas

Written by  on January 10, 2007

During Christmas time, Jana and I decided to buy PlayStation 2 just so we can play Guitar Hero 2.  Of course I bought it for more than just that reason – I love the Final Fantasy series!  I decided to go to the not-so-local (and super busy) EB Games at Yorkdale last Sunday to pick up Final Fantasy X.  In my long line-up, there was a kid – probably 12 to 14 years old, with her mother, lining up to buy Grand Theft Auto: San Andreas.

For those who don’t know what GTA:SA is, this game is the only game rated Adults Only by the ESRB rating, and apparently retailers will get fined $5,000 for selling an adults only game to a minor.  So of course when the kid asks for the game and pays for it, the first salesperson warns the parents that this is for adults only and informs them of the possible game play (have sex with hookers to get money).  The mom wanted more clarification, so the second salesperson comes and first reads the back of the ESRB warning to the mom, then proceeds to tell her the more explicit details.  Remember – there are at least 10 people lining up to pay for items, plus another 20 people in this crammed store, listening to the events unfolding!  The mom caved to the kid’s wishes and bought the game anyway!

I am sorry – there should be a law against irresponsible parents buying violent, adult video games for kids.  As if we don’t have enough shootings out there, we now have to contend with kids wanting sex with hookers and stealing cars before the age of 16?!  While I am not here to pass judgement on the mom who decided to expose the kid to this kind of video game, if we fine the retailers for selling the game, smokes, or porn to kids under 18, the parents should be fined for explicitly allowing the kid to play the game, knowing full well the consequences of his/her actions.


Of LCDs, Plasmas and Projections

Written by  on December 18, 2006

Over the past few months, I have a few people asking me about what is better – LCD, Plasma or Projection TV of any sort.  Here’s my take:

  • I hate rear projection TVs – it’s prone to alignment problems (even today), viewing angles, and richness in colour.  Though I have to admit the new 3 LCD technology such as the JVC DLA and the Sony SRXD is making this problem go away.  I will get to DLP in a few secs.
  • Front projection – I remember calling them the 3-eye monster!  It’s not so bad if it doesn’t generate so much noise and have a light bulb replacement cost associated.
  • LCD TVs – it used to be expensive, now it’s cheap but depends on the brand and resolution.  I got lucky to have purchased an Acer AT3705-DTV TV which doubles as my giant monitor.  All LCD TVs in my opinion should have VGA, DVI-HDCP, HDMI, and of course the standard component and composite inputs.  DTV/CableCard is not in Canada yet, so complain to your local MP/CRTC rep to get Canada into the digital TV age.
  • Plasma – aren’t they so pretty?  They were great when they came out, since LCD screens were so expensive to manufacture.  Now?  The only difference is the richness of the colour and viewing angle – even then it’s not so significant.  You will be able to buy a bigger Plasma panel cheaper than LCD panel due to the different manufacturing methods – at least for the next year.

Here’s what I think of DLP – thanks Texas Instruments for creating the underlying technology, Digital Micromirror Device, but why the colour wheel?  I guess back then it was too expensive to put 3 DMD chips in a single projector and have it combined through a prism.  Did economy of scale get in the way of innovation?  DMD is a much better technology for light transmission (since it’s reflective and not translucent), and no visible refresh since each pixel is a micromirror – it’s your ultimate no-ghosting image system.  Having the colour wheel spinning at 180 times per second is just annoying, since I can see the vertical bars when I move my head side-to-side while looking at a DLP projected image.

Fido is losing money on me / Sierra Wireless AC860 on Vista!

Written by  on November 26, 2006

Along with my Windows Vista installation, I have managed to hack the Sierra Wireless AC860 card into my spanking new laptop.  I have spent this entire weekend (ok, not quite the weekend, but I need the literary flair) re-installing Vista, and after trial and error got the wireless card running on the machine.

There’s a secret with this wireless card – the 3G watcher isn’t 100% compatible with Vista.  The folks at Sierra Wireless posted a knowledge base article that walks you through how to install the 3G connection as a Dial-Up Connection (DUN). This is what I would have done if I had a 1900/850 HSDPA phone. After this step, launch the 3G Watcher, select the DUN connection and watch it fly!

Hence my post – Fido is losing money on me.  I just racked up 30MB of transfers in under 5 minutes.  Imagine – even at $0.01/kb at pay-per-use, my bill would have been $300!  Too bad for unlimited North American roaming – it’s just $50/month for the kind of abuse I’ll be putting this guy through.  Even if Fido capped the speed to 48KB/sec (as compared to Rogers’ 150KB), the latency is so much lower than EDGE.  We can definitely proclaim that Canada (Toronto) has a real metro-wide wireless Internet network!