Rusty's Blog

Usually.

Oh, the world is far from perfect, and this really isn’t a significant’ step along that path, but hopefully it simplifies things in the long term.

About a month and a half ago, or two months ago, one of The New York Times advertisers was hacked. Their servers were used to propagate some windows specific virus or another. I don’t know that this is the source of the infection that afflicted my dad’s computer, but I do know that his computer did get infected with a virus of some sort.

I’ve heard some people claim that they can clean up any infected Windows computer. Whether I believe them or not, Is not important. I certainly won’t make that claim, and more specifically I won’t make such a claim of being able to do that over half a continent.

There were three choices. 1 my dad could take his computer to a shop some place and have them clean it up. Best buy would certainly be willing to help him. for a fee. If you think about it, the fee involved almost puts him at a place where he could just as easily give them the computer as a gift, and buy a netbook in place of it. And he is curious about netbooks, more on that later.

The second option was that he could send it to me. I could see what I could do, which probably was not a whole lot, and I could send him back his computer with the possible effect that I just gave him back an infected computer. I’m not a big fan of that.

Or I could introduce him to Ubuntu.

I took advantage of a program that has been essentially a part of Ubuntu from day one, but which is changing this next release, which allowed me to go to a web page and get a copy of Ubuntu shipped to my dad for free. This took a couple of weeks, but he was more than happy to use the local public library a few times, and he waited. If he had shiipped the computer to me, he probably would have waited longer anyway. He booted up the CD, and decided to install Ubuntu on his laptop.

The first time he used the free space on the end of the hard disk. Ubuntu will install in as little as 2 gig of space, but that doesn’t leave any room for doing updates, etc. In any case he had a chance to try Ubuntu for a week, and decided he liked it. From what I’m reading in my e-mail from him Yesterday, it sounds like he went ahead and reformatted the hard drive and is now running Ubuntu only. He has decided to put off buying a netbook for the time being.

Before anyone starts claiming that he’s in little better of a position now than he was before, I’ll note that actually he is in a better position. He’s installed for himself a distribution of Linux. I don’t think he ever installed Windows himself. He didn’t need help from his internet provider to get in the internet once Ubuntu was installed, he did under windows. If things go wrong, he can always re-install from that CD now, compared to having to send a computer to a shop, that is a significant savings for him.

Is it possible to get a computer virus under Ubuntu? Sure. Ubuntu supports Wine, and as a result can run many Windows specific programs. Of course Windows specific Viruses are a sub-class of windows specific programs, and many will run under Wine. However the default install of Ubuntu does not include Wine the last I checked, so that’s not exactly a tremendous vector for him. Likewise the default install does not include Flash, so that vector is tentatively out. About the only thing that’s left is Linux specific viruses. There are a couple on the loose, but they seem to be targeting servers rather than desktops, and the default install of Ubuntu desktop does not include server software (A couple of peer-to-peer apps, but not servers.) So for the time being that’s not a significant worry. We should have time for me to walk him through getting a decent anti-virus installed and running. We’ll see.

And no, my experience with having a hacked WordPress blog doesn’t impact this either. That was primarily specific to versions of wordpress, and did happen on multiple platforms.

About half a year ago my dad picked up a story from some place where the theme was ‘just enough is enough.’ The idea was the same as you might find in a kitchen, in a car, or any of a wide variety of areas, but it is reasonably easy to explaine to many computer users with the idea of the netbook. And that idea is if the computer you use does the things you need it to do, then it is sufficient for your needs, and you don’t need to go beyond it. If all you need to do is stuff you can do using google docs, google, bing, amazon.com and other online resources, then it doesn’t suggest you need a computer that will run the latest games. It suggests that you very well may be able to get along on nothing more than a netbook pc.

I’m personally inclined to think that my dad has taken that to the next level. If that’s all you need to do, and the computer you have will do it, there’s no need to go out and buy another computer, not even a netbook. Getting Ubuntu on his computer gave him the tools to do all that he is looking to do. So it is enough.

No I am not suggesting that this solution is perfect for you specificaly, or anyone else. I learned a long time ago that there are a large number of variables involved in getting the appropriate sollution for each person. And while ‘just enough’ is enough for my dad, I go through a lot more resources each day computer wise than he uses in a month. Ubuntu works for me as well. It might work for you, or it might not.

When or how will I know for sure that Ubuntu works for my dad? When he convinces my sister to switch.

Well, I’m close. You probably can’t easily tell, but I’ve updated the core blog software for my blog.

Both ‘about time’ and ‘good thing’ apply. In the process I did find my blog had been hacked.

I use WordPress as my blog software here. The edition I was using was one of the last releases that did not have a built in update button. The last couple of releases, 2.8.4 and 2.8.5 have been ‘hardening’ releases. These are versions that make it harder for hackers to break into your wordpress blog and do things like delete previous posts, add or delete users, or even edit posts.

