Configuring a website with Rackspace.com is much different than setting one up with a shared hosting service such as Dreamhost or GoDaddy.  I could write more about this, but it’s not really productive.

Anyways, here are the steps I went through:

1. Buy a domain.

2. Configure Google Apps

3. Set up a Rackspace.com Cloud Server Account

4. Set up your server on Rackspace.com

5. Set up DNS on Name.com

6. Log in to your server as root, install everything

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^domain.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [L,R=301]

# compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

Just add some AJAX to your <head> section:
<script type="text/javascript">
function request(query){
if (window.XMLHttpRequest){xmlhttp=new XMLHttpRequest();}
else{xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");}
xmlhttp.open("GET","query.php?q="+query,true);
xmlhttp.send();
}
</script>


and create the new page query.php with the following content, replacing the default values where necessary:

<?php
$dbhost = '#REPLACE THIS#';
$dbuser = '#REPLACE THIS#';
$dbpass = '#REPLACE THIS#';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
$dbname = '#REPLACE THIS#';
mysql_select_db($dbname);
$query=$_GET["query"];
mysql_query($query);
?>

Using this code, you can make whatever kind of SQL queries you want from other sections of your site. Be careful however, unless you sanitize your database inputs you leave yourself open to some huge vulnerabilities.

1. Change your logout url:

   $logoutUrl = $facebook->getLogoutUrl(array( 'next' => ($fbconfig['baseurl'].'logout.php') ));

2. On your logout.php page, add the following code:

   setcookie('fbs_'.$facebook->getAppId(), '', time()-100, '/', 'domain.com');
   session_destroy();
   header('Location: /');

This should correctly logout your users.

• Weekly on Thursday and Friday forever
• Once a month on Friday for 6 months
• Every other Friday
• Every third Friday of the month

Also, it needed to be able to handle exceptions and extensions to existing recurring events, and the events could not be purely virtualized instances, since other objects would references event id numbers as a way of collating data collected. After all this, a set of three tables seems appropriate, with Event, EventModel, and EventException objects.  Each Event is an instantized version of EventModel, and once instantized will remain forever in the database.  While this is not best practice, negative infinity in our case is relatively manageable for now.  In the future, implicit grouping of data according to a index-less key may be used.  EventModel, which contains all the attributes of a single event, plus meta data relating to recurrences acts as a prototype event for recurring events.  To normalize the data a bit, even non-recurring events will be stored as EventModels.  This will aid in data manipulation later.  The EventException object belongs to a third table, which stores individual event exceptions.

In practice, a daily cron script will create events for that day based upon the rules in EventModels.

When viewing events, the easiest way is to view EventModels, with sub-grouping of recent and upcoming events associated with that EventModel.

Of course, I’m not an actual programmer or computer scientist, so suggestions are welcome.

Now, there seems to be a similar menace facing Facebook, especially it’s chat feature. I recently received a message from a friend on Facebook with the text: “Sam See who views your profile @ x.co/WkdW?95031″. Upon visiting my newsfeed, I noticed a new event invitation to “How to see who viewed your profile!!” by the same person. Interested to see how this was spreading, I visited the link provided (in a secure browser of course). Looking at the site, apparently you are supposed to paste in a JavaScript file into your address bar, which executes and tells you who views your profile. While this is of course impossible, it was interesting to see what exactly was going on. Opening the JavaScript file, I discovered a bunch of code I can’t claim to understand.  However, some was kind of simple, and I shall attempt to explain it.

var randomnumber=Math.floor(Math.random()*99999);
var chatmessage = '%firstname% See who views your profile @ x.co/WkdW?'+randomnumber;
var postmessage = 'My Top Profile Viewers: \n\ %tf% - 1136 views \n\ %tf% - 983 views \n\ %tf% - 542 views \n\ %tf% - 300 views \n\ See who views your profile @ http://x.co/WkdW?'+randomnumber;
var redirect = 'http://aafv8vni.info/final.php';
var eventdesc = 'Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! - http://x.co/WkdW?'+randomnumber;
var eventname = 'How to see who viewed your profile!!';

This first part was very simple.  Apparently it just creates a random link, and spreads it three ways: chat messages, wall posts, and events.  The event creation is something I haven’t seen before and was kind of interesting.  Also, for those interested, the values provided are hard-coded into the script, which means they are completely fake.  This was assumed, but it’s nice to know for sure.  I’m not sure what the random number is for, maybe the author is doing some cool social network analysis on people who click on links like this.  The redirect goes to a pages that links to several surveys that allow them to “verify your identity.”  This is probably just more ways to spam you and make money.

