to R.G

newperson · April 18, 2016, 03:02:35 PM

hi,
you have a dead 404 link on the
Quick and Dirty test oscillator
link
for your site.

PRR · April 18, 2016, 05:38:17 PM

On page:
http://www.geofex.com/buildfx.htm
Link:
"A quick and dirty audio test oscillator"
Destination URL:
http://www.geofex.com/FX_images/q&dosc.pdf
Result:
HTTP Error 400.0 - Bad Request
ASP.NET detected invalid characters in the URL.
Requested URL http://www.geofex.com:80/FX_images/q&dosc.pdf
Physical Path E:\Inetpub\Clients\geofex.com\wwwroot\FX_images\q&dosc.pdf

Dumb guess:
You changed server software. The new software does not like the ampersand in the URL.
(Idiotic, because IIS will accept other invalid syntax and serve whatever it likes.)

Fndr8875 · April 18, 2016, 05:53:24 PM

geofx isnt up anymore, this had been talked about a ton. just do a google search for that tutorial, u sound like ur an IT guy, so am I, there are a ton of mirror links ppl have put up who archived the stuff.

lars-musik · April 18, 2016, 06:13:41 PM

I can access most of geofex.com just fine.

The link you are looking for is archived in the waybackmachine internet archive (for example from last year) here: http://web.archive.org/web/20150409052402/http://geofex.com/FX_images/q&dosc.pdf

This archive is a good thing to rember and/or bookmark. If you discover dead links in the internet, always try to paste the URLs here first: https://archive.org/web/

R.G. · April 18, 2016, 06:29:41 PM

Thanks for the tip. I just had to resurrect the site from another hacking attempt that scrambled some of it. There's probably more scrambled than I thought.

Good guess about the ampersand. I probably ought to change that to a literal "and".

Fndr8875 · April 18, 2016, 06:36:11 PM

my mistake, i never used geofex until i got interested in building pedals. I new the Escobedo stuff was taken off there, and thought i had encountered bunch of broken links , and heard something that yahoo had taken it down.

karbomusic · April 18, 2016, 08:39:04 PM

Ampersand usually isn't legal. It is a delimiter between variables being passed in the query string where query string is everything to the right of the question mark...

fooblah.com?varA=1&VarB=2&VarC=3

To avoid any confusion just replace the ampersand with %26 in the link which is the HTTP escape code for ampersand, IF the ampersand is actually part of the file name.

Even better to just remove the ampersand from the file name if it exists though.

PRR · April 18, 2016, 11:56:46 PM

Ampersand legality is a grey-zone.

In this case it is not essential. The file is not about ampersands.

"q+d" seems cute but different systems mangle the plus sign differently.

"q-and-d-osc.pdf" or "quick_and_dirty_oscillator.pdf" are legal and more intelligible when we run across them later in our files. 6-char filenames went out with TOPS-10 and FORTRAN. (I know, FORTRAN will never die.)

stallik · April 19, 2016, 02:37:07 AM

URL encoding the address ( replacing the char with %xx) is the normal way of avoiding these issues. The trouble is, not every browser/ software does the URL decode in the way you expect. Also, strings of text passed to a database can incurr secondary rules so +1 to simplifying the name in the first place.

gtudoran · April 19, 2016, 07:26:05 AM

@R.G - i would stop using IIS (Internet Information Server) on a public site. Or i would use it with a proxy module ... using IIS is like drinking poison and expecting for your enemies to die....

karbomusic · April 19, 2016, 08:37:58 AM

Quote from: gtudoran on April 19, 2016, 07:26:05 AM
@R.G - i would stop using IIS (Internet Information Server) on a public site. Or i would use it with a proxy module ... using IIS is like drinking poison and expecting for your enemies to die....

Not really, it just needs to be current and updated. Not sure I'd feel good running IIS on windows 2000 for example but newer/updated should be just dandy. And maybe not use FrontPage.

Chances are he is being hit by exploits in the admin/FrontPage code that are years if not decades old and likely not even related to IIS.

stallik · April 19, 2016, 02:16:56 PM

Hmm. Everyone has their own way of doing things. RG, we're just grateful for the resource. If they want to hack you, they will. No matter what you set before them. The issue as I see it is that if your web content is redundant and useless, they will often leave you alone. If it's valued and attracts traffic, the appear to think it's fair game. You're stuff's good therefore, you are a target. Sad.

Still doesn't hurt to build a few walls though...

Hatredman · April 19, 2016, 03:23:13 PM

Quote from: stallik on April 19, 2016, 02:16:56 PM
Hmm. Everyone has their own way of doing things. RG, we're just grateful for the resource.

I totally agree with that, I am more than grateful for Geoex and all that RG has done for the community.

