All posts by onlyconnect

Detailed look at a WordPress hack

Angsuman Chakraborty’s technical blog suffered a similar attack to mine – the malicious script was the same, though the detail of the attack was different. In my case WordPress was attacked via Phorum. Chakraborty offers a detailed look at how his site was compromised and makes some suggestions for improving WordPress security.

In both these cases, WordPress was not solely to blame. At least, that is the implication. Chakraborty thinks his attack began with an exploit described by Secunia, which requires the hacker first to obtain access to the WordPress password database, via a stray backup or a SQL injection attack. Nevertheless, Chakraborty says:

One of the challenges with WordPress is that security considerations were mostly an afterthought (feel free to disagree) which were latched on as WordPress became more and more popular.

I have huge respect for WordPress. Nevertheless, I believe its web site could do better with regard to security. The installation instructions say little about it. You really need to find this page on hardening WordPress. It should be more prominent.


Is Adobe spying on you?

Adobe is on the defensive after users complained that its premier software package, Creative Suite 3, is collecting usage stats in an underhand manner.

On the other hand, Adobe’s John Nack reports that the content being tracked is content delivered from the internet, such as a Live News SWF, and online help which really is online, not just local files.

The other part of this story is that Adobe is using Omniture for analytics, and Omniture has chosen a deceptive hostname for its tracking stats, specifically 192.168.112.2O7.net. That is not an IP address, it is a hostname: the registered domain is 2O7.net, and the character after the 2 is a capital letter O, not a zero.

Breach of privacy? Case not proven. Anyone running a web site should track stats for all kinds of reasons; I used them recently to investigate a break-in. When desktop applications call internet resources, they are acting like a web browser, and users should expect that they leave a digital trail. It is not as if CS3 calls the internet secretly – I think most of us can figure out that a live news panel is doing more than showing files installed by setup.

Unfortunately once you start browsing the web it is difficult to know exactly what resources you are calling and from where. What users see as a single web page typically has ads from one place, maybe images from another, and often slightly sneaky tricks like invisible images or scripts put in place solely to track usage. Now desktop apps are doing the same thing; it is not different in kind though it is true that neither case is transparent for the user.

That’s no excuse for Omniture using a silly hostname that is the kind of thing you would expect from spam sites or misleading emails that want you to click malware links. Omniture’s hostname is designed to look like an internal IP address, which anyone scanning a firewall or proxy log would normally dismiss as local traffic, when in fact the connection goes to Omniture’s public servers. That’s beyond “not transparent”; it is deliberate deception, albeit easy to spot for anyone moderately technical.
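The deception works because a dotted run of numbers at the front of a hostname reads as an address, and a letter O passes for a zero at a glance. The check below is an added example, not anything from Adobe or Omniture: it maps the usual letter-for-digit substitutions back to digits, asks whether the first four labels then form a dotted quad, and reports the apparent address, whether that address is in a private range, and which domain the traffic really goes to. The confusable-character table and the "last two labels" rule for the real domain are simplifying assumptions for the example (a real tool would use a public suffix list); the sample URL path is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Letters commonly passed off as digits in look-alike labels. Assumption for
# this example; extend the table if you see other substitutions.
CONFUSABLE = {"O": "0", "o": "0", "I": "1", "l": "1"}


def _normalise(label):
    """Map confusable letters in one label to the digits they imitate.

    Returns the normalised label and a list of the substitutions made.
    """
    out, subs = [], []
    for ch in label:
        if ch in CONFUSABLE:
            subs.append(f"{ch}->{CONFUSABLE[ch]}")
            out.append(CONFUSABLE[ch])
        else:
            out.append(ch)
    return "".join(out), subs


def ip_lookalike(hostname):
    """Return details if hostname is dressed up as an IP address, else None.

    A genuine IP literal parses with ipaddress and is never flagged.
    """
    host = hostname.strip().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # a real address: nothing deceptive about it
    except ValueError:
        pass

    labels = host.split(".")
    if len(labels) < 5:
        return None  # need four address-like labels plus a real domain

    quad, subs = [], []
    for label in labels[:4]:
        norm, s = _normalise(label)
        # Each leading label must read as an octet once letters are mapped.
        if not (norm.isascii() and norm.isdigit() and int(norm) <= 255):
            return None
        quad.append(norm)
        subs.extend(s)

    apparent = ipaddress.ip_address(".".join(quad))
    return {
        "apparent_address": str(apparent),
        "private": apparent.is_private,
        # Naive: the last two labels. Assumption for the example; a public
        # suffix list is needed to get this right for e.g. co.uk domains.
        "real_domain": ".".join(labels[-2:]),
        "substitutions": subs,
    }


def check_url(url):
    """Apply ip_lookalike to the host part of a URL, preserving letter case."""
    netloc = urlsplit(url).netloc
    host = netloc.rpartition("@")[2].split(":")[0]  # drop userinfo and port
    return ip_lookalike(host)


if __name__ == "__main__":
    for h in ("192.168.112.2O7.net", "192.168.0.1", "www.example.com",
              "10.0.0.1.example.com"):
        print(h, "->", ip_lookalike(h))
    # Constructed sample URL for the demo, not a real tracking request.
    print(check_url("http://192.168.112.2O7.net/some/path"))
```

For the Omniture hostname the check reports an apparent address of 192.168.112.207, which is in a private range, with the traffic actually bound for 2O7.net and a single O-for-0 substitution. A plain `192.168.0.1` and an ordinary hostname such as `www.example.com` are not flagged.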

Should Adobe offer an option to turn off all non-local content? Possibly, though not many users would want to do so. There is a simple way for users to protect their privacy, which is to disconnect their machine from the Internet.

The big unknown is how these stats are used. Does Adobe check for the same serial number being used on multiple machines concurrently? Does it link usage stats to registration details? Does it check which apps in the suite are used most, and use that for contextual marketing to specific users? There is probably a privacy policy somewhere which explains what Adobe does, or does not, or might do. Unfortunately users have to take such things on trust. Occasionally companies slip up, even with good intentions – you may recall the day AOL released search logs for 500,000 users naively thinking they were not personally identifiable.

This problem is not specific to Adobe. It is inherent in internet-connected applications including web browsers. That said, Adobe should beat up Omniture for its shady URL, and do a better job informing users what kind of data it is collecting and how it is used. Which is pretty much what Nack says in a second post – except he says security when this is a privacy issue. Not the same thing.


Why I haven’t seen the best of Bill Gates

I’ve been covering Microsoft for enough years to have seen and heard Bill Gates on numerous occasions. But I’ve not done so for enough years to have seen the best of him. I gather from other journalist friends that until maybe the early nineties, Gates was excellent value for the IT press, showing his technical side and chatting in-depth about some of the details of his products. Note this comment from Joel Spolsky:

Bill Gates was amazingly technical. He understood Variants, and COM objects, and IDispatch and why Automation is different than vtables and why this might lead to dual interfaces. He worried about date functions. He didn’t meddle in software if he trusted the people who were working on it, but you couldn’t bullshit him for a minute because he was a programmer. A real, actual, programmer.

Sadly I was a little too late to see this side of Gates. Microsoft grew too big; Microsoft execs grew too distant. In the keynotes I’ve heard, he talks about the company vision and the state of computing and leaves the technical details to others to explain. He occasionally takes questions, to which he typically gives long, circuitous answers, a favourite technique used by senior execs with, I suspect, the goal of reducing the number of questions that can be asked and answered in the time available. Nonetheless I respect him for steering the company through its path from the early days of DOS through to having its products installed on nearly every desktop and in nearly every home.

What prompts this post? billg is retiring in July and confirmed this at CES:

It’s the middle of this year, in July, that I’ll move from being a full-time employee at Microsoft to working full-time at the foundation.

This isn’t news; it’s in line with a previous announcement in June 2006; even the date, July 2008, was announced then.


Wikia Search is live

You can now perform searches on Wikia, the open source search engine from the founder of Wikipedia.

This is from the about page:

We are aware that the quality of the search results is low.

Wikia’s search engine concept is that of trusted user feedback from a community of users acting together in an open, transparent, public way. Of course, before we start, we have no user feedback data. So the results are pretty bad. But we expect them to improve rapidly in coming weeks, so please bookmark the site and return often.

I tried a few searches for things I know about, and indeed the results were poor. I am going to follow the advice.

Wikia’s Jimmy Wales says there is a moral dimension here:

I believe that search is a fundamental part of the infrastructure of the Internet, and that it can and should therefore be done in an open, objective, accountable way.

There are several issues here. The power of Google to make or break businesses is alarming, particularly as it seeks to extend its business and there are growing potential conflicts of interest between delivering the best search results, and promoting particular sites. Google’s engine is a black box, to protect its commercial secrets. Search ranking has become critical to business success, and much energy is expended on the dubious art of search engine optimization, sometimes to the detriment of the user’s experience.

Another thought to ponder is how Google’s results influence what people think they know about, well, almost anything. Children are growing up with the idea that Google knows everything; it is the closest thing yet to Asimov’s Multivac.

In other words, Wales is right to be concerned. Can Wikia fix the problem? The big question is whether it can be both open and spam-resistant. Some people thought that open source software would be inherently insecure, because the bad guys can see the source. That argument has not held up in practice: whatever advantage attackers gain from reading the code is more than offset by the number of people scrutinizing open source code and fixing problems. Can the same theory apply to search? That’s unknown at this point.

It is interesting to note that Wikipedia itself is not immune to manipulation, but works fairly well overall. However, if Wikia Search attracts significant usage, it may prove a bigger target. I guess this could be self-correcting, in that if Wikia returns bad results because of manipulation, its usage will drop.

I don’t expect Wikia to challenge Google in a meaningful way any time soon. Google is too good and too entrenched. Further, Google and Wikipedia have a symbiotic relationship. Google sends huge amounts of traffic to Wikipedia, and that works well for users since it often has the information they are looking for. Win-win.

Unanswered question: how’s Vista’s real-world security compared to XP?

Reading Bruce Eckel’s disappointing I’m not even trying Vista post (I think he should give it a go rather than swallow all the anti-hype) prompts me to ask: how’s Vista’s security shaping up, after 12 months of real-world use?

I could call the anti-virus companies, but I doubt I’ll get a straight answer. The only story the AV guys want to see is how we still need their products.

I’d like some stats. What proportion of Vista boxes has been successfully infected by malware? How does that compare to XP SP2? And has anyone analysed those infections to see whether User Account Control (Vista’s big new security feature) was on or off, and whether the infection required the user’s cooperation, such as clicking OK when an unsigned malware app asked for admin rights? What about IE’s protected mode – has it reduced the number of infections from compromised or malicious web sites?

Has anyone got hard facts on this?


Playing music over the network on an Asus Eee PC

I’m an enthusiast for SlimServer, so when I got hold of an Eee PC one of the first things I investigated was how to play music from SlimServer over a wireless network.

I tried SoftSqueeze but with mixed results. It seems to work OK at first, but after you hit pause a few times, or change the playlist, it seizes up. There is no error message, but it stops communicating with SlimServer and the only fix I’ve found is to restart SoftSqueeze.

You can play files directly via a shared directory, but navigation is awkward.

I’ve had the best results from SlimServer’s MP3 stream. Here’s what you do. First, open Music Manager from the Eee’s Play tab. From the Playlist menu, choose Add Stream. Enter the URL of your SlimServer, for example:

http://yourserver:9000/stream.mp3

You can use an IP number in place of the server name if you like. Click OK and then hit Play. You should get a silent stream called Welcome to SlimServer.

Minimize Music Manager, and open Firefox. Navigate to:

http://yourserver:9000

This will open the SlimServer user interface. In the right-hand pane, make sure the Eee PC player is selected. SlimServer does not know what the device is, so it will show as an IP number. Once selected, click Settings at top right and enter Eee PC (or whatever you like) for the Player Name, then click Change.

Now play some music. Just perform a search and start playing. All going well, you will hear music from your Eee PC after a short interval.

A few observations

This is a pretty effective way of using the Eee PC as a SlimServer client, but let’s just say it lacks that last bit of usability polish. In other words, only geeks are going to do this. It seems to me that there is scope for an alternative to SoftSqueeze that would offer a user-friendly way of searching and playing your SlimServer tunes via a desktop client – in other words, with no need to open a web browser. SoftSqueeze does this already, but emulating a remote when I have a full keyboard at my disposal is not my idea of user-friendly. The obvious solution would be to extend Amarok or the like.

I realise that you can copy music files directly to the Eee, or have them on a USB stick, and play them in Amarok. The problem is that you soon run into space limitations, especially if you like high bitrate sound files.

There is an annoying lag between making a selection in the browser and hearing it. This could be solved with programming; see apparently dead projects like slimp3slave, for example.

The sound itself is decent. The Eee has an Intel High Definition Audio integrated soundcard. The built-in speakers aren’t great, though at least there are two of them (occupying space in the lid that some of us would like to see filled with a larger screen). Plug in some external speakers though, or headphones, or feed the audio output to a hi-fi, and the quality can be excellent.

PS if you haven’t installed SlimServer yet, you can get it free here.

2007: the most commented posts, and a bit of blog introspection

Here are the posts that received the most comments on ITWriting.com this year:

Vista display driver takes a break (220 comments)

Outlook 2007 is slow, RSS broken (173 comments)

Annoying Word 2007 problem- can’t select text (101 comments)

Why Outlook 2007 is slow- Microsoft’s official answer (95 comments)

Adobe CS3 won’t install (35 comments)

Delphi for PHP first impressions (33 comments)

Irony: Outlook Web Access more usable than Outlook (29 comments)

Audio in Vista- more hell than heaven (25 comments)

How to speed up Vista- disable the slow slow search (24 comments)

Adobe AIR- 10 reasons to love it, 10 reasons to hate it (24 comments)

Ubuntu Desktop not used in business (21 comments)

Miguel de Icaza on ODF vs OOXML (19 comments)

Visual Studio 6 on Vista (16 comments)

Microsoft Silverlight vs Adobe Flex (16 comments)

Vista vs XP performance- some informal tests (14 comments)

Slow Outlook 2007- the comments keep coming (14 comments)

This is mostly down to Google, everyone’s favourite source of tech support. The most commented posts are about problems with Windows and Office, and reflect the number of people searching for a solution who end up on this blog. Only a tiny proportion of readers actually post a comment, so the top few posts above are evidence of a large amount of frustration.

I highly value the comments, especially when they form a reply or clarification from the organization which is the subject of the post – like this one from Zoho.

A few more stats

Firefox usage has increased from 14% in 2006 to 20% in 2007.

The biggest source of incoming links is programming.reddit.com.

The five top search keywords are: 2007, Outlook, Vista, Slow and .NET.

A bit of introspection

I enjoy doing this blog and web site, though there are a couple of frustrations. One is that I have more material than I get time to write up. Another is that while the ads on the site pay for the hosting, they don’t do much more than that, and I would like to find a way to make web self-publishing viable.

I also muse over whether the range of subjects here is too broad. I post in three broad categories:

  • Software development
  • Problem solving
  • Anything that interests me in the tech world

Most of the subscribers to the blog probably want what is in the first category, especially as it is in this area that I can supply the most original content, sourced from interviews or conferences. The problem solving posts find a different readership via Google. My good intentions to narrow the focus more towards programming fall away when I have some other topic I want to write about, though I do keep it strictly to tech-related topics.

Update: fixed the list (missed a few)

Turn Me Up: an attempt to end the loudness wars

Turn Me Up is a new initiative whose aim is to restore dynamics to recorded music. Currently many, perhaps most new and remastered CDs and downloads suffer from excessive compression, the result being a sound that is fatiguing and lacking in dynamic range. It is a problem that is well documented, but mastering engineers feel intense pressure to make CDs that are as loud as the competition, so the situation continues.

The organization explains that:

…it’s not our goal to discourage loud records; they are, of course, a valid choice for many artists. We simply want to make the choice for a more dynamic record an option for artists…Today, artists generally feel they have to master their records to be as loud as everybody else’s.

The idea of Turn Me Up is to promote the benefits of mastering with full dynamics and to communicate this to the purchaser with a logo. This also explains the “Turn Me Up” name. This is the proposed text:

Turn Me Up!™ Certified

To preserve the excitement, emotion and dynamics of the original performances this record is intentionally quieter than some. For full enjoyment simply Turn Me Up! (www.TurnMeUp.org).

Unfortunately the site does not reveal who has formed Turn Me Up or how much support it has within the industry, though according to this story it was founded by Florida-based Charles Dye, who has mixed CDs for Bon Jovi, Ricky Martin and Sammy Hagar. Apparently a new release from John Ralston, called Sorry Vampire, which is mixed by Dye, uses the Turn Me Up text on the CD.

I’m not sure what chance of success Turn Me Up has, but it strikes me as a sensible approach and worth supporting.

Firefox segmentation fault on Asus Eee PC after update

I’m writing about Eee PC right now, and after updating a clean install (no added repositories) was surprised to find Firefox failing with a segmentation fault. Clicking the Firefox icon did nothing. Running from a console got this:

/opt/firefox/run-mozilla.sh: line 131: nnnn Segmentation fault

Reinstalling Firefox and deleting the profile did not work, nor did safe mode. I found the answer here. Open a console (Control-Alt-T) and type:

sudo apt-get install eeepc-updatepack-20071126

What does this package do?

This update pack fixes SCIM for applications which were provided to ASUS as binaries. This includes Firefox, Thunderbird, Adobe Acrobat.

SCIM is the Smart Common Input Method platform.

All is now well, but I’m not impressed. Running apt-get update and then apt-get upgrade should not break important applications. Nor is it obvious how to fix the problem. This kind of thing will put new users off Linux; not good if Asus really wants to make the Eee a mass-market device.

Incidentally, if you are stuck without Firefox on the Eee and need to browse the web, typing konqueror from a console will fire up the KDE web browser.

When good software goes bad

Verity Stob looks at feature bloat and a few other things in her piece on apps that have gotten worse over the years.

Confession: I use Paint Shop Pro too, although I have Photoshop installed as part of Adobe’s Web Premium CS3. In my case it is PSP version 5.0. PSP starts in a blink and has dead easy tools. Photoshop takes several seconds to start up and displays messages like “Initializing palettes” while it is getting going. There is nothing wrong with Photoshop, but equally if I just need to crop a screenshot quickly, I find myself using PSP and saving a few seconds.

Stob’s piece is light-hearted and unfair (I like C#) but a fun read.

I remember meeting a programmer back in the days of DOS and strict memory limits. He told me that every time he added a new feature, he had to find some other code he could remove in order to fit it in. A nightmare of course; but it prevented bloat.

It’s one of the reasons I like the Asus Eee PC. It is underpowered by many standards, but small, light, starts from cold in less than 30 seconds, and works fine for most everyday tasks.

Just another take on less is more.