The rest of the code is very obfuscated due to variable and function naming.  Some parts to note are that the author left debug functions intact and uses unique URL identifiers for each instance.  I’m not sure if this is for tracking purposes, but it could open some cool doors for network mapping of gullible people.  The funny thing is that it doesn’t actually harm your computer (that I know of), and only tries to spread itself.  This could just be the beginning of something bigger, but for right now the worst part is the embarrassment and cleanup of your Facebook profile.  The code itself is not very intriguing, since XSS is a commonly known information security vulnerability affecting many sites on the internet.  However, since the script relies on a victim actually pasting code into the URL bar once they are on Facebook, this scam is easy to avoid.

Full Code

<?php
while(1){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://34st.com/wp-content/plugins/wp-polls/wp-polls.php");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$id=rand(11,13);
curl_setopt($ch, CURLOPT_POSTFIELDS,"vote=true&poll_id=3&poll_3=$id");
curl_exec($ch);
curl_close($ch);
header('Location: http://getmeep.com/curl.php?loop=true');
}
?>

Timeline

• Thursday, before competition – Meet up with Matt, go over idea, get introduced to Twilio API
• Friday, 6pm – Watch intros, get theme, meet the team (Fred and Vincent), then leave to go DJ
• Saturday, 10am – arrive to start coding, hungover.
• Saturday, 1pm – basic ideas and framework fleshed out
• Saturday, 10pm – so many bugs!
• Saturday, midnight – start website component
• Sunday, 4am – mostly done, still fixing bugs
• Sunday, 10am – nap on hammock
• Sunday, noon – demo to judges individually
• Sunday, 2pm – demo for 2.5 minutes in front of audience
• Sunday, 4pm – MEEPME announced as Grand Prize winner!
• Monday, 4pm – start social media blitz for Student Choice Award
• Following Monday, 12:15am – MEEPME wins Student Choice Award!

Next stop: Wharton Business Plan Competition and Philly Startup Weekend!

Media

www.youtube.com/watch?v=nnyaOXn_HY4

www.youtube.com/watch?v=W4DGTf0fvRQ

First thing, download all the sources. You might also want to run yum update just to be safe. Since this was a brand new VM, this required about 300MB of updates.
Currently, the “full setup” lists the following:

• openvas-libraries 3.1.2
• openvas-scanner 3.1.0
• openvas-manager 1.0.1
• gsa 1.0.1
• openvas-cli 1.0.0
• openvas-administrator 0.9.0
• gsa-desktop 0.1.0

I downloaded and untar’d them all for later. From the limited documentation on the site, I deduced that openvas-libraries should be installed first. cd to that directory.

openvas-libraries

For the cheat codes, skip to the end.

To build and install from source, the usual process is ./configure; make; make install.

To isolate errors, you should run each individually, so ./configure first.

Alright, this has to be written down somewhere, let’s check the install_readme. Apparently we need:

• libglib >= 2.12
• libgnutls >= 2.0
• libpcap
• libgpgme >= 1.1.2
• gcc
• bison
• flex

To install all of these, run yum -y install glib2-devel gnutls-devel libpcap-devel gcc bison flex. The rest aren’t in the standard CentOS repo.

Now to try ./configure. We get configure: error: "gcrypt.h not found". Now you should be seeing a pattern. Let’s fix this by yum -y install libgcrypt-devel.