One of the most famous incidents of this nature is the blog that Robert Scoble writes. Apparently whomever has been compromising or hacking into wordpress blogs decided that that might be a good blog to do some rather offensive things to, such as delete all the blog entries for him.

For the most part my wordpress update was smooth. The thing that has been of concern was backing things up. I’m a big fan of ’simple’ and the first thing that I could see when looking at the instructions for backing up the wordpress database was that they were not ’simple.’ Granted I didn’t look far enough into the process. Once I did I saw that there was a 1 line command I could use to do the job. No installing extra software that I hadn’t worked with before, etc.

As I was re-enabling a plugin, a new feature showed up that I hadn’t seen before. Checking what the feature gave me, I ended up ’spotting’ a user I didn’t recognize. So I went to ‘Users’ and Hmm. there sure are a lot of users here, and none of them appear to be this user.

I actually suspect that the bigest use of the hacked admin account has probably been to create users that can then be used to authorize users at places that ‘check’ to see if you have a valid account some place. In any case I certainly didn’t recognize any of them, and since I do not allow people to create accounts for themselves, away they went.

But no, that didn’t delete the hidden account. That was going to take a little bit more work. For that I ended up having to do a bit of searching. I ended up at http://reports.graymattergravy.com/2009/09/06/remove-hidden-admin-users-in-wordpress/ where the writer has very sucinctly demonstrated how to delete a hidden admin user.

Will that be the end of it? I don’t know. It should be harder to break into the new version, but if someone broke into this, it’s possible that they (or someone else) broke into another system I use. Fortunately (theoretically) much of the underlying code that the wordpress software ran on should be up-to-date, and hopefully reasonably secure, but there are a few things I will have to check out now.

All of the users, except the stray admin users, that I deleted were ’subscribers.’ As one of the questions in the deletion process went, I was asked if I wanted to delete their submissions as well. Yes.

I have at least one person who reads and occasionally comments on my blog. I was concerned that their posts may have been lost. They were not.

The remaining item I have to deal with is getting google analytics hooked up again. I’ve had a bare bones hit count running against my blog for a while. It’s racked up what I consider to be a respectable count of reads of my blog. However I really didn’t have a way of knowing anything interesting about the readers. Hopefully that will change shortly.

…90% to go.

I posted a half humorous note on my facebook page Friday (or was it Saturday morning?) that had a list of tasks I wanted to do this weekend. Asside from a bit of formatting, I’ve gotten what I think should be the most important part of the list done.

One of the problems I have at work is that I can’t exactly launch any IM client and start chatting with people. I have a few philisophical problems with the Microsoft Communicator client at work. But am happy to use it for the most part. The biggest issue I have is that you can’t update contact information to display a custom identifier for someone. If it isn’t published in the domain the way you want it to appear, too bad so sad. Oh, I understand some of the reasoning behind that. No labeling your boss the ‘idiot in charge’ and stuff like that. But if there are two John Smith’s in your business, it can take significant additional knowledge to confirm that you have selected the right John Smith to send a message to. If you know that one of them preferrs to be called Jonathan, it makes sense to be able to put that in an alias for the user in the IM client. But that’s locked out at the moment. I’m not holding out a lot of hope that it will change either.

However that’s still not the significant issue for me. The real issue is that I can’t connect to the resources I would like to. Particularily my own jabber server.

So I have had to come up with a kludge. And the first half works for now.

The kludge is that I have put together a monitoring client for my jabber server that attaches as one of my resources, and simply collects each IM that I receive, and tosses it into a tab separated values file. (I’ve had issues with comma separated values in the tool that I use to read the messages, so rather than fight with them, I’ve set up the tool to work with me.

The other issue I’ve had over the years or so has been that I’m never really sure what happens to an IM sent to me while I am away, or if I get something and the client dumps for some reason. This way I should get a reasonably comprehensive copy of my IMs while I am otherwise occupied. In theory I could set up the client so that at any time I could pull up a list of messages on another session, sort of using it as a secretary within jabber. Who knows, I may just do that at some point. Not tody though.

On top of that I needed a way of displaying those messages. I have that now too. I was able to use some of the code I wrote a while back. Ok, I basically grabbed something out of a php tutorial at some point, and I’ve been re-arranging things ever since. In any case I revised the code again, and now I can view the contents of the capture file. Basicly the tool I’m using displays the contents of the formatted text file in a table.

Things ain’t quite perfect yet. The script crashes out on unicode character issues, which I’m not sure I have a good way to get arround, but until it dies, I can at least see most of the messages I get.

The second half of that list should be easier. Well, the actual sending of messages will be. However I am not building the sender code without adding some security wrapper to the system. That URL will need authentication before it should accept a message to send. The reality is that I need to build the authorization and authentication system in such a way that it can not easily be spoofed. One of the problems with the easiest sollution I can come up with is that I don’t know if there is a way to maintain authentication without adding some sort of SSL or https sollution to the mix.

