Secure Apache configuration for WordPress & SSL

Apache runs nearly 50% of all active websites

Recently I moved the hosting for keithRozario.com from a regular hosted platform called WPWebhost to my own virtual machine on DigitalOcean. The results have been great, but the migration process was a bit tedious and took some effort.

I thought I’d share my Apache configurations, so that if you’re thinking of hosting your own WordPress site on an SSL server, you’ll at least have a solid base to start off from. I’m by no means an expert here, but this is what makes sense to me, and if you have any feedback please let me know in the comments.

So let’s start.

The new and improved keithRozario.com

Welcome!!

keithRozario.com has a new look, and I can hardly contain my excitement.

The blog still retains all its previous content and more glorious content will be on its way, for now take a moment to savour the brand new theme which hopefully is cleaner and easier on the eyes than my previous blog’s design. Also enjoy my complimentary TLS connection (notice the httpS connection instead of just http) which means you now have a fully encrypted tunnel from your browser all the way to my new server in Singapore, and to round things up, the blog should be much faster now that it’s hosted on its own dedicated server.

This blog started one slow day at work more than 4 years ago, when I decided to buy the keithrozario.com domain for my birthday (yes I give myself birthday presents), and from there I decided to host my own blog on an awesome web hosting company called nearlyfreespeech. Nearlyfreespeech are super awesome, and you can see why I love them here, here and here.

But Nearlyfreespeech was pretty bare bones, they expected you to do a lot of stuff on your own, which I didn’t have the skills or inclination to do, so 2 years into starting the blog, I moved to WPWebhost. WPWebhost bill themselves as a WordPress hosting service, which I took to mean they’d look after all my WordPress hosting headaches, but alas I was still expected to perform my own updates and troubleshooting, which really didn’t make it any different from the 101 other hosting providers that didn’t bill themselves as WordPress hosting.

So I decided to make a switch.

I wanted to get back full control of my blog, and I truly wanted to set up a website with SSL. I’ve been a long proponent of SSL, as you can see from my previous posts here, here and here, and so it didn’t make sense that I was preaching SSL on the one hand, but not implementing it on my blog.

But there’s a problem, implementing SSL isn’t as straightforward as you’d think it would be, but in order to practice what I preach, I bit the bullet, took a couple of hours out of my day and just went ahead and did just that.

Part of the difficulty in implementing SSL was that most hosting providers don’t give you the SSL option (at least not cheaply), so you’d normally have to buy your own server and implement SSL on your own from the ground up. Implementing SSL was a one-time thing, but maintaining your own server takes more time and effort than most bloggers are willing to sacrifice.

This meant I’d spend a teensie bit more time on the administrative task of running the server, rather than focusing on writing content for the blog, and for most non-tech bloggers it really doesn’t make any sense. But I AM a tech blogger, and I’d like to take myself seriously (even if no one else is).

So I got an account at DigitalOcean.com, they’re a pretty decent cloud provider currently making waves in the cloud computing arena (see what I did with the puns there). They’re cheaper than Amazon, and their products are more clearly and cleanly priced, if you wonder what clean pricing is, just try to figure out how much hosting on Amazon will cost you, and then you’ll know.

Spinning up an Ubuntu Instance of WordPress on DigitalOcean took me less than 60 seconds, but migrating all the stuff from my older blog, and fixing all the errors and issues that were piling up since I started this blog took much longer.

Let this be a lesson to you bloggers, avoid using short-codes, and avoid installing too many plugins on your website. Less is better, and ultimately a lot of plugin related features aren’t needed anyway.

In any case, for $5/month, I get to host my website on my own server, which has 1 CPU Core, 512MB of RAM and 20GB of SSD space. You could opt for more power by jumping to $10/month, but my blog with 30,000 unique visitors a month is getting by just fine on this small machine. Plus since the resources all belong to me, I get better performance than my time with WPWebHost where I was on a shared server.

