
Looking for Bands, Artists and Fans

August 5th, 2008 by admin

Just recently the Asylum-ET website completed its second phase as we added the ability for unsigned bands and artists to register for a free account so they can get started on creating their personal band page as well as publishing their music online. The website offers mp3 audio and flv video players for bands as well as Band Logs, or as we refer to them, Blogs, for each of the bands to embed in their webpage so they may keep their fan base up to date on upcoming events, shows and album releases, just to name a few things.

Unlike most labels, here at Asylum-ET, unsolicited demo albums and unsigned bands are most welcome. If you are an artist or band, join us today. We want to hear your music and I know there are thousands more just like us!

Do you have a favorite local band? Let them know to stop by and sign up for a free account so you can join their online fan club. Fans can sign up here.

A counterfeiter amongst us?

July 29th, 2008 by admin

Warning: Probably nothing new to you since this is what I often do but this is a bit of a rant. Once again I find myself aggravated with our ignorance as a so-called advanced species. Recently there have been rumors of counterfeit money being circulated in the city that I live in. Nothing new there I suppose but the thing that I now find funny is the fact that a real counterfeit bill “I know that is sort of an oxymoron but anyway” a real counterfeit bill would cost upwards of twenty dollars to print, being that the ink is multi-colored, there are watermarks, a metal strip, the paper is not a normal everyday stock made from wood but rather is a cloth fiber and that is not even to mention that I don’t know where the heck you think you could get plates or a press to print “real counterfeit bills”.

I know twenty dollars per bill is a bit steep but I am considering the fact that the person who printed these bills is someone I knew from school and I know would not be able to afford it to cost any less than that since they would have had to have bought a very considerable amount of these materials to bring the cost per bill down and this, well, just is not plausible.

With that said comes the real funny part. There are counterfeit one-dollar bills being passed around. I find this extremely amusing because I see one of these so called counterfeit bills, for sure they are counterfeit in that they are not real but seriously if someone is so stupid to have accepted one of these incredibly obvious fakes well then they deserve to be out the money they were worth.

Some dumb twit used a damn color printer and scanner to make these. They are extremely obvious, they do not feel remotely close to a real bill, they do not look like real bills and it goes without saying they are very obviously not real bills, they have a yellowish color to the print hinting that the bill is a result of a scanned bill, the inks should be blues and greens mixed with red, not green with a yellow hue. I am not sure if the person who printed these bills should be on America’s dumbest criminals or if the people who have accepted them should be on a new show called America’s dumbest victims. Luckily for this store I was in, they were given this bill to post as opposed to accepting it.

The thing that brings this all up and spawned this post is this convenience store I had been in. The clerk ran a counterfeit check pen across the 4 one-dollar bills I had paid with. I could do nothing more than laugh even though my amusement was not directed at her. The thing that got me was that this is just one more thing to cut into the bottom dollar of a business in more than one way. First you must buy these special markers and it will be a lot since they are using them for every single bill. These markers cost around $3.50 apiece. Add that to your daily expenses or weekly, dependent on your volume of sales. The next thing is now the incredible waste of time it is causing. Imagine a line with 15 people in it who just want to pay and get home but oh wait… Now you have to wait for each and every bill to be checked and I have just tried to pay for $85 in gas along with another $15 for a quick bite to eat and a drink. I sure do hope you are not the last person in that line. This is a serious joke. Train your employees. Not kidding, if it looks like a dog, smells like a dog and barks like a dog chances are pretty darned good that it is in fact a what?

Another thing that I must mention before going is that these so-called counterfeit detector pens are nothing special. They use iodine to react with the starch used in paper made from wood, which then turns from brown to black to hint that it is counterfeit. These so-called counterfeit detector pens would not hold up at all against a “real counterfeit bill” since a real counterfeiter would use a higher priced paper made from what? Surely not wood! I guess you can just be happy to know that the price to make a real counterfeit is just not economical. Now I wonder if you realize that the $1277.50 a year you are blowing on those stupid pens is also not very economical but teaching an employee what to look for… Priceless!

I do want to be clear though that I am not suggesting that we dumb down the checking for these bills but what I am suggesting is that we look at the cost and for what? If a counterfeit bill is passed at your store it is going to be passed with other bills that are legit in hopes that it would be overlooked. If it is such a good counterfeit that even a partially trained eye can’t tell then we end up with it in our deposit. The chance of us getting a frequent supply of these fakes is zero to none. We will find out it is counterfeit when the bank checks our deposits. The total we lose out would be what, a few dollars. Weigh that against the aforementioned yearly cost, or heck even one month’s cost. Was it worth it or is it worth it to simply train your employees. Now this does nothing to stop the bills from passing hands but there is much to be done there as well that does not involve you spending more money or wasting precious time. You know when the bill was passed within a maximum of what 12 or maybe even 16 hours. You have surveillance tapes. You turn in the appropriate tapes to the police and then you go about your normal business. A few cops watch the tape(s). Weed out the ones who pass credit/checks as well as those who don’t pass a bill of the amount the fakes were and out of the 200 customers you have 20 suspects. Process of elimination is what this is called right? It works so use it!

The person who printed these bills is in prison now and I don’t envision parole any time soon. I do know this can happen any time and anywhere so as I mentioned before train your employees to spot fakes. If you can’t feel or see that it’s fake then your little pen just is not going to do the trick anyway.

I will now give a list of things I look for when accepting money. Bills $20 and higher will have a metal band in the left side, have obvious layers of colors with individual lines forming patterns in them that you can actually feel as raised edges on the surface. Newer bills stick together annoyingly due to these raised edges. Older bills are not as detectable with this method, which is equally helpful. If a bill is crumpled, folded many times and so on yet still has stiffness it is an obvious fake. Take a piece of printer paper and run an alignment test on it with a laser printer. Cut the paper in four. Take the printed pieces of paper and fold and crunch them for a bit randomly. Unfold and straighten them using a table to flatten them out evenly. Hand them to your employees and have them feel the paper and how stiff it still is. This is due to the starch used to make the paper. Cloth fibers are just not like this.

Another thing you will want to do is to take some of the printed test paper and a few authentic new and old bills and put them together. Rub them over each other. Feel the difference? The concept here is that I assume that you still count the money and therefore must actually touch it so I implore you to encourage your employees to use just two of their senses, being sight and touch, while counting and add a little actual thought to the process. These are all things we should be doing anyway and the government has given us all these nice little tweaks to our currency for just this purpose so why then are we not using them? I would still suggest using your pens on higher valued bills but checking every single bill regardless of its value is seriously flawed. Why not just have a dispenser that requires a credit card only and be done with it if you can’t get a decent employee. I’ll build you such a machine for as little as 33 x my est. 1-year cost for those pens. You pay a single employee that within 1 to 2 years. Ponder on those thoughts… Comment on it if you want. Maybe give us a few tips back that you would use to spot a facsimile/fake.

birthday fireworks video

July 6th, 2008 by admin

This was the first time we have got involved in pyrotechnics in a long time since permits, location and firemen are all needed for a show like that. This time everything fell right into place perfectly. We photographed and filmed the fireworks display and I have put it together into a nice little video for you all to check out. Maybe the next time we do something like this we will have it a little more planned out but this was a pretty spectacular show for a birthday party. The complete show took almost 4 Gigabytes of video and 50 Megabytes in JPEG still images before being edited to fit the time of one audio track.
Editing of the audio, video, images and rendering took close to 4 hours. Hope you enjoy, I know we did but next time I am wearing a hardhat… I got rocked in the head with a spent casing whizzing out of the sky as I stood a few hundred feet below the launch site filming. No worries, luckily it was nothing serious. Gave me a slight headache for a few :) Before I show the video though I must stress that this was done with permits, firemen and proper location. Do not try to do this yourself unless you know what you are doing, have hired professionals or whatever it takes to make sure you are safe and have acquired proper permits, etc. I have known professionals who knew what they were doing that have lost body parts or worse due to slight oversight and/or slips so now with that said enjoy the video.

Asylum Entertainment - Userbar

Download the A-ET toolbar

June 16th, 2008 by admin

We now have a new toolbar for you to use in your IE or Firefox browser that will enhance your experience while at our site and away from it. A few things the asylum-et toolbar has to offer are direct links to key areas of the asylum entertainment website, quick search from Google, one of our websites and a number of other search sources, current local weather, a player for asylum entertainment’s Top 20, Latest Albums, Entertainment news, Browser privacy features and more.

Suse 10.3 on the Averatec 3200 Series Successfully

April 12th, 2008 by admin

First off I would like to say that this laptop has been a complete joke since the beginning.
When I purchased the laptop I asked the fellow at Staples if it included a restore CD because I intended to install WinXP Pro on it. He said that it did and that would not be a problem and claimed to have done the very same thing himself. I paid a little over $1000 USD for the laptop.

Well the laptop does not come with a restore CD but rather a restore from hard drive with some 3rd party software. I guess this is typical now because the makers are too cheap to include a disc and they anticipate your having to buy a new hard drive with OS installed. They also refused to sell me a restore CD when I called the company so eventually I was able to get everything running as intended but what a process and to know that I have now voided my warranty by installing a different OS was not comforting. A week later the price dropped 300 bucks and I asked for the difference from Staples. They declined due to the OS being upgraded. I then demanded that Staples refund me the difference or I would return the entire $3800 worth of merchandise I had bought the very same day along with the $1000 laptop. Oh no sir let us help you out. A few weeks after that the optical drive started to fail and about a week after that would not do much more than beep at me. So now I was stuck with what I had and there was nothing to do about it unless I wanted to put more money into it and replace the drive.

Recently I picked up an external lightscribe optical drive and decided to go ahead and try to install a new OS. I chose Suse 10.3 since I have been happily using it on my host for about a year now.

First I downloaded openSUSE-10.3-GM-i386-mini.iso and burned it to a CD. I next booted from this CD and started on the install. I selected all the general settings. The screen for the network setup caused me a little grief. After messing around a bit with a few options I decided to not use the Wifi just yet so I hard wired the network connection. I selected HTTP and then entered the IP address and directory location of the repository for the install. See the openSUSE website for more details.

The rest of the install process was straightforward except for the one thing I must make note of. The Averatec 3200 had WinXP Pro on it and I was not ready to just wipe it out altogether even though I was aware that this very well could destroy it I figured it was a chance I had to take. While in the partition screen, I selected to resize the Windows partition to 20GB, which was the default that the Suse installer chose for me. That worked out just fine and Windows still boots as expected.

After the installation was completed we want to make sure that everything is up to date so make sure that we have internet connection and then open up a terminal program (Shell – Konsole) and start Yast like this.

user@host:~> su
Password: <your root password>
user@host:~> yast

When the Yast Control Center opens up select Software > Online Update and press Enter.

Once loaded you should see a few or more updates available. You will want to look them over and select the applicable ones for your install by using your spacebar to select them. You will know an item is selected when a + plus mark appears next to it. Once you have selected what you wish to update tab to OK and press Enter. One thing differs at this point from what I was used to on my host and that is when the update finishes it returns to the main Yast screen, whereas on my host you must press Finish.

Next while still in Software we use the down arrow and select Software Management to add any additional software packages we wish to use. If there is a specific package you want to find you may tab to [Search] and press Enter. Type in at least part of the software package's name. For example I want to install an irc client so I type in bitchx or even irc.

Using the up/down arrows select bitchx and press the spacebar to select it. You can go through and do the same for any other packages as well before Accepting and installing otherwise you can just repeat the above steps.

When you have completed your tasks in Yast just tab to [Quit]
When back in the terminal type exit and then enter.

Compatibility issues and other notes:
So far there are no issues that I have noticed except that the VIA S3G UniChrome Pro IGP display adapter has a minor bug that does “NOT

Online technology changes that could affect you

April 5th, 2008 by admin

We have recently really pissed off some folks with our willingness to tell it as it is and as a result we have seen a serious increase in the amount of Spam related traffic. It could very well be coincidence but that is highly doubtful given the IP addresses of the offenders. Just the same we have investigated the traffic and found that the majority are attempts at email forgery where a Spammer tries to send email with our domain as the return address so it would seem to have come from us.

Well even though we never forwarded the messages on to the return addresses that had been supplied which would have discredited us and eventually caused bans against our domains we decided to implement a bit of a defense against this insolence. We recently implemented something called SPF. For those that are not familiar with SPF it stands for “Sender Policy Framework”. SPF is a fairly new method of determining the validity of email being sent. It checks the emails and makes sure that the sender has a valid SPF record in DNS and if not drops the email and gives the offender a notice describing their violation and what to do in the event that they are trying to send legitimate email.

Installing the packages needed and configuring SPF was a rather simple task but at the same time it has proven to be a bit of a double edged sword. By using SPF we gain the protection against forged emails like Spam, Fraud, Worms and Phishing but at the same time it is still fairly new and not everyone uses it or in the case we are going to discuss they do not use it properly. We have seen that this poses a bit of an issue in that we have found emails from legitimate services such as technorati that get dropped.

The way the technology works is that 2 parties are required for successful messages to be sent. Each party (domain) publishes an SPF record in their DNS zone for the domain. When one of these domains tries to send an email to the other the receiving domain checks to see if the message complies with the sending domains policy and if not is then considered a fake. Depending on what has been specified in the SPF record the messages can be sent anyway, bounced, dropped and so on. Due to what is considered attacks against our server we have decided to drop all messages that appear to be forged leading us to the technorati issue.

We noticed email being sent from technorati that is getting dropped. We contacted technorati right away to inform them of the issue. We did not hear back from them and do not expect that we will until they fix their SPF record. After having thought about it for a bit we decided to look into it a bit further by checking their SPF record and what we have found is that the record does not include the server IP that they are sending email from. It does include a range of IP addresses but this one they are using is not close to being included. We then contacted them one more time to inform them of our new findings and suggested a fix.

It has only now been about 24 hours since contacting them but we have not seen a fix yet and notice yet more messages from them are being dropped. This is a bit unfortunate but their email is not important enough for us to change our decisions with the implementation of our sender policy. It is a bit disturbing that such a well known website has a misconfiguration like this but everyone can make mistakes. We just hope for their sake that it does not go on for too long especially since they are listed as one of the most frequently used domains that have implemented SPF.

Before I finish up. We highly recommend that if you are not already using SPF you do so immediately to protect yourself, your domain, your reputation and your users from damages that could very well be irreversible. Just remember that getting yourself blacklisted is the easy part.

Speaking out against a giant

March 30th, 2008 by admin

Hello folks, a few weeks back we had some issue pop up with Big G and their Adsense program. We have not spoken out about this for fear of Big G taking action against us by banning us from search results or whatever have you but have since seen so many things that cause disgust on the Big G’s part that we won’t sit idly by and watch.

After speaking with a great number of webmasters about this we have found that 9 out of 10 have had their accounts disabled and any earnings they had made zeroed out by Big G with no explanation other than vague pages leading to what “may or may not

Download Section Fixed

February 9th, 2008 by admin

I was just looking at our last addition to the downloads section and I see in the upgrade to the new site the download section broke. All you would see when trying to download a file was a white page with the file's name :/ That was a simple fix but I want to apologize to anyone who had been trying to download one of the files. All is back to good now :)

the Chronicals of Winblows Pt.1

February 9th, 2008 by admin

About a week ago we had noticed the image server we were using for the album art covers was failing. Looking into it we found that the image server must be under a high load and there really is not too much we could do about that since we do not own or control that server so we decided to add a new image server of our own to even out the load from all the album art covers. During the process though we had to shift the load somewhere since the image server was down about 80% of the time. I set up a small private server that handled the image requests until we could get this all worked out.

The setup of the new image server went rather smoothly except I could not decide which would be faster, archive 3.8 GB, upload it, unpack it or to just upload the un-compressed images eliminating 2 steps. Well now 3.8 GB uncompressed uploaded via ftp was the initial choice. Now keep in mind I have what “Comcast” calls 12MB connection speed. This was sold to me as 16MB+ but that’s another story. I pay almost 100 bucks a month for that. So anyway we started the ftp transfer. A day and a half later not even 20% complete :/ Kind of expected that though.

A friend of mine presented me with an option that he said should work out nicely “IF” I were using Linux/Linux like he. Well my friend is a very Linux minded fellow but I thought well we both know I have a Win/Lin setup but he knowing me presented the idea anyway since I have a habit of converting Linux type operability to Windows machines.

Well this idea of his turned out that converting or altering anything outside of a few config files and permissions was not even necessary. We set up RSYNC to synchronize the directories and files from my home/private server to the new image server that now had been partially uploaded via the ftp. RSYNC worked beautifully. The job still took longer than I would have preferred (16 hours including setup time) but completed without issue.

Everything I was finding for setting up RSYNC appeared as though I would need a client and server to make it all work. Turns out that was not even the case. I already had SSH setup on both the host and at home. I had been using putty to connect to SSH and this would have to change but yet again not an issue. Cygwin is also something I have been using for many years now and with it you can use SSH. So I had to create a new key pair.

After making the keys I then needed to put the public key in place on the host

scp id_rsa.pub user@host.com:~/.ssh/new_key

which is secure copy [public key] [you]@[yourhost]:[your home dir]/.ssh/[the new key]

Once this file was on the host I then log into the host and su to root. (Turns out to be an issue later). So now I then ran a few commands from within the ~/.ssh directory.

cat new_key
cat new_key >> authorized_keys

This added the new key to the authorized keys file.

Back at home, open up Cygwin and try to ssh, hoping that this time our key pair is used right. Because we want to be able to run bash scripts locally to take care of automatically synchronizing sites, we need this to be done without any passphrase added so we are never prompted to log in, which would cause our script(s) to fail. This is another place I failed at first: creating this extra passphrase when generating the key pair was not wanted.

Anyway with the keys done proper I was able to ssh to the host with Cygwin and not be prompted for a password. Looking good, Success so far :)

Next I don’t want to go and attempt syncing the remaining 80% of the images just to find it did not work so next we perform a little test.

I go to the host and create a directory named test in the web root and add a few text files with random data in them. I then create a directory locally named test and put some files into it and also create a few directories inside it with files and so on. We want to make sure that
A: the newly created local directories/files get uploaded to the host.
B: the files on the host do not get overwritten unless changes have been made.

In my local user home directory I have an alias setup to a directory named scripts. Any bash file in it becomes accessible at the command line by simply typing its name from any location in the shell window. The bash file for this I named sync_serv. Below I will include the portion related to RSYNC. I am keeping the automation part to myself and leave you to write your own. This is what was left of the original code. Most of the options we had originally intended are not available on Windows, like --chmod=Dg=rwxs,Fgu=rw,Fo=r --no-times --human-readable --no-owner --no-group, which is unfortunate, but here is the script.

#!/bin/bash
rsync \
--verbose --archive --update --backup --recursive --checksum --rsh=ssh \
/cygdrive/D/test/ \
user@host.tld:/full_path_2/web/test/
echo RSYNC Completed
exit

Our test completed successfully. But wait! We do now have a few issues that must be taken care of. Permissions are all messed up. Since the RSYNC options we wanted were not available and the fact that we did this as a different user than the one who should own the files all we get is a 403 when trying to access any file that was RSYNC’ed yet the ones that were already in place are totally accessible.

So we log into the host again. CD to the web root. Then we need to do the following commands.

chown --recursive --verbose theusername:thegroupname .
find . -type d -print0 | xargs -0 chmod 0775
find . -type d -print0 | xargs -0 chmod g+s
find . -type f -print0 | xargs -0 chmod 0644

Then all files and directories get set with the proper owner/group and default permissions. So everything in our test went well and now to perform the real SYNC. We got that going, about 12 hours later it completed with one error which I caused. Remember the test directory and that we tested the sync with it. Well that was inside the covers directory when we did this. The first time RSYNC ran on the local machine it built a list of directories and files. The test directory and its files were in the list. I deleted the directory and its contents after the rsync started and had built it into the list so we see this at the end.

rsync error: some files could not be transferred (code 23) at /home/lapo/packaging/tmp/rsync-2.6.6/main.c(791)
RSYNC Completed

Next for good measure we do not want everyone hot linking our album covers so we add the following in an htaccess file in the new image server's web root. This stops anyone from directly accessing the images and also from using them in their own pages. Only yourdomain.tld can access them.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://yourdomain\.tld/.*$ [NC]
RewriteRule \.(png|gif|jpg)$ - [F]
ErrorDocument 403 /index.php

WP-Forum XSS and SQL Injection vulnerabilities

January 29th, 2008 by admin

So some twit (or bot) attempted an SQL attack against our site. SQL Injection is a form of Code injection. There are many types of code injection. The definition of XSS includes SQL Injection as one of the methods.

This one used a crafty query in an attempt to gain access to records from our databases.

http://asylum-et.com/?page_id=3&forumaction=showprofile

&user=1%20union%20select%20null,
concat(user_login,0x2f,user_pass,0x2f,user_email),
null,null,null,null,null%20from%20wp_users%20where%20id=1/*

which output this nice little bit

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT count(*) FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/*

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT * FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/* ORDER BY date DESC LIMIT 10

Unfortunate for this person this is not what they were after as a result since our database is not the standard WP database as well as the code not being the standard WP code but I have fixed the code so that not even this is output any more.

Please take note of this twit's IP address.
88-232-152-90

I am glad that this attempt has been made because it alerted us to a vulnerability in the wp-forum Version: 1.7.4 software. The author must have decided that sanity checks were useless because there was not a single one checking the data being passed for database queries.

If you are using this plugin you should at least go through and do an intval() on each of the $_GET variables that wp-forum has accessed directly in the queries. Hopefully the author decides to release a security fix for their software but that won't affect us since we have extensively altered our script to secure it. The original wp-forum can be found here http://www.fahlstad.se/wp-plugins/wp-forum
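The flaw and the fix side by side, as an added Python/sqlite3 model that is not wp-forum's PHP or this site's patched code. The table and column names and the logged user value come from the error output above; the schema, the rows and the function names are constructed for illustration. Where PHP's intval() would quietly turn the logged value into 1, the hardened path here rejects it outright and then binds the integer as a query parameter.

```python
import sqlite3

# "user" value from the request logged in this post, URL-decoded.
LOGGED_USER_PARAM = ("1 union select null,"
                     "concat(user_login,0x2f,user_pass,0x2f,user_email),"
                     "null,null,null,null,null from wp_users where id=1/*")


def make_db():
    """In-memory stand-in database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT,
                               user_pass TEXT, user_email TEXT);
        CREATE TABLE wp_forum_posts (id INTEGER PRIMARY KEY,
                                     author_id INTEGER, date TEXT, body TEXT);
        INSERT INTO wp_users VALUES
            (1, 'admin', 'constructed-hash', 'admin@example.test');
        INSERT INTO wp_forum_posts VALUES (1, 1, '2008-01-01', 'first');
        INSERT INTO wp_forum_posts VALUES (2, 1, '2008-01-02', 'second');
        INSERT INTO wp_forum_posts VALUES (3, 2, '2008-01-03', 'other');
    """)
    return db


def count_posts_vulnerable(db, user):
    # Models the flaw: request text is pasted straight into the statement,
    # so the database parses whatever the client sent as SQL.
    sql = "SELECT count(*) FROM wp_forum_posts WHERE author_id = " + user
    return db.execute(sql).fetchone()[0]


def parse_user_id(raw):
    """Accept only 1 to 10 ASCII digits; anything else is refused."""
    if (not isinstance(raw, str) or not raw.isascii()
            or not raw.isdigit() or len(raw) > 10):
        raise ValueError("user must be a positive integer")
    return int(raw)


def count_posts_hardened(db, raw_user):
    user_id = parse_user_id(raw_user)
    # The value is bound as data and never becomes part of the SQL text.
    row = db.execute(
        "SELECT count(*) FROM wp_forum_posts WHERE author_id = ?",
        (user_id,)).fetchone()
    return row[0]


def demo():
    db = make_db()
    results = {"benign_vulnerable": count_posts_vulnerable(db, "1")}
    try:
        count_posts_vulnerable(db, LOGGED_USER_PARAM)
        results["logged_vulnerable"] = "executed"
    except sqlite3.Error:
        # Same outcome as the errors quoted in the post: the injected
        # UNION reached the SQL parser.
        results["logged_vulnerable"] = "database error"
    try:
        count_posts_hardened(db, LOGGED_USER_PARAM)
        results["logged_hardened"] = "executed"
    except ValueError:
        results["logged_hardened"] = "rejected before query"
    results["benign_hardened"] = count_posts_hardened(db, "1")
    return results


if __name__ == "__main__":
    print(demo())
```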