This is a ’solved problem’ you may be saying. Use https or ssl. Not so fast. First of all I need to build the platform so that I can get such a solution through the firewall at work. Not necesarily trivial, however that on it’s own is not a serious problem. The greater problem is that to use the appropriate ports on my server, I need ot abandon features that I very much do not want to abandon. so not so easy.

The next obvious sollution is to use gpg to encrtype the user credentials and then base 64 encode the encrypted credentials and send that off as a cookie that can be asked for at any time. The problem here is that with the exception of a user on a public internet server, the encrypted credentials could be used by anyone on a nat traversing link. Capture the cookie with airsnort or the like, and you suddenly have everything you need to look like me to my server. So that’s not a solution I’m happy with.

I suppose I could implement a variation of a kerberose solution. Point the user at a third party location for logging in using a ssl or https session there, then that system provides a token back to the local web server that is provided to the user’s workstation in a cookie that is only good for a few minutes, and the user needs to re-authenticate again if they exceed that time. A varriation would be to only allow the user to post if a persistent authenticated secure session exists with the third party server. (separate tab or window that could be minimized) One possible variation would be to build in open-id/open-auth. I’m already using that at one level for this blog, however I’m not sure that either have a system that works well with passing arround jabber credentials securely.

I don’t think I’m going to get that part of the solution implemented this weekend.

Oh well.

…or things not to do while blogging.

Ok, this isn’t strictly things not to do, there are things that can be done as well in the list.

1. Never blog in anger. – If you must rant, and at times you may decide that you have too, let your anger settle down first. You never want to have to go back and say ‘I really shouldn’t have said that, I can see that you might have taken it personally now, and you’re a person I would rather didn’t take that personally.’ Spend time, do the research. If you write something that could be taken personally, make sure that it’s the thing you want to have taken personally.
2. Try to be creative and complimentary about things. – ‘Due to the high concentrations of energy in the supersized meals at various Scottish named fast food purvayors, the average american is now walking around with more stored energy than at any time in American history.’
3. When being critical, come to the point, and don’t flower it up. – We’ve all seen them the movie review that just goes on and on about pretty much the entire movie, and ends with a ‘don’t bother to see it.’ statement at the end. The only real effect of the review is to use up that daily quota of words that the review has to get written. If you’ve seen this variety of review from a movie critic in the past, save yourself some time and go to the final paragraph.
4. A ‘good’ blog is focused. This applies to the over-all blog that is being maintained. I’m not saying that my own blog is any sort of an example of this, pretty much about as contrary as you can envision. But then as you might expect, I don’t claim that this is a ‘good’ blog either. I tend to write about whatever comes to my mind. At times that may be of interest to you, at others, probably not. If you are hanging on every word I write, you’re being even more obsesive than I am about my writing.

Who knows this may be a recurring theme.

Since I started blogging with word pad, I have been somewhat currious as to how many times my page is being read. Surely I’m not the only one. Well, apparently as far as the WP people and community is concerned, it’s not all that important. So today I added a couple of functions to my users.php include to be used by my template’s footer.php file to display a rudimentary hit count. And when I say rudimentary, it’s pretty basic. No bouncing balls with the number, no per article counts, etc. All it does is display and update a bit of text you will see at the bottom of most of the pages here in my blog.

It’s not something I am going to advertise all that much. First of all the counter file is written into the function which means it is not easily re-configurable. It also means that it will probably be broken the next update I do to the blogging software. Variations on the theme include referencing a record in a database, keying off the story title in the requested URL to give article specific counters.

If I were doing this in python rather than php, I would probably just have one function. The process is open a file for read and write. read the content of the file. (which should be a number.) display the number. (which may include additional text wrapped around it, such as ‘Viewed :” “times.”) increment the number, and write it back into the file. I might be able to do that within php all as one function, but I figured that if I used an existing pair of functions, it would simplify things a bit. Additionally I can write a script at a later date to reference the write function and reset the counter to 0 at any time. Say perhaps any time I add a blog entry.

Well, time to get some cleaning and re-aranging done.

-Rusty

June was a rather busy month, and I didn’t get all that much written down. I learned a bit, here and there, and some of tha tmay be interesting to others. That said, these are a few of the things I would like to write about over the next couple of weeks.

• Building a video screen for under $50 – I can do it for a lot less now, but I’ll explain more later.
• writing an information kiosk tool from ’scratch.’
• High speed hardware replacement – I had a laptop that decided that a shower was not in it’s best interests.
• Field Day – I’m an Amateur Radio Operator, we do some strange things
• Riding – this is actually going to be several posts
• Dogs
• Friends and relationships – I’m not currently in a relationship, though there are people I’m interested in, so who knows.
• Toys – not necessarily kids things

There are some things that I won’t be talking about. Work is at the top of the list. I may be using some of the skills I have developed at work, but this blog is not some place I want people to rant about the company I work for, or how far behind we are in this or that.

Hey that looks like a ‘lot,’ but really isn’t. Time to get going I think.

~Rusty