Author: dennis

  • Email On Phones and Other Devices

    We often get questions similar to this one:

    I have been struggling to send and receive mail consistently since acquiring Apple/Mac products. Would you please see attached reference sheet and make sure I have filled everything in properly.

    In order to provide a clear answer, I want to ignore the form.  All you need to do is select protocols and then provide the necessary information for them.  The form lists all the protocols, then separately lists port numbers and settings.  This is incoherent.

    The entire process is going to be much easier if you understand what the protocols are and why you might select each of them.  The configuration follows on from there.

    Recommended settings (for the impatient)
    Server, both incoming and outgoing:  mail.YourDomain.com (use your domain name)
    Incoming protocol: IMAP Port number: 993 – SSL/TLS – accept all certificates
    Outgoing protocol: SMTP Port number: 587 – start TLS – accept all certificates
    Login: full email address – Required

    Our servers are 100% standards compliant and will immediately work with any device which uses standard values as defaults.  This means all you should need to do is select a protocol and then accept all the offered values.  Unfortunately, many times devices fail to offer a value or offer something bizarre.

    Email has 2 entirely separate parts. Interacting with a server which contains delivered email is one part.  The other part is sending email.  There is nothing in common between them other than the term and file object, “email”.  As you can see just above, I am suggesting IMAP for handling emails delivered to you and SMTP for sending.  First we will discuss delivered email (email waiting for you), then we will discuss sending email.

    Common Email Protocols

    A protocol is a set of rules which defines how computers communicate with each other.  It’s how each machine knows what to expect from the other.  It’s easier to follow descriptions like this when you have some idea what the acronyms stand for.

    IMAP – “Internet Message Access Protocol”
    IMAPS – “Internet Message Access Protocol” – Secured (encrypted)
    POP3 – “Post Office Protocol” version 3
    POP3S – “Post Office Protocol” version 3 – Secured
    SMTP – “Simple Mail Transport Protocol”
    SMTPS – “Simple Mail Transport Protocol” – Secured
    SSL – “Secure Sockets Layer”
    TLS – “Transport Layer Security”
    DNS – “Domain Name Server (or System)” – name to address translation
    DNS MX – An entry in the DNS system which provides email routing information.

    The Internet is all about connectivity, so there is a seemingly endless list of acronyms and protocols.  If you are interested in understanding more about how things work, read the page titled, “The Internet – Technical Basics” above.  Understanding goes a long way to making things easier.

    The potential exists for the setup process to be simpler than it is in practice.  There are clearly defined standards for a client machine to connect to a server, request a particular protocol and even switch over to an encrypted connection.  Our servers support this.  Often,  the programmers who wrote the device software were too ignorant to take advantage.  Even if the programmers got it right, the documentation and support people remain clueless.  We are stuck doing it the hard way.  Apple devices, known for excellent user interfaces, remain strangely ignorant.

    Picking up email

    To interact with a server which has your email, there are many options.  The 2 common choices are IMAP and POP3.  Both can be used encrypted or not encrypted.  That makes 4 sets of settings.  That may sound complicated, but it’s actually simple.

    Once your computer (the client machine) makes a connection to a server, it requests a particular port number.  The port number selection is what tells the server which protocol you want to use.  If you tell your client software to use IMAP with a POP3 port number, it’s not going to work.

    1) IMAP – not encrypted
    Protocol: IMAP
    Port number: 143

    2) IMAPS – encrypted “secure IMAP” – I suggest you use this.
    Protocols it uses: IMAP, IMAPS, SSL, TLS
    Port number: 993

    The IMAP protocol is more advanced and has many more options than the POP3 protocol.  In a default configuration, your device  (even a web browser)  will first see only the header values.  Headers in email parlance are the metadata, From, To, Subject, delivery and other information describing what an email contains.  The actual content is not displayed or downloaded until you explicitly ask for it, for example by clicking on it.  By default, email will stay on the server until you remove it.

    When you use IMAP, email can be organized into folders.  In a default configuration you generally get an Inbox folder, a Sent folder and a Trash folder.  You can add new folders and move email from folder to folder to keep it organized.

    Within each folder, but not visible to you are 2 sub folders, “new” and “cur” (for current).  Email is delivered to “new” and as soon as you first see the headers, it is moved to “cur”.   Some devices show you only what was in “new” in the Inbox.  Generally, you can change what they show you.  When you connect later and don’t see what you saw earlier, nothing has disappeared from the server.  Your email software is simply not showing it to you.

    To delete mail from the server when using IMAP, you need to purge or “empty the trash”.  We commonly see accounts go over quota because the owner never emptied the trash.   Permanently deleting email is a 2 step process: delete then purge.

    3) POP3 – Post Office Protocol – not encrypted
    Protocol: POP3
    Port number: 110

    4) POP3S – Post Office Protocol – encrypted
    Protocol: POP3S
    Port number: 995

    The POP3 protocol is much older and much simpler.  In the default configuration, all email is downloaded to you when you connect and then deleted from the server.  On a phone or other small device, you almost certainly want to use IMAP.  You don’t want to get stuck waiting for a big attachment to download over a slow link.  Using IMAP you can defer looking at those emails until you are using a larger and probably faster device.

    That’s receiving. Sending email can be done using IMAP, but that’s not widely used. Our servers support it, but I suggest you use SMTP.  It’s simpler.

    Sending Email

    Protocol: SMTP – I suggest you use SMTP for sending.
    Port number: 587 or 26

    The standard port number for SMTP is 25, but many service providers block port 25. They do this because it is easy to set up a mail server and start sending spam everywhere.  There is apparently an endless supply of people who believe they can make money this way.  As a work-around, our servers listen on additional ports.   Port 587 is the “mail message submission” port, which is the standard work-around.   Some poorly written and non standards compliant software (notably Microsoft Outlook) cannot be configured to use port 587.  This is why we listen on port 26 as well.

    Long ago, sending email using an encrypted connection required connecting on a separate port number.  There is outdated documentation floating around which describes how to do this using port 465.  If you encounter references to port 465 in email client documentation or elsewhere, you are reading about antique software. Don’t use it.

    For BOTH Receiving and Sending

    Your login name is your email address.  You MUST log in.  Inexplicably, some client software assumes that you do not need to log in.  If you have problems sending, this is the most common cause.  Find and check a box labeled something like, “My server requires authentication”.

    The server to connect to is mail.YourDomain.com in all cases. Replace “YourDomain.com” with your actual domain name.

    Incorrect Default Server Names

    It is very common for email client software (running on your device) to make bad assumptions about server names.  It may offer defaults like IMAP.yourDomain.com or SMTP.yourDomain.com.  Unless explicitly created (by you) via DNS zone file setup or editing, they do not exist and will not work.   Sometimes DNS MX values are looked up and offered.  A DNS MX record specifies where to route mail to get to your account, but is not necessarily where email is finally delivered to you.   Do not use MX values.  They will not work.

    Certificates

    Encryption certificates serve 2 purposes:  to verify the identity of what you connected to and to provide encryption keys.   The name on the certificate is that of the server, not mail.YourDomain.com.  This means you must override the warning (or check a box) to accept the certificate.  You could purchase a certificate and have us set it up for you, but there is no necessity to spend the extra money for this.

    Occasionally we move accounts from one server to another.  Your email client will continue to connect to the correct server as long as you use mail.YourDomain.com.  You can use the server name to avoid the certificate warning, but this would cause a problem the next time your account is moved to a new server.  By then the problem is likely to be a mystery and require detective work to solve it.
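
    As an added example (not part of the original post or the host’s own tooling), here is what the recommended settings look like in Python, with one check a cautious client can layer on top of “accept all certificates”: remember the certificate’s fingerprint on first use and refuse to send the password if it later changes. mail.example.com, the dict-based pin store and the function names are assumptions made for the illustration.

```python
import hashlib
import imaplib
import smtplib
import ssl

# Assumptions, not from the page: mail.example.com stands in for
# mail.YourDomain.com, and the pin store is a plain dict kept by the caller.
MAIL_HOST = "mail.example.com"
IMAPS_PORT = 993        # IMAP wrapped in SSL/TLS from the first byte
SUBMISSION_PORT = 587   # SMTP submission, upgraded in place with STARTTLS


def accept_all_context():
    """TLS context equivalent to a client's "accept all certificates" box:
    the traffic is encrypted, but nothing checks who is on the other end."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins, service, der_cert):
    """Trust on first use: remember the first certificate seen for a service
    and report whether a later one is the same.

    Returns "first-use", "match" or "changed". A changed certificate is never
    stored automatically; the caller decides (for example after confirming
    with the hosting company that the account was moved)."""
    seen = fingerprint(der_cert)
    known = pins.get(service)
    if known is None:
        pins[service] = seen
        return "first-use"
    return "match" if seen == known else "changed"


def _require_known_cert(pins, service, tls_socket):
    # binary_form=True returns the certificate even when verification is off.
    der = tls_socket.getpeercert(binary_form=True)
    if der is None or check_pin(pins, service, der) == "changed":
        raise ssl.SSLError(f"{service}: certificate differs from the pinned one")


def open_imap(user, password, pins):
    """Incoming mail: IMAP on 993, full email address as the login."""
    conn = imaplib.IMAP4_SSL(MAIL_HOST, IMAPS_PORT,
                             ssl_context=accept_all_context())
    try:
        _require_known_cert(pins, "imaps", conn.sock)
        conn.login(user, password)      # password sent only after the check
    except Exception:
        conn.shutdown()
        raise
    return conn


def open_smtp(user, password, pins):
    """Outgoing mail: SMTP on 587, STARTTLS, then authenticate."""
    conn = smtplib.SMTP(MAIL_HOST, SUBMISSION_PORT, timeout=30)
    try:
        conn.starttls(context=accept_all_context())  # raises if not offered
        _require_known_cert(pins, "submission", conn.sock)
        conn.login(user, password)
    except Exception:
        conn.close()
        raise
    return conn
```

    A “changed” result after an account move is expected; the pin is only replaced once the move has been confirmed.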

    Using an encrypted connection provides a slight security enhancement. I dislike this because people tend to think it is doing more for them than it is. It’s a false sense of security.  If you have a reason other than not providing your password over a clear connection, please read this:  https://blog.deerfieldhosting.net/encrypted-email-or-is-it/

    We use a separate mail server to provide better performance and redundancy.  Email is delivered there and held for 3 days so that it is available to you even if your hosting server account is unavailable.  You can use web based email on it if you need to.

    Backup Mail Server

    This is a highly summarized overview.  If you have questions or comments, please ask them!

  • Encrypted email – or is it?

    We are often asked about certificate warnings which pop up in email clients.  When an account is moved to a new server, there is a new certificate and a new warning often appears.  In answer to a question about this:

    It’s safe to accept the certificate.  We moved your accounts to a newer faster server a few days ago.  We had been using a wildcard certificate, but that was causing problems for people running software too dumb or too conservative to work with such a certificate.  It seemed like an appropriate time to switch.

    Email client software often sets up TLS (encrypted) connections by default.  It makes people think sending stuff via email is secure, adding yet another misconception to the rampant ignorance.  It’s not secure.  Email is a store and forward system.  That means your message may cross the network encrypted, but it is then stored unencrypted on the target mail server.  It frequently passes through many servers before being delivered.  It’s trivial for an administrator of any of those servers to keep a copy – not encrypted.

    The security of your message is in the hands of those administrators.  You will almost never even know who they are.

    Nearly its only virtue is that your password is sent over an encrypted connection.  It also means that when someone at the NSA wants to read it, he will have to spend a few minutes on a powerful computer to decrypt it first.  If you want more secure email, you need to encrypt the content, not just the connection.  If you don’t want the NSA or anyone else reading your email at all, you’re basically out of luck.

    Content encryption is good enough to deter most criminals and casual snoopers.  Unfortunately, a really sophisticated criminal can still decrypt it.  But you don’t need to worry about this too much unless you know that your content has a very high value to such a person.  If you make it even a little hard, they will move on.   There is no shortage of easy targets.

    The bottom line is: encrypt the content if you need security.  That said, there are better ways to transfer sensitive information than via email.  There’s no reason to allow it to have such a high profile.  Virtually all cases of hacking are the result of gaping stupid security holes, someone incompetent in charge of security.
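
    The store-and-forward path described in this post can be read back out of a delivered message. The following added example (not from the original post) parses the Received headers of a constructed message, lists the servers that handled it and marks which hops were encrypted; the sample message, host names and function names are made up for the illustration.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop ran over TLS: the RFC 3848 keywords,
# plus the UTF8SMTP variants.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA"}

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)

# Constructed sample: every host, address and queue id below is invented.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.org (Postfix) with ESMTPS id 4ABC123
\tfor <bob@example.org>; Mon, 10 Jun 2013 09:15:04 -0400 (EDT)
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net (Postfix) with ESMTP id 9F00D2
\tfor <bob@example.org>; Mon, 10 Jun 2013 09:15:02 -0400 (EDT)
Received: from laptop.local (unknown [192.0.2.55])
\tby relay.example.com (Postfix) with ESMTPSA id 77E1A9
\tfor <bob@example.org>; Mon, 10 Jun 2013 09:15:01 -0400 (EDT)
From: alice@example.com
To: bob@example.org
Subject: quarterly numbers

The body is readable on every server listed above.
"""


def trace_hops(raw_message):
    """Return the hops in travel order (sender first).

    Each server prepends its own Received line, so the header order is
    newest first and has to be reversed. Lines written before the message
    reached a server you trust can be forged; treat them as claims."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        m = HOP_RE.search(flat)
        if m is None:                           # unparseable: status unknown
            hops.append({"from": None, "by": None,
                         "protocol": None, "tls": None})
            continue
        proto = m.group("proto").upper()
        hops.append({"from": m.group("src"), "by": m.group("dst"),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def summarize(hops):
    """Condense a hop list into the facts that matter for confidentiality."""
    return {
        # Every receiving server had the message in readable form,
        # whether or not the connection into it was encrypted.
        "servers_holding_copy": [h["by"] for h in hops if h["by"]],
        "cleartext_hops": [(h["from"], h["by"])
                           for h in hops if h["tls"] is False],
        "every_hop_encrypted": bool(hops) and all(h["tls"] is True
                                                  for h in hops),
    }


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(summarize(trace_hops(SAMPLE)))
```

    Even when every hop reports TLS, each server in servers_holding_copy received the message in readable form, which is why only content encryption changes the picture.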

  • Search Engine Optimization and Blogs

    This morning I was asked (slightly modified):

    I noticed our blogs show up easily and on first pages on Google searches, however our new web site pages hardly show up (except for a few) on first pages.  Is that because it’s new and hasn’t been indexed by google yet? I have noticed if I modify a blog, Google searches find the new information within a few days or even overnight.

    The Yoast SEO WordPress plugin shows many web site pages are now SEO [search engine optimized] friendly (green light status) yet they don’t show up.  I’m just curious if  there’s a logical reason my Word Press blogs get quicker Google attention than my SEO web site pages.

    Google is very good at picking off certain kinds of search engine “optimizations” and will reduce rankings when it finds them.

    When people do searches, Google attempts to differentiate when they are looking for information as opposed to looking for places to buy things.  In searches perceived to be for information, pages with the clear purpose of making sales are ranked negatively in order to drastically cut down the number of such pages returned in favor of pages with useful information.

    They try to help people find what they are looking for, not help other people sell stuff. When it comes to serving interests, they are steadfastly on the side of the searcher.  They want people to like and use their service.  As a generality, the more closely you and Google share the same intent, the better your rankings will be.

    Blogs which are written as information sources without “salesy” language do well in page listings because they parse as information. Lexicology, which studies word and phrase patterns, is an important part of how they do their rankings.  Using lexicology, it’s not hard to differentiate language meant to sell things, language trying to rank well or language meant to convey useful information.

    As part of a course I took in artificial intelligence, I did a project to classify textual information into subject, relative content usefulness and reveal biases. It used a lexical database to analyze the documents. I fed it thousands of news and information articles. About 50 people read as many randomly chosen articles as they were willing to and then answered questions derived from the analysis. That information was fed into a neural network to teach it how to classify articles using the lexical analysis. Later, when I asked the same people to rate results returned, I was able to show statistically that the vast majority of people would agree with the choices returned on searches which included not only subject but also the information value and biases contained in the results.  I found it fascinating and a bit startling that it was so easy to do this.

    When you type in search terms, then click on results, then click on different results, Google records and uses the information to refine what it returns in subsequent searches. If you ignore the first three pages and click on the fourth page, that page may rank higher when other people do similar searches. But if you come back and click on something else without much time elapsed (meaning you didn’t like what you looked at) then the page is likely to rank lower next time. This information is collected and used in real time and changes constantly. Given the massive volume of pages analyzed and searches done, they are always going to be miles ahead of attempts to manipulate results.

    That is just one aspect of how they rank results, but it’s an important one.  And it is essentially impervious to manipulation.

    There is an entire industry devoted to search engine optimization, almost all of which is naive and worthless. Naive attempts to improve rankings are much more likely to do the exact opposite. The best way to get good rankings is to provide good content, to provide information people look for.  At this point common sense should tell you to be very careful how you link into sales pages from information pages.  If you are selling products, good product descriptions without overt sales language is probably the best way to do this.  For example, in an informational article you might say “for more information ……”.

    Other aspects of how they rank pages include how recently added the information is and how active website changes are. The presumption is that an actively changing site is responding to its visitors and that in turn implies attempts to provide useful or interesting information.

    I’m not an expert on this subject, but then neither are the vast majority of those who think they are or claim to be. What I do know from watching websites come and go for the last 10 years is that sites which are actively maintained and updated and have high quality content succeed far more often than others.  Blog software such as Word Press is a great way to do this because it allows you to concentrate on content rather than getting bogged down in the more technical aspects of web page design.

    Most web site designers concentrate on the look and feel.  Certainly that’s important to create good first impressions, but it’s the words that attract visitors and sell things.

  • Privacy and Security

    We have many emails this morning with questions about privacy and security.   Given the news over the week-end, this is not surprising.  A person with more than top secret security clearance at the NSA (the [American] National Security Agency) revealing secret capabilities is a very big deal.

    If you haven’t already heard about this, let me suggest that you get information from as close to the source as possible.  I have already observed news sources injecting bias.  Most of that is due to ignorance, but some appears to be willful.  Most reporters lack the background and will dish out what they have been spoon fed by some “expert”.  There is often a heavy bias.  Be careful what you believe.  The real story is NOT the whistle blower!  It is what he is talking about. The Guardian

    The intent here is to provide some basic information about network security.  It relates to email and your personal information on the Internet.  Network security is a huge topic.  Any opinion about what the NSA has done or may do in the future will be hopelessly naive without a reasonable understanding of what is possible.

    The recent revelations have been no surprise to people involved with computer security.  That the capabilities exist has been common knowledge for a long time.

    Passwords

    To get an idea how long it takes to crack a password, take a look at GeodSoft Password Cracking Time Calculator. The problem with this site is that it doesn’t mention what computing power is being brought to bear.  The time it takes to crack the typical password with a typical desktop computer is about 2 days using brute force methods (trying every combination).  Using dictionary words cuts that down to under an hour.

    To consider what the NSA is capable of, you can divide that by at least 1 million.  An article about passwords with more detail.

    A good password provides adequate protection against criminal activity, but this is only true for 3 reasons:  1) most criminals are stupid,  2) smart criminals have an abundance of easy targets,  3) what you have that they want isn’t worth the trouble.  If you make it hard, they will move on.  If someone smart with access to a super computer wants to know your password, he can get it.  You have no defense, unless you also have a super computer.

    SSL and TLS – Secure web pages and email

    SSL and TLS use public and private keys to provide encryption.  The source computer provides a public key which the destination computer uses to encrypt what it sends and decrypt what it receives.  It takes a lot of computing power to do this without the private key.   It is in essentially the same class as very good passwords.  For some (scary) detail please read this.

    Many years ago in a college class on computer security, the instructor described a paper written in the late 1970s by a friend of his, a mathematician.   She had used a PDP-11 to generate mathematical key signatures which could then be used to crack any encryption in existence within a few minutes.  If you don’t know, a PDP-11 had considerably less computing power than your cell phone.  When she was about to present the paper, she was quietly taken aside by some unexpected guests.  The paper was never presented anywhere nor published and she moved on to other areas of research.  It’s safe to say that the NSA and FBI know all about her work.  It’s also safe to say they have expanded on it over the last 30 years.

    SSL is excellent protection against common criminals and snooping individuals, but against the resources of a government or a consortium of smart criminals, it’s useless.

    Implications

    There are techniques which go beyond what is described above.  The simplest to understand employ rotation schemes.  They are based on the idea that if it takes 1 minute to crack a cipher, but the cipher is changed several times per second, in theory the system can’t be cracked.  In practice, it boils down to the attacker simply needing several thousand times the computing power of the target.  Too hard for criminals, relatively easy for governments.  The NSA can protect its secrets.  Individuals can’t.

    Most likely you will see news stories about who has and has not given unfettered server access to the NSA.  Google, Yahoo, Facebook and Microsoft, just to name a few, are loudly proclaiming that they have not.  Given that the NSA has no need to be “granted” access, this is completely irrelevant.  If they want access, they have it.  It’s as simple as that.

    Over the next few days you will hear various assertions being made about the safety of your personal information.  You need to listen carefully because there are no absolutes.   It is impossible to fully deliver on guarantees.  Every case is relative.

    Data Mining

    This is the process of detecting patterns in data which have implications and then searching for other occurrences of the same patterns.   It goes beyond seeing who a terrorist was in phone contact with.  When an organization follows standardized procedures, their activities generate patterns.  For example, a terrorist sleeper cell might be detectable from phone and Internet records without any advance knowledge of the individuals placing or receiving the calls, just from their frequency, duration and places of origination and termination.

    The problem is that the target organization can be anything.  That includes a group of individuals who might be seeking political change.  Having identified such a group, counteracting it by co-opting its goals is a common political strategy.   So is discrediting the individuals involved.  Information is power.

    Those are the facts.  You can choose to believe or not believe how far the NSA has gone.  You can choose to trust or not to trust the government of the United States.

    It is a historical fact that no significant weapon ever developed has gone unused.  Even nuclear weapons have been used without being fired in the same way a gun pointed at someone’s head is a weapon being used.  I personally think it would be naive to believe that it’s all a mirage or that these capabilities will never be abused.   It’s instructive to remember G. Gordon Liddy and why the American government has a division of power.

    The question is what to do about it.  Would you be interested in enhancements to protect your email privacy?  To protect your on-line privacy?  The integrity of your information on our servers?

    You may be interested in learning more about The Tor Project

    Please comment.  If you are uncomfortable doing so in public, do so in private.

  • Some Security Questions

    This morning we had an email asking about setting up a secure web site.

    I want to set up my own private “cloud backup” because the one I bought into and set up was a big ripoff and I’m pissed at them. My problem is that my own websites are not secure, get hacked, etc.

    I wondered if I bought a SSL certificate, would that make one of my domains hosted with you be totally like Fort Knox or just no difference at all, except more outgo (expense) for that particular domain.

    Is there ANY solution to get super safe online storage whatsoever?

    There is no such thing as a totally secure web site. As far as that goes, there is no such thing as a totally secure server either. This applies to everyone everywhere. Always. The only computer which is totally secure is one which is OFF.

    Having said that, it is quite possible to have and maintain a web site which can be characterized as “safe”. You only need to do a reasonably good job of security and it is extremely unlikely that you will ever get hacked. The miscreants who do these things don’t need to go to great lengths to find exploitable web sites. If you just make it hard for them, 99% of the time they will simply move on.

    Your web sites do seem to get hacked at a greater rate than our other customers. I suspect that this is because you buy and install so many PHP scripts.

    It is the basic nature of PHP that it is insecure.  If you simply write code, it will be vulnerable.  Having written it you need to go back and with a very sophisticated understanding of how compromises are engineered, bullet proof it.  99.9% of amateur programmers lack a sufficient understanding of security to do this.

    Probably more than 50% of professional programmers lack the skills as well.  It’s hard.  Take Word Press as an example.  It is written by the best.  Yet every few months new vulnerabilities are found in it.

    Since the advent of broadband and computers typically always on, the number of computers connected to the Internet which are (in varying degrees) compromised is presently estimated to be about 35%. In other words, more than a third of those machines is compromised. The people who do these things have gotten very good at it. The basic problem is that the design of Windows operating systems is flawed regarding security. Attempts to make it and keep it secure are band-aids after the fact.

    You need to use a very high quality virus scanner and keep it running. Because scanners use signatures to identify viruses and new ones appear constantly, it’s not enough merely to have it running. You can get infected with a new one not yet in the database. This is why you need to periodically run scans, to pick up what may have slipped through.

    Did you have in mind to use your account with us as an online backup solution? Is that what you meant by “cloud backup”?  This is against our terms of service.    TERMS

    With 5 copies of everything and the use of very expensive servers to provide fast web site service, it’s ridiculously too expensive to be used that way. We can provide such space if you really want it, but have to charge for it separately.

    Consider buying yourself a hard drive with a USB interface for backups. Unplug it and it meets the OFF condition I mentioned above! It’s also faster and easier than an online solution.

    Super long and complex passwords only provide slightly better security than one which simply has: upper and lower case; a number; a special character (like ‘#’). Don’t waste time on this. An 8 or 9 character password which meets those conditions is fine.

    An SSL certificate merely encrypts traffic to and from a web site. It is a significant improvement in security to log in and administer back-ends using SSL. But this is not the basic problem. If there is a vulnerability in a program or script, it is as easily exploitable over an SSL connection as over one not encrypted.

    My guess is that more than 99% of site compromises I see are done using kiddie scripts.  A kiddie script is an attack script to exploit a particular vulnerability in a particular set of scripts.  They are downloaded and used by people who have no idea how they work.

    If you pay basic attention to security and keep your scripts up to date, your chances of ever getting compromised are very low.

  • Word Press Plugins

    Word Press plugins come in many flavors.  Because so many look interesting, it can be tempting to install a lot of them.  Remember – the more plugins you have active, the slower your site will run.  It can make a very big difference.   You may not notice a difference in speed, but web site traffic often consists of load spikes.  It’s when many people are accessing a site at the same time that you might see a difference.   Also, every extra plugin creates a new target for attackers.  Unless a plugin is providing functionality you regard as important, don’t install it.  Uninstall any you are not using.  Often, less is more.

    • Rule 1 – Less is more
    • Rule 2 – Keep them up to date!
    • Rule 3 – Delete plugins you are not using.  This is for security.
    • Rule 4 – Do not use plugins which are not actively maintained.  If a plugin has not been updated in a year or more, it is likely a security hazard.  I once lost a site because of this.

    Highly Recommended Plugins

    Akismet – This plugin is so useful it is automatically installed with Word Press.  What it does is filter out comment spam.  A busy site can get hundreds of such comments daily and it’s an annoyance to get rid of them.  Akismet requires an activation key which is free for personal sites.  A donation is requested for commercial sites.

    Word Fence – This plugin provides firewall functions and site hardening.  In just a few seconds you can dramatically reduce the vulnerability of your site.  To install it, click “Plugins” -> Add New.  Search for “Word Fence”.  After installing and activating it, you need to do some basic configuration.  After installation, a dashboard menu choice will appear.  Click on that to configure and check things.

    Database backup – Generally on our servers this is not needed as we do this automatically.  The danger with many of the settings is that they will interfere with other plugins.  For most sites, simply clicking on, “Secure My Site From Basic Attacks” is 98% sufficient.  Next, run through the options.  If you simply change everything in RED, your site will be about 1,000 times more secure than the usual WP site.  If you have a very busy or controversial site, you may want to take this further.  Most attackers are looking for low hanging fruit and there is plenty of that around.

    Anti Captcha – This plugin is invisible to users, but stops automated login attempts.

    Recommended Plugins

    Jetpack – by WordPress.com – a highly useful collection of functionality.

    Ultimate TinyMCE – This plugin adds a lot of useful editor features.  After you install and enable it, click on the new dashboard menu choice.  Some of the things which can be added are color backgrounds, fonts and styles, various buttons and media functions.  When you add features, be sure to select Row 3 or it can make a mess.

    Shortcodes Ultimate – This plugin provides many additional visual features.  Among them are tabs, dividers, drop caps, fancy boxes and too many more to mention.  Many plugins include some of these features, but this one has a longer list.

    WordPress SEO by Yoast – The developer is a senior Word Press developer so this is a really advanced plugin.  Search engine optimization is the tip of the iceberg.  It includes social media, XML sitemaps, permalink behaviors and many ways to modify a site’s internal structure.  It also includes many buying opportunities which I haven’t tried.

    NOT Recommended Plugins

    Any Cache Plugin – Keeping a cache is far more likely to slow down your site than it is to speed it up.  Our servers are optimized to serve web sites.  This means that the server itself runs many kinds of cache simultaneously, mostly in memory, but also on disk in a raw form which outperforms the file system.  Memory is thousands of times faster than disk I/O.

    A cache plugin has to analyze what is being requested, generate signatures and then search on disk for those signatures.  Paradoxically, the larger the cache is, the longer all this takes.  98% of the time it would have been faster to simply generate the content from scratch, partly because doing so takes advantage of the server cache.  The pieces are usually pulled from memory rather than requiring any I/O.

    A good way to speed up a Word Press blog is to use a content delivery network like Cloud Flare.  We are partnered with Cloud Flare to offer this to you for free.  Be sure to enable railgun to take maximum advantage of Cloud Flare.  Contact us if you want to discuss this.