Annual Filing Division Scam

First there was Annual Review Board. Then there was Business Filings Division. Now there is Annual Filing Division. How many more will there be? None, if LLC owners simply ignore these bogus payment notifications. Save your money, and file your Statement of Information (Form LLC-12) directly with the Secretary of State when it is actually due. The Attorney General can't help you if you've already paid. Please review all solicitations carefully so that you don't end up being a victim.

LLC Registered Agent

California's Secretary of State requires that each LLC designate a registered agent (or agent for service of process), who will accept summonses or other court papers in the event of a legal action. Failure to comply with this requirement could result in a costly default judgment. Companies operating in California are not allowed to act as their own agents, so this is yet another cost of doing business in the Golden State.

We formed our LLC using LegalZoom, whose LLC packages include one year of registered-agent service. We considered renewing with them, but they charge $159 per year (or $144 per year for a two-year renewal), which is more expensive than many other agents. For example, we received a solicitation from Patel & Alumit, who charge only $50 per year.

The Secretary of State provides a list of private service companies, which is too lengthy to serve as a useful starting point, but can be used to verify that a company can legally serve in this capacity. I found this blog post and this site to be good places to start a search. We selected InCorp Services because of their price guarantee, track record, and Web offerings (i.e., entity management system). They charge $99 per year, but they will match the price of any other registered agent in the same jurisdiction. I called their 800 number and confirmed that this is, in fact, the case. Bonus: If you register through this site, the first year is free!

After hiring a new registered agent, you will need to notify the Secretary of State by filing an updated Statement of Information (Form LLC-12). If you file the updated form outside the normal filing period*, the $20 filing fee is waived, which was the case for us.

_______

*The normal filing period for an LLC occurs every other year during the calendar month in which its original Articles of Organization were filed and the immediately preceding five calendar months. For example, we filed our Articles in October 2008, so our next filing period will be May through October 2010, during which time we must file a new Statement of Information to comply with the biennial requirement.

Business Filings Division Scam

Different name, same scam. The payment notice we received from Business Filings Division is virtually identical to the one we received from Annual Review Board six months ago, with the following exceptions: The address and phone number are in Sacramento instead of Los Angeles, the seal in the upper-left is slightly different, the words "Please Print Clearly!" have been added, and the price has been increased from $228 to $239. If you received a similar notice, please continue reading.

For those who need a primer on the Statement of Information (Form LLC-12) and its filing requirements and cost, please review this post. The upshot is that the actual cost of filing this form is $20, and it must be filed once every two years, no later than the month in which you filed your LLC's Articles of Organization. Part one of the scam is charging you 12 times as much to fill out their form instead of the actual form. Part two is demanding payment when the Statement of Information is not actually due.

For additional information, please consult the California Secretary of State's warning about solicitations that target LLC owners.

Drupal Security, Part 3

After hardening our Web server, I revisited the subject of hardening Drupal. There are many topics to consider, but the single most important is keeping modules up to date. In the default configuration, Drupal periodically checks for available updates for installed modules; heed any warnings on the administrative status-report page by upgrading indicated modules as soon as possible. It's a good idea to subscribe to Drupal's security news email list or to follow Drupal security on Twitter in order to receive timely alerts.

The official Drupal site features a wealth of information on how to set up a secure site. The chapter on best practices and the section on secure configurations are good places to start. Once those concepts are incorporated, the next step is to install any appropriate security-oriented modules, such as login security and persistent login. There are currently over 100 such modules available, so it could take a while to determine which are best suited for a particular application. Invest the time.

Before writing any modules or adding PHP code snippets, read the chapter on writing secure code. It covers the common vulnerabilities and how to correctly use the various Drupal APIs to avoid them. The chapter on coding standards is also useful.

Thorough testing during development is critical, and scanners can play an important role in ensuring an application is secure. Drupal modules such as security scanner and outside projects such as Grendel-Scan are available to provide automated penetration testing.

If all of this seems like a lot to absorb, then I recommend reading Cracking Drupal. In this book, Greg Knaddison discusses the various security concepts and how they specifically apply to Drupal. The book is well-organized, and features many useful examples and recommendations. I read the book as a Drupal newbie and then again after a few months of coding, and I learned something from it each time. For me, the scattered nature of the documentation on the Drupal site left me wondering if I was missing anything important; having all the information in one place, however, has given me a well-structured, coherent view of Drupal security.

Linode VPS Update

I've finally finished configuring and hardening our new Linode. Actually, "decided to stop" would be more accurate than "finished" because there is always more that could be done to improve a server's security. The law of diminishing returns definitely applies, though, so you'll have to balance your level of paranoia with the amount of time you can dedicate to the task.

As I mentioned in my previous post, installing a LAMP stack on a Linode is quick and easy. The hardening process is where the fun begins, especially if your sysadmin skills are a bit rusty (or non-existent). The biggest problem is finding information that is current, correct, and applicable to your individual needs. The official documentation for each of the LAMP components is mostly current and correct; however, reading through hundreds of pages to find the parts that are applicable to your situation is definitely time-consuming—even for Evelyn Wood graduates. At the other extreme, there are thousands of Web sites that offer applicable configuration advice, but finding ones that are both current and correct is a real challenge. In most cases, my solution was an amalgamation of various approaches drawn from individuals' documented experiences, which I checked against official references and corrected or improved where necessary.

For me, the hardening process followed the Pareto Principle: I completed about 80 percent of the process in about 20 percent of the time. Completing the final 20 percent was often tedious, occasionally frustrating, and dragged on and on. Nevertheless, I am glad I stuck with it. The time invested now will hopefully save us much more time in the long run.

Being in charge of your own security is one of the drawbacks of using a VPS or dedicated server because of the extra work required; however, it is also a benefit because you can go far beyond the security offered in most other types of hosting services, which must accommodate a wide range of applications and configurations. It's a trade-off that depends on many variables, so you'll have to evaluate your own situation carefully. Just don't fool yourself about how secure your server really is.