We are missing library gpgme. Yum comes up with no results for gpgme, but the script has a link to http://www.gnupg.org/gpgme.html. Download the source code, and extract it to a folder. We have to build and install this before we can get back to the main openvas-libraries installation.
Apparently you need GnuPG2, which can be installed by yum -y install gnupg2. This installs some dependencies, but g13 is still missing. You also need libassuan and libgpg-error, which can be downloaded from http://gnupg.org. Extract both, and ./configure; make; make install. Install libgpg-error first, as it is required for libassuan.

Apparently e2fsprogs-devel is required, but nothing will tell you that. Instead, the program complains about not having uuid and the development libraries. Of course, this took a little while to figure out, since uuid and uuid-devel aren’t in the standard CentOS repos. Instead, you need to install additional repos, and then find out that it still complains. Only after some clever Google searches did I find out about e2fsprogs. yum -y install e2fsprogs-devel.

To build openvas-libraries, you need cmake. Download and install cmake from http://cmake.org. To install cmake, you need to have gcc-c++, and use a different script. yum -y install gcc-c++ to get the c++ compiler. Instead of the usual ./configure; make; make install, you need to ./bootstrap; gmake; make install. Not sure if you really need to use gmake instead of make, but the output of ./bootstrap told me to.

Then, go back to openvas-libraries and make; make install

TL;DR:
Note: file versions may be out of date, please visit the homepages for these tools to get the latest versions.
# yum -y install glib2-devel gnutls-devel libpcap-devel gcc bison flex libgcrypt-devel gnupg2 e2fsprogs-devel gcc-c++
# wget http://wald.intevation.org/frs/download.php/767/openvas-libraries-3.1.2.tar.gz
# wget ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.bz2
# wget ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.1.tar.bz2
# wget ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.9.tar.bz2
# wget http://www.cmake.org/files/v2.8/cmake-2.8.2.tar.gz
# tar xzf openvas-libraries-3.1.2.tar.gz
# tar xjf gpgme-1.3.0.tar.bz2
# tar xjf libassuan-2.0.1.tar.bz2
# tar xjf libgpg-error-1.9.tar.bz2
# tar xzf cmake-2.8.2.tar.gz
# cd libgpg-error-1.9
# ./configure; make; make install
# cd ../libassuan-2.0.1
# ./configure; make; make install
# cd ../gpgme-1.3.0
# ./configure; make; make install
# cd ../cmake-2.8.2
# ./bootstrap; gmake; make install
# cd ../openvas-libraries
# ./configure; make; make install

openvas-scanner

Next, to install openvas-scanner, extract the files, change to that directory, and
build it.

# wget http://wald.intevation.org/frs/download.php/754/openvas-scanner-3.1.0.tar.gz
# tar xzf openvas-scanner-3.1.0.tar.gz
# cd openvas-scanner-3.1.0
# ./configure; make; make install

Then, add /usr/local/sbin to your PATH variable by adding the following to /etc/profile, before the line that begins EXPORT PATH…
PATH=$PATH:/usr/local/sbin

openvas-manager

Next is the manager.

The manager requires sqlite and doxygen, so

# yum -y install sqlite-devel doxygen
Then # cmake .; make; make install

openvas-cli

OpenVAS-Administrator seems to still be in beta, so let’s skip that and go to the CLI.

# cmake .; make; make install

Configuring

First step is to generate a certificate. If you’re like me, you didn’t add /usr/local/sbin to your PATH, so you have to type it manually for this part.

# /sbin/ldconfig /usr/local/lib
# /usr/local/sbin/openvas-mkcert

Follow the instructions and generate your certificates.

Next, run # /usr/local/sbin/openvas-adduser to add a new user. http://www.openvas.org/compendium/adding-new-users.html has details on this. To create an admin user, give the rule default accept.

Run the NVT sync to grab the latest tests:
# /usr/local/sbin/openvas-nvt-sync

openvas-client

Guess what, you need gnutls for this. What’s that you say, you already have gnutls? Nope, apparently the CentOS repo has a version too old for the client.

Get a new version from ftp://ftp.gnu.org/pub/gnu/gnutls/ and install it.

When installing, use ./configure --prefix=/usr/ to specify the location of the installed files.

To be continued…

gsa-desktop

To be continued…