One of my favorite tools has been updated. It alludes to the possibility of integrating Writer with two services and technologies I have been looking at, Flickr and Lightbox. I was almost motivated enough to try my hand at writing a plugin a while back. The most obvious change is that the interface has been revamped. I have looked but I cannot find how Lightbox gets integrated. The Insert Picture dialog has a web interface. I will check out the web interface to Flickr shortly.
Picks and Pans for pfSense packages
Recently I installed the pfSense firewall and have started to check out some of the packages that make pfSense such an interesting firewall platform. Without going into too much detail, here are my impressions of several packages.
- NMAP – It kind of worked for me when I accessed it via the web server. It locked up the pfSense web server a couple of times. It worked fine for me via the command line and the Command page.
- NTOP – I had not heard of this package before but I was impressed. It had lots of information about my network. Some of the information was actually useful. I am keeping tabs on my son’s Internet usage. With all of this info I kept expecting the computer utilization of pfSense to go through the roof. It did not. Whew!
- SNORT – I did not get this package to work. It installs but the service does not start and it had problems downloading rules. I am guessing the rules issue might be related to the fact that the package was version 2.7 and the current rules are 2.8. I saw in a forum where several people were having problems running the package on pfSense. I manually uploaded a rule to see if I could start the package. It still did not start. Since I did not see any log messages, I decided it was not worth proceeding. It is hard to debug problems when you have logging turned off.
- EXEC.php – This goes under the name of Command. It gives you the equivalent of a command prompt and it is for those of us who do not want to crank up SSH for every little thing. It is not a “package” and its disclaimer says it is not supported. However, it worked better for me than the supported packages. Go figure! I used it to verify that NMAP was working. It was a helpful tool to work with SNORT, too.
- Internet Explorer – You need a SVG viewer plugin to view the traffic graph. I used Adobe’s version. The drop down navigation menu is quirky with IE. It opens and closes before you select an item. In IE the navigation menu is blocked by the traffic graph. I might try and fix this.
More Thoughts on numbers used once (i.e. nonce)
Although I still believe what I wrote earlier, that the use of wp_nonce in the last steps of the WordPress Automatic Upgrade plugin is an unnecessary precaution, I am puzzled why it did not work. According to Mark’s post on nonces, in theory this "number used once" should still be valid if you are forced to log in again. Here is what he wrote.
They are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid.
I guess that if we work through the logic, the only thing I can see that has changed is that the user has logged in again. I must conclude that it is identifying the user by something other than the username. Hmm… This is a puzzle.
WordPress › WordPress Automatic upgrade « WordPress Plugins
I have been using this plugin for almost a year. When it works it is great! When I upgraded to WordPress 2.5 I started having a problem with the final two steps, reactivating the plugins and going to the final page. Before I could activate the plugins I had to upgrade the database. Then I had to log back in to the blog. At this point the automatic plugin was lost and gave me a screen with "Are you sure you want to do this?" All the plugin could do at this point was to clean up the installation. I had to manually activate my plugins.
Today I figured out that if I remove the wp_nonce stuff at the end of the line I could get the automatic upgrade plugin to continue. Wp_nonce is a security feature. I think it is primarily used with forms but it can be used with links. About the only source on this function is the Writing Secure WordPress Plugins post by David Kierznowski. I think when I have to log back into WordPress, wp_nonce thinks I am breaking in and slams the door shut. From a plugin design standpoint I am not sure there is a need for this type of security at this point since all I want to do is activate my plugins and get my log report. I guess I will comment out lines 392-394 so the plugin will work.
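The nonce properties quoted from Mark’s post (install, user, action and object, 24 hour window) and the re-login puzzle above, modeled in Python. This is an added example, not WordPress’s code: the tick length, secret key and helper names are assumptions chosen to mirror the scheme WordPress 2.5 used (a half-day tick, action plus object id, numeric user id, 10 hex characters of a keyed hash).

```python
"""Simplified model of a WordPress-style nonce (added example, not WordPress code)."""
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-key-for-demo"  # stands in for the site's SECRET_KEY
NONCE_LIFE = 24 * 60 * 60                         # the 24 hour window from the quote
TICK_LEN = NONCE_LIFE // 2                        # two 12 hour ticks make up the window


def nonce_tick(now):
    """Tick counter that advances every TICK_LEN seconds (ceil division)."""
    return -(-now // TICK_LEN)


def _token(tick, action, user_id):
    """Keyed hash of tick | action+object | user id, shortened to 10 hex chars."""
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(action, user_id, now):
    """Bind a token to this install (secret), user, action+object and time tick."""
    return _token(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now):
    """1 if made in the current tick, 2 if in the previous tick, 0 otherwise."""
    tick = nonce_tick(now)
    for age, candidate in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(nonce, _token(candidate, action, user_id)):
            return age
    return 0


def relogin_cases(now=1_200_000_000):
    """Walk the inputs one at a time: only a changed input invalidates the nonce."""
    action = "activate-plugin_hello.php"   # action plus object, as WordPress does
    nonce = create_nonce(action, user_id=3, now=now)
    return {
        "same user after re-login": verify_nonce(nonce, action, 3, now + 60),
        "13 hours later (previous tick)": verify_nonce(nonce, action, 3, now + 13 * 3600),
        "25 hours later (window expired)": verify_nonce(nonce, action, 3, now + 25 * 3600),
        "different user id": verify_nonce(nonce, action, 4, now),
        "different plugin (object)": verify_nonce(nonce, "activate-plugin_other.php", 3, now),
    }
```

Logging in again does not by itself change any of the hashed inputs, so in this model the token stays valid; a failed check means the user id, action, object or tick seen by the verifier differed from the one used when the link was built.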
Cutline 1.3 Released | Cutline Theme for WordPress
I upgraded to WordPress 2.5.1 today and my old theme broke. I have been looking at Cutline for some time but I have not been motivated enough to commit the time. Today I had the motivation. I am really pleased that I had it ready to go in about thirty minutes.
WordPress 2.5 Secret_Key Vulnerability
Wow, I did not know about this security feature in 2.5. I did not have the ‘SECRET_KEY’ defined since my WordPress sites were upgrades. Since I prefer to follow the Secure WordPress recommendations and missed that section in the paper, I added a random key to all of my sites. The key does not cause any ill effects. Read the original post, WordPress 2.5 Secret_Key Vulnerability, for more details.
Expanding a RAID1 array with bigger disk drives
Problem: You have an existing RAID1 array and now you need more disk space. You have purchased two identical 300 GB disk drives to replace the existing 147 GB disk drives. What is the quickest way to replace the disk drives with the least amount of down time?
Answer: I ran into this situation this week. The easy part of the answer was to replace one disk drive with a new 300 GB drive and let the RAID controller synchronize the drives. Then you replace the last 147 GB drive with the other 300 GB disk drive. The hard part of the question was whether you could partition the remaining disk space into a logical volume without rebooting. The answer is yes. It took about two and a half hours to mirror the first disk. During the first hour Exchange was really sluggish. For the next hour and a half the response time was okay. It took about an hour and a half to mirror the second drive. The response time was okay during the entire mirroring operation. When the mirroring was complete I used the Compaq/HP disk array software to check the disk drives. My research on the Internet said that it was unlikely that the disk array software would show the disk space that was not part of the existing RAID1 array as being available. I was mildly amused to see that it showed that 292 GB was available (i.e. 146 GB per drive). I used the disk array software to create a 146 GB RAID1 volume. When I went into Disk Management I could see 146 GB was available to be partitioned and formatted. Except for the first hour of mirroring this whole operation was pretty painless and did not require a reboot.
ISS X-Force Database: icmp-timestamp(322): ICMP timestamp requests
A PCI audit point I saw recently recommended that servers not respond to ICMP timestamp requests. For externally hosted web servers this probably means asking your hosting provider to implement a rule on their router to block ICMP packets of type 13 or 14 with a code of 0. I haven’t tried this, but it should allow normal maintenance packets (e.g. ping) and prevent echo tests using timestamp requests.
Description:
The target computer responded to an ICMP timestamp request. By accurately determining the target’s clock state, an attacker can more effectively attack certain time-based pseudorandom number generators (PRNGs) and the authentication systems that rely on them.
Platforms Affected:
- Apple, Mac OS
- Cisco, IOS
- Data General, DG/UX
- HP, HP-UX
- HP, Tru64 UNIX
- IBM, AIX
- IBM, OS/2
- Linux, Linux
- Microsoft, Windows 98 Second Edition
- Microsoft, Windows 2000
- Microsoft, Windows 2003
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows Me
- Microsoft, Windows NT
- Microsoft, Windows XP
- Novell, Novell NetWare
- SCO, SCO Unix
- SGI, IRIX
- Sun, Solaris
- Wind River, BSD
Remedy:
Configure your firewall or filtering router to block outgoing ICMP packets. Block ICMP packets of type 13 or 14 and/or code 0.
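The filtering rule described above (drop ICMP type 13 and 14 with code 0, keep echo request and reply for ping) expressed as a Python classifier over raw ICMP messages. This is an added example, not part of the ISS entry or the original post; the sample packets are constructed inline and the checksum routine follows RFC 1071.

```python
"""Classify raw ICMP messages against the timestamp audit rule (added example)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the whole ICMP message (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, payload):
    """Assemble type, code, checksum header plus payload with a correct checksum."""
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + payload


def filter_icmp(packet):
    """'drop' for timestamp request/reply code 0, 'allow' otherwise, 'malformed' on bad checksum."""
    if len(packet) < 4 or icmp_checksum(packet) != 0:
        return "malformed"
    icmp_type, code = packet[0], packet[1]
    # Timestamp messages (RFC 792) only define code 0, so this matches the rule as written.
    if icmp_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and code == 0:
        return "drop"
    return "allow"


# Constructed samples: timestamp payload is id, seq, originate/receive/transmit
# (milliseconds since midnight UTC, the clock state the advisory refers to).
TIMESTAMP_REQUEST = build_icmp(ICMP_TIMESTAMP_REQUEST, 0,
                               struct.pack("!HHIII", 0x1234, 1, 43_200_000, 0, 0))
TIMESTAMP_REPLY = build_icmp(ICMP_TIMESTAMP_REPLY, 0,
                             struct.pack("!HHIII", 0x1234, 1, 43_200_000, 43_200_005, 43_200_005))
ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1) + b"ping")
ECHO_REPLY = build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1) + b"ping")


def classify_samples():
    """Run the rule over the constructed packets and return the verdicts."""
    return {
        "timestamp request": filter_icmp(TIMESTAMP_REQUEST),
        "timestamp reply": filter_icmp(TIMESTAMP_REPLY),
        "echo request": filter_icmp(ECHO_REQUEST),
        "echo reply": filter_icmp(ECHO_REPLY),
    }
```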
.htaccess changes can break LiveWriter
Recently I changed some of my sites to not use the "www" on the front of the URL. It was a little tricky but I got it working right. The first part is to change WordPress to use the shorter URL. The second part of the change was to modify the .htaccess file. I found that the post, Comprehensive URL Canonicalization via htaccess for WordPress-Powered Sites, helped me the most. I checked it in a browser and everything looked fine. Much later I tried to write a post in LiveWriter and it did not work. It gave me the following error message.
blogger.getUsersBlogs method received from the weblog server was invalid
After a little debugging I figured out I could get rid of the problem if I refreshed my account settings for the web sites with the new .htaccess file. I guess LiveWriter is picky about the web site URL.
Server 500 error, Codeplex, and ISA 2004
I recently tried to visit Codeplex and got an error page with a Server 500 error. It did not take too long to figure out that there was a configuration problem on my firewall, ISA 2004. There were several proposed fixes, but the one that worked for me I found on a Techarena forum; it said to either turn on or turn off the HTTP Compression filter. I turned it on and it worked.
I think I had turned off the compression filter in ISA 2004 SP1 days. According to Lazyadmin HTTP Compression started working in SP2 and he has recommendations for configuring it in his post, Enabling HTTP Compression in ISA 2004.
BlogSecurity » Blog Archive » WPIDS v0.1.2 officially released
Recently while upgrading my WordPress blogs I installed WPIDS 0.1.2. WPIDS is an Intrusion Protection System, which is based upon the Intrusion Detection System PHPIDS. It is a nice plugin for those curious about WordPress security. In theory this should improve the security of my blogs.
For the last couple of days I have been monitoring its log. So far I have not found any false positives. It looks like it is blocking some comment spam. Most of my comment spam is caught by Akismet.
I am kind of fascinated with this plugin. If the developers are looking for ideas, it would be nice if:
- It would tell me if there is a new filter available. I am not sure how often the filter is updated, but with a little modification the plugin could update the file directly. WordPress would like updated plugins to be updated on their web site. An updated revision number for the plugin would then appear in the plugin panel. In a perfect world the user could then update the plugin automatically.
- The search stats button overlaid the standard report onto the admin page for the plugin. It is not very useful in this format.
- It would be nice if the report said why the bad request was blocked. I have several blocked requests showing something called “__utmz” in the tag field.
- It would be nice to download the report as a csv file.
- It would be nice to have a summary report by type of blocked request.
WordPress 2.5
I installed WordPress 2.5 last Saturday on all of the blogs I support. It had passed some preliminary testing on my development blog so I installed it. It is supposed to have increased security, better administrative panels, and the ability to upgrade plugins automatically. They say there are very few changes that will affect the plugins. It sounded like a safe upgrade so I upgraded. After a little testing I found that ImageManager 2.4.1 did not work at all. I am not sure when it stopped working since I do not use it often and I have alternatives.
While I was at it I did a little spring cleaning. I changed the blog to not use the www subdomain, changed the .htaccess file, changed the blog to use a more descriptive permalink, removed the register feature from the meta widget, and got rid of several old inactive plugins.
Installing Subversion? Just follow this 7 Steps « Lijin’s Localhost
Great post Lijin! Some time ago I struggled to figure out how to install Subversion on my WinXP box. The biggest difficulty I had was understanding what the folder layout for a Windows box should look like. I ended up using svn1clicksetup to get a standard layout. Due to issues between Subversion and Apache 2.2, I avoided using Apache for Subversion. SVNService worked just fine for me. Recently Subversion has been supporting Apache 2.2. With a slightly modified version of Lijin’s instructions I modified my XAMPP installation to support accessing my existing repositories via Apache. Here are my steps:
- Install Apache HTTP server if not already installed. I prefer installing Apache via XAMPP.
- Install Subversion and let it update your Apache configuration. In my case I was updating to the latest version. Here is my file layout:
- Install directory – c:\Program Files\Subversion
- Repositories – c:\svnrepos
- Apache conf file – c:\Program Files\xampp\apache\conf\httpd.conf
- Since my repositories are not accessible from the network, I did not create a user authentication file or an access rights file. I can do this later if I need it.
- In the directory "c:\Program Files\Subversion", create an etc directory and place in it a file called subversion.conf with the following contents.
<Location /repos>
  DAV svn
  SVNPath C:/svnrepos
</Location>
- Add Include "C:/Program Files/Subversion/etc/subversion.conf" to the Apache conf file.
- Restart Apache and test the repository access.
- I cranked up my favorite browser and went to http://localhost/repos. I saw my project directories.
- I created a new directory in the My Documents folder and checked out one of my projects using TortoiseSVN and the http://localhost/repos/project1 URL. It worked.
- Next I created a test file and added it to repository. It worked, too.
Opera@USB : EN & PortableApps
Okay, Markus said I shouldn’t do this but I installed Opera@USB on my USB drive and renamed a few files. I wanted Opera to appear as a menu item in the PortableApps Menu. Here is how I did this.
- First I created a directory under the PortableApps directory called, OperaPortable. You can name it anything you like.
- Next I installed the USB version of Opera into this directory.
- Finally I changed the extensions for operausb.exe and gsr.exe to com and changed the extension for opera.com to exe. You should see the pretty opera icon now.
The next time I started the PortableApps menu I had a pretty little Opera icon next to a title that said "Opera Internet Browser". It could not have been sweeter. I went to my web sites and they looked fine. The only way I have been able to crash Opera so far is to go to the acid3 test. 😉
DISCLAIMER: I do not use Opera on a regular basis. Your mileage may vary!!!
Automated WordPress Hacking Tool Cached by Google
I just finished checking my WordPress sites with both a dork and an FTP client. Google says that there are 29,000 infected sites. I guess that I was left out of the party since my WordPress sites are at the most recent stable release.
Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:
The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1″ to get them spidered and to get people to visit them.
Smackdown also has a nice blog entry about this issue.
DK
Wed, 26 Mar 2008 23:52:40 GMT
Favorite KeePass Trick
KeePass is a neat password management program, but the documentation is not clear on how to set up an entry so that it will use the same username and password with multiple web pages. As an example, with the following entry KeePass will auto-type the username and password on the login screens for Yahoo, Flickr, and Office Live.
Auto-Type-Window: Sign In to Yahoo*
Auto-Type: {USERNAME}{TAB}{PASSWORD}{ENTER}
Auto-Type-Window-1: Yahoo! Mail*
Auto-Type-Window-2: Connect to workspace.office.live.com*
Weird, wild, wonderful Windows "Workstation" 2008 | InfoWorld | Analysis | 2008-03-17 | By Randall C. Kennedy
For the self-reliant, a third Windows desktop option emerges: Build your own “Frankenvista” on Windows Server 2008
I guess the transformation is nearly complete. Windows Server 2008 has almost completely embraced the Linux model of one code base for servers and workstations. It is the incompatibilities that drive you nuts. Support for third party software has always been the sticking point. Now if only they would make Windows Server 2008 the Software Assurance upgrade for Vista Business. As Darth Vader said:
“Your skills are complete. Indeed you are as powerful as the Emperor has foreseen.”
BlogSecurity » Blog Archive » WordPress Scanner
Last night I used the WordPress Scanner on two of my blogs and I got this message.
dangerous-check-[0] PHP configuration file found in http://www.somewebsite.com/
I guess it is complaining about the fact that I have a php.ini file. I guess there is a security implication I do not know about. I googled php.ini and security and I did not get any hits. Can anybody provide me with some insight on the security issue?
The LinkedIn Blog: The Engineering component | LinkedIn Company Profiles
Last week I revisited LinkedIn and updated my information. It got me thinking. I know my favorite head hunters like LinkedIn, but is this an effective way to network people for charity purposes? This week a board member working on a grant required some demographic data on each board member. I guess the donor wants to know a little more about us before they give us a chunk of cash. I realized that the data I just finished updating on LinkedIn was most of the data she needed for the grant. I decided to save a PDF version of my LinkedIn profile. It did not work right. So I did it the hard way. I took a few minutes to cut and paste together the profile, print off a PDF, and email her the copy. About half of our board members are already on LinkedIn. Hmm…
Exceptional Performance
I ran across this page in one of the blogs I read but I do not remember which. I installed YSlow to check out my web sites. It was an easy check. The rules I consistently failed were rules 3 and 4. I came back here for the explanations. Implementing fixes for these rules can be complicated. I will look into them when I have both the curiosity bug and the spare time.
Rules for High Performance Web Sites
The Exceptional Performance team has identified 13 rules for making web pages fast. Each rule is discussed in the Developer Network Blog articles listed below.
- Make Fewer HTTP Requests
- Use a Content Delivery Network
- Add an Expires Header
- Gzip Components
- Put CSS at the Top
- Move Scripts to the Bottom
- Avoid CSS Expressions
- Make JavaScript and CSS External
- Reduce DNS Lookups
- Minify JavaScript
- Avoid Redirects
- Remove Duplicate Scripts
- Configure ETags
- Make Ajax Cacheable
Download YSlow for Firebug