But, still...

QuoteIf they want to hack you, they will. No matter what you set before them.

Not entirely correct. There's a difference in being robbed by a skilled burglar that could circumvent proper built and secured windows, and being raided by a buch of 6-year-olds from the hood because your front door is wide open and there's no one home. Not saying that's RG's case, just saying that what you set before the bad guys really matter. A lot. You will at least have less of them biting your heels.

QuoteThe issue as I see it is that if your web content is redundant and useless, they will often leave you alone. If it's valued and attracts traffic, the appear to think it's fair game. You're stuff's good therefore, you are a target. Sad.

Again, not entirely true. In fact, it's dangerous to think this way.

Most attackers (and I mean almost all of them) are demi-skilled kids that are not looking for a specific target. They seek for easy prey. They scan the internet in search of these, and traffic, value or relevance has nothing to do with it. Skilled hackers who do it for profit are rare, but pale kids in dark rooms searching the whole of the net for some thrill abound. If a real good hacker wants to break you, he or she will break you. But if you just shut and lock your front door you will at least get rid of the brats.

RG's content is indeed relevant, but that's not the point. Professional hackers want money, not exactly what Geofex has to offer. Script Kiddos want to have fun, to learn and to earn some degree of fame. And for this, any website will do. So, if you have a minimum level of security, you are safe from 99,9% of the internet delinquency.

Sorry for the rant. I work in IT and InfoSec and these things make me nervous.

karbomusic · April 19, 2016, 04:51:05 PM

Quote from: stallik on April 19, 2016, 02:16:56 PM
Hmm. Everyone has their own way of doing things.

I peeked at the source then confirmed via NetCraft that it is Server 2003/IIS 6.0 running Front Page Extensions. FPE aren't very secure at this point in time so all combined would make this server somewhat of an easy target, hence the multiple hacks. Meaning web security is akin to working with high voltage in electronics (minus the death part), it's not safe to assume something this outdated is going to be safe minus the security knowledge to keep it up to par.

I wholeheartedly agree on the value of the resource but at the same time truly hate seeing RG having to deal with the type of hacking that likely shouldn't need to be occurring in 2016. I'm not saying hacks shouldn't be occurring in 2016, just betting that the ones that are occurring on his server shouldn't be; there is a high chance someone is just going down the list of "easy FPE hacks" and seeing what happens. Hope that makes sense.

PRR · April 19, 2016, 05:34:12 PM

> stop using IIS

Agree that I strongly dislike IIS.

My first webserver (long before 1999) was PWS (the "personal" version of IIS). Even in my innocence, I was stunned at how much carelessness was in it. The dot-dot hack (add dots to a URL and traverse up OUT of the website directory) was already known and not getting fixed(!). Simple CGI required arcane registry edits.

I trialed Xitami and switched-over next day. CGI was drop-dead simple, and secure. No buffer overflows (by design, not casual fix-up). URLs were well-checked. Developers were actively fixing the few minor glitches found. It was their show-piece, not a bought-in orphan like IIS/PWS. Casual critics accused Xitami of not securing the admin pages and files well, but in fact they were more secure than they looked. (I followed the mail-list for years and nobody reported these hacked.)

I'm not fond of Front Page Extensions. IMHO they just work but are not solid or SECURE. They are fine in a benign environment, not for public web. I have been tasked with migrating FPE pages to non-FPE servers and everybody was happier afterward. I don't see much of anything on R.G.'s site that "needs" FPE. (Unfortunatly, what it needs is to have decades of clutter taken out in the yard and re-stored neatly and consistently. I'm doing my basement and have a garage to sort-out after, I can't take-on R.G.'s treasure stash.)

FWIW: things change and I would not now pick Xitami, mostly because Apache has become THE! web server. If you just rent web-space without specifying, you WILL get Apache so may as well get used to it. Apache experience will serve you well with any of its cohorts. Apache configuration is opaque and not documented to dummy-level but there's help out there.

R.G. · April 19, 2016, 06:03:47 PM

Sigh. I guess I gotta go re-learn the latest levels of web authoring.

Been a while.

stallik · April 19, 2016, 06:28:48 PM

QuoteMost attackers (and I mean almost all of them) are demi-skilled kids that are not looking for a specific target. They seek for easy prey. They scan the internet in search of these, and traffic, value or relevance has nothing to do with it. Skilled hackers who do it for profit are rare, but pale kids in dark rooms searching the whole of the net for some thrill abound. If a real good hacker wants to break you, he or she will break you. But if you just shut and lock your front door you will at least get rid of the brats.