In a future post, I’ll show you how to set up SSL on DigitalOcean the ‘proper’ way. For now though, thanks for stopping by, and if you have any bugs/comments on the new design, fire away in the comments below.

The WhiteHouse Petition, and what it means

The US Government hosts a really cool website called “We the People”, that lets users petition the US Government for various things. It’s a cool website, because you get really cool requests on it.

For instance, in 2013, more than 34,000 people petitioned the US government to “Secure resources and funding, and begin construction of a Death Star by 2016”, which triggered a response from the Government that was one part Star Wars Fanboy-ism, and one part Science lesson.

Those were exceptions though, the vast majority of petitions are political in nature, with the most popular petition requesting the US Government to formally press charges against 47 Members of Congress for their role in undermining a nuclear agreement with Iran.

So it was natural that the former US Ambassador to Malaysia, John Malott, created a petition to “make the release Anwar Ibrahim a top priority for US policy towards Malaysia”. This petition was then picked up by the likes of Lim Kit Siang and began garnering significant attention from the Malaysian online community.

The day they censored me

Last week was a pretty exciting week for me–it was my first time on TV.

A TV show called VBuzz that was hosted on Astro Channel 231 called me to be a guest to talk about Cyber Security, obviously I make it a point to try new things and let’s be honest….how many of you would turn down a chance to be on TV? I mean this is Television, if you’re on it you must be good right?! Even if it is a Tamil channel, and it’s on at 9pm, I thought this would be exciting…and it was!

Anyway, they scheduled me in for a show on Tuesday, and I happily took some time off work to go down to their studio and all was really great. Until….

The first thing they told me was that I couldn’t talk about the recent MAS hack, because they were afraid. The obvious question I had was: afraid of what? Apparently, MAS was a Government Linked Company, and they couldn’t talk bad about a GLC for fear of losing their license. Now I had no intention of talking bad about MAS, just trying to help people understand what happened in the hack, but they were still afraid. So OK, you can still have a 15 minute conversation about cyber security without talking about MAS…no problem.

So I got my ‘HD’ make-up on, because High Definition recording captures so much detail of your face, that they need special make-up for it. I found that quite amusing, plus I never knew so much effort and co-ordination went into making a production like this.

We started off with ‘easy’ topics like cyber criminals and hacking incidents, and the conversation was light and flowed pretty well, but then (according to plan) we veered into cyber warfare, which was a topic I was deeply into over the last few weeks. And out popped a question like “What can governments do to ….” to which I responded that “Governments were the biggest perpetrators of the crime”. This didn’t sit well with the producers or the writers, and at the end of the show we did a re-take of that bit, censoring out my statement, which I maintained wasn’t just true, but totally consistent with the entire show.

Jho Low uses Gmail? Why emails can’t be considered evidence

As the 1MDB fiasco begins to simmer over the political stove, I wanted to inject some technical information into this discussion, specifically around emails and how they’re almost useless pieces of evidence.

Just to make sure everyone’s on the same page, here’s some context.

In early March 2015, sarawakreport.org, a website run by investigative journalist Clare Rewcastle-Brown together with the London Sunday Times, published an article on a controversial deal done by the 1MDB fund. At the centre of the deal was a man named Jho Low, who masterminded a sophisticated ‘wheeler-dealer’ that pocketed him $700 Million, all of which (at least according to sarawakreport.org) was siphoned from 1MDB, a Malaysian sovereign wealth fund.

Honestly, I don’t understand the financially complex deals that sarawakreport.org was trying to explain to lil ol’ me. So I’m just going to take her word here, that all the documentation that was produced leads to the conclusion that Jho Low masterminded the “Heist of the Century” by stealing $700 million through shady back door deals involving 1MDB and a company called PetroSaudi. But then of course, the question becomes, can you trust the documentation?

Reading the article you get the sense that the e-mail trail presented forms the backbone of the entire story, and if the emails themselves are not true then the entire story is untrue as well.

In either case though, let’s get straight to the point, and say that e-mails by themselves are quite useless.