When I stated that 'if they want to hack you, they will' I was trying to make the point that nothing can ever be considered completely secure. While I agree that many script kiddies may be looking for the easier targets, there are those who may select harder targets in order to gain esteem among their own kind.
But then, what do I know? I'm no pro in this field and am absorbing all the comments here. I've been putting web sites together for many years though only just started running my own Apache servers. Effectively, someone else has been looking after security and firewalls for me, either at the host or now, the IT dept whose firewall I sit behind. My choice to use less common languages may have helped me but really, I've probably just been lucky so far.
Good luck RG

PRR · April 19, 2016, 06:47:46 PM

> Sigh.

Agree.

Me, myself, my own taste.... I would lose frames and strictly limit tables. (The frame is mis-rendered in modern browser, and tables are IMHO begging for trouble and perpetual fixin'.)

And none (super-little) of this modern CSS stuff which gives you pinpoint control +/- browser quirks and user settings. CSS may be handy to apply 3 stock text-types (font, size). If you "cascade" more than a trifle you need a sidekick just doing spaghetti-code (that's what it is) testing and debugging.

No Java or JavaScript. Same reasons.

This isn't Wired or Apple or even YouTube. Your talents should not be absorbed in layout tangles.

One full-page Table so you can have a top or side bar.

Me, myself, my own taste.... simple list. {BR} delimited list, not even {L} tags.

For each "piece" (HTML page, standalone GIF, PDF), Title, description, and (100% legal) file-name.

Your top page has over 200 links total, so this is massive typing (or copy/editing).

FWIW: Google Space web-host can be free, "forces" a template which may be useful, and I just learned you can redirect your domain-name to their server (you must get a token from your present host to prove you control the domain). It is ultimately limiting; but that can be freeing. And they have the staff to secure it (and I assume back it up) against hacks.

http://www.customtubeconsoles.com/ is hosted on Google. Yes, Ian let the top-bar grow too wide and main text side-scrolls. But it can be very presentable.

karbomusic · April 19, 2016, 08:29:26 PM

Quote
And none (super-little) of this modern CSS stuff which gives you pinpoint control +/- browser quirks and user settings. CSS may be handy to apply 3 stock text-types (font, size). If you "cascade" more than a trifle you need a sidekick just doing spaghetti-code (that's what it is) testing and debugging.

Except CSS is no longer modern.

All in the eye of the programmer IMHO. One can totally make it a mess or undertake it as such that what RG has being a breeze (next time) instead of a complete overhaul. I can't see him not enjoying changing a single line and that change being reflected site wide. I can tell by looking at the current site that he would have liked having this option previously. CSS is something that is actually very easy to keep very simple. Do I think RG needs to take a course in it? No, but he could kill a lot of labor birds in one stone with some very simple CSS and some forethought.

QuoteNo Java or JavaScript. Same reasons.

No complaints here but an off topic academic thought... The industry is moving (is already there) to the browser receiving only JavaScript and taking the rendering load of the CPU off the server and onto the client. A concern of RGs? Nah, I can't think of a single reason he would really need much, if any; but it also isn't the devil many have been taught to believe it is; however, it's general misuse by programmers who aren't really programmers, is of the devil.

Beyond our geek coder exchange, RG really only has a static HTML site (and lots of it LOL) so he could fix every bit of this on his local machine running it out of a folder on his desktop for the most part, then simply uploading that to a web server. I think what is biting him is FPE or similar since there really isn't much to hack in a bunch of static HTML pages barring an unpatched server but doesn't appear this is a server he has to maintain. I'm also a bigger fan of using the web server you know verses hoping one is always best, I know (as in close to and involved with indirectly) sites with >300 million users running on both IIS and Apache with nary a hack; it's all in the skills of the admins and the security philosophy of those who own those servers; both of which are often lacking.

Transmogrifox · April 19, 2016, 11:16:13 PM

Quote from: karbomusic on April 19, 2016, 08:29:26 PM
with >300 million users running on both IIS and Apache with nary a hack; it's all in the skills of the admins and the security philosophy of those who own those servers; both of which are often lacking.

As much as I harbor contempt for Microsoft and I am easily swayed to believe any fault attributable to IIS, you really identified the security issue at its root.

Unfortunately most don't have the money, nor assets of equal value to protect with the kind of investment necessary to facilitate active server administration. I guess there's the pitch for web hosting services who charge an affordable monthly fee to host your site, and in return they administrate the network and keep your server applications up to date.

And in reality RG's livelihood probably doesn't rely on geo so if he gets hacked it's a nuisance but it doesn't mean thousands of compromised financial accounts or loss of substantial revenue while he rebuilds his business, etc...

It's like the difference between somebody invading your house and stealing heirloom jewelry vs somebody who robs your garden shed and takes a hoe.

News:

to R.G