WordPress 2.0.4 released but…

UPDATE – This post no longer applies.

This post is obsolete. It describes two issues I had with WP2.0.4 just prior to it being released. The first is a Maxthon browser specific error, that is suppressed by default in Maxthon and IE. In IE however there is never a way that it can be shown. At least that’s what my testing indicates.

The second error was due to a zero-byte index.php file being located in the plugins directory. If index.php is there, it replaces the dashboard upon subsequent visits. That’s a nifty trick… I put the index.php from my bubble headed boy page in there and now the WP Dashboard hosts bubble headed boy! How useful is that?!?!!

Anyway, I’m now “good” with 2.0.4 – both of these things are “non-issues” – Install away!

Well, Matt released version 2.0.4 a short while ago. I’d love to jump on the Go, Download and Install Now bandwagon, but frankly I am just not there yet. I’m seeing weird problems that just shouldn’t be there. Admittedly, these problems are far better to suffer through than dealing with some malicious member bumping themselves up to administrator level or doing something worse to your blog than that. Still, I would have preferred these problems being confirmed and fixed, or at least knowing why they were happening here and perhaps not elsewhere. I’m not doing anything out of the ordinary with this site at the moment.

I’ve just spent 4 hours trying to find the first problem. I am getting this error all over the post.php page:
Object expected on line 7 character WHAT???? 18410????

You’ll only see this message if you turn back on the annoying Script-Error-Popup that everyone disables because 90% of the sites out there contain errors:

IE: the option should be checked.

Maxthon: the option should be unchecked.

I can often produce it upon saving a post, deleting a post, leaving the write tab, heck I even sometimes get two of them when closing down the browser.

I’ve just found that the error is never raised, or is actively suppressed, in IE7 proper. However, the Maxthon browser raises the error. If this is truly a Maxthon-only issue, then I’ll just turn the error popup back off and go on happily with life. Since this error can be easily ignored, I’m not thaaat worried about it anyway. I am a little concerned that it could be masking other behaviour…

The other issue is a bigger deal, but I’ve heard from two people who don’t see this behaviour. My dashboard tab/button points to
/wp-admin/admin.php?page=index.php
and therefore only displays this when I click on it:
la la la la Don't Worry.  Browse happy, la la la

Look Ma! No dashboard!

Sooo, I’m still investigating. When I have found the reason for these, I’ll make another post describing the really quick way to download and install these upgrades…

But till I get this isolated, please excuse the dust and any weird behavior… though for now, I am off to bed…

Thanks

How to suspend random computers at your office via cellphone

Rickard Liljeberg has posted a video of the feature in action at his office. Their victim computer of choice was the Dell GX520 and they were having random shutdowns that Dell support could not explain. Kudos for him giving credit to coworker Chris for researching the problem and sysadmin Ben for putting 1 and 1 together and coming up with two.

I was alerted to this by a friend at the office who regularly reads The Register. When he saw an article referencing the Dell Gx520, the computer we use at all of our sites, it caught his eye. We have hundreds, if not thousands, of these computers in the field.

Apparently, certain cell phones can trigger the circuits that suspend a Dell computer. The phone in the video appears to be an older analog phone. So, I’m not quite as worried about this as I might otherwise be. We haven’t had a rash of calls about random shutdowns. In fact, I’d originally decided not to log an issue on this as we don’t use the suspend feature. However, if the phone is triggering the circuits, software and BIOS settings probably do not matter.

Dell’s response to The Register was:

Communication devices do sometimes cause interference with other communication devices. The level of interference created may depend in part on the model and condition of the phone.

Dell systems are designed to operate in line with industry standards for power and electro-magnetic shielding. We recommend to customers who are experiencing interference to avoid using mobile phones within one foot of the system. We encourage customers to contact Dell directly if they have other concerns.

It looks like Rickard has posted the video on the public Google video site. So, I can show it here too.

Here it is in action:

WordPress 2.04 Beta 2 includes a vital security fix.

Quick someone call Sam!
Original image by Andrew Krespanis

Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading among a huge number of bloggers. This sort of thing just spreads exponentially. Here’s a quasi-random sampling of two dozen of the first posts on it: .......................

And these were just from the English blogs that posted about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and great visual styles. They are well worth perusing…

Anyway, as you can guess he’s taken plenty of heat for this, because loads of people are now searching for the hole and trying to figure out how to exploit it. Most of these people just want to protect their own blogs. Others might be searching so that they can use this exploit against others. There are certain people I would not like to be right now…

The good, the bad and the ugly

The most common fix being spread out there is to disable “Anyone can register”. The good news is that this will eliminate the possibility of new people exploiting this issue. The bad news is that I would wager most bloggers don’t know the hearts of even HALF of their members. The ugly truth is that I bet many of the WP bloggers out there (the pajama media in particular) have members that are REALLLLLY pissed at them right now. Hey, it’s ugly but it happens. Now that this exploit is known, do you really trust that unknown/angry member not to go and read up on the details? Should you delete their account, so that they are even angrier the next time an exploit is announced? Don’t look at me, I can’t answer that one for ya…

Another alternative

The really good news is that Ryan Boren released the beta version of WordPress 2.0.4 on Sunday. The Beta2 version of the release includes a fix for this issue.

Here’s what Ryan said in a WP public list:

To recap, there is a bug in core WP involved that I believe I’ve fixed
for 2.0.4. This is the core API bug Dave is talking about on his blog.

I was in error before to say that this is a problem to be fixed solely
by the plugins. There are some plugins that need help beyond the fix to
the core, but the core fix should cover most plugins. Sorry for the
confusion.

And with that, I really need to get some sleep. Later all.

If you want to test the beta release, the beta3 version is available for download here:
zip
tar.gz
Please be aware that this IS a beta release and has not been tested against all common plugins and themes.

That said, WordPress 2.0.4 is under some intense scrutiny and *MIGHT* be released in just four days. You can see that for yourself here. In fact, you might want to keep that link around. Modifying that link is much easier than asking around “When will WP x.y be out? Huh? Huh? Huh?” If there is an answer to that question, there will be a link like that, showing the date. Can you figure out what the link for the 2.1 release is?

WP 2.0.4 Status and Some Details

Many people have been running 2.0.4 for ages now, but it is still under development. There have already been a number of changes and fixes since the beta2 version. Beta2 will not be the version that is released, but you might prefer running it to turning off your membership.

This fix is important, but the danger is not as all-encompassing as the holes that existed prior to version 2.0.3. It involves an assumption, by plugin authors, that the WordPress core takes care of all security concerns. The fact of the matter is, a WordPress plugin should be written so that it is secure in and of itself. It only makes sense. This fix enhances the security around plugins. But plugin authors should still be aware that they must always make certain the logged-in user has the rights to do the action the plugin is about to perform.

Likewise, WordPress bloggers should be aware that the more powerful a plugin is, the more risk you expose yourself to if someone gets to it through a security hole. This was just as true before this hole was disclosed as it is now.
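The rule in the two paragraphs above, as an added PHP illustration that is not code from this post or from WordPress core: the same plugin delete handler written first the unsafe way (trusting that the core has already vetted the caller) and then doing its own rights check per user and per post, plus the nonce check that 2.0.3 introduced. The rce_ function names and the admin_init hook are assumptions; current_user_can(), check_admin_referer(), wp_nonce_field() and wp_delete_post() are real WordPress functions.

```php
<?php
/*
Plugin Name: Rights Check Example (hypothetical)
Description: Added illustration, not code from the post or from WordPress core.
*/

// UNSAFE: the handler trusts that "being logged in" is enough. Any member,
// whatever their role, who submits this form gets the post deleted. This is
// exactly the assumption the post warns about: the plugin leaves security to
// the core and never asks whether THIS user may do THIS action.
function rce_unsafe_handle_delete() {
    if ( isset( $_POST['rce_delete'], $_POST['post_id'] ) ) {
        wp_delete_post( (int) $_POST['post_id'] );
    }
}

// SAFE: the plugin verifies rights itself, per action and per object,
// rather than guessing from a role name or from where the request arrived.
function rce_safe_handle_delete() {
    if ( ! isset( $_POST['rce_delete'], $_POST['post_id'] ) ) {
        return;
    }
    $post_id = (int) $_POST['post_id'];

    // 1. Does the logged-in user hold the capability for this specific post?
    //    'delete_post' with an ID maps to delete_posts / delete_others_posts
    //    depending on who owns the post, so authors cannot delete others' work.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        die( 'You do not have the rights to delete this post.' );
    }

    // 2. Did the request come from a form this user actually loaded, rather
    //    than from a link or page elsewhere that submitted it on their behalf?
    //    check_admin_referer() verifies the nonce written by wp_nonce_field().
    check_admin_referer( 'rce_delete_post_' . $post_id );

    wp_delete_post( $post_id );
}

// The matching form. Hiding the button from users who may not use it is
// cosmetic; the check inside the handler is the real protection.
function rce_render_delete_form( $post_id ) {
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return;
    }
    echo '<form method="post">';
    wp_nonce_field( 'rce_delete_post_' . $post_id );
    echo '<input type="hidden" name="post_id" value="' . (int) $post_id . '" />';
    echo '<input type="submit" name="rce_delete" value="Delete this post" />';
    echo '</form>';
}

// Only the safe handler is hooked; the unsafe one is kept for contrast.
add_action( 'admin_init', 'rce_safe_handle_delete' );
```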

You are your own blog’s best protection

For example, if you really think your WordPress blog needs to be able to restructure all of your tables, did you choose a plugin made by someone who looks like they have professional experience in web security, or was your plugin written by a high school senior or college freshman? I’m just asking… And so should you…

Now, there has been so much FUD that everyone is in a panic. I’m not saying that you should do nothing. You might actually want to disable the creation of new user accounts. You might want to disable some troublesome users. You might want to update to the 2.0.4 beta. Or you might just want to take a breath and realize that chances are, no one is out to destroy you or your blog – even just for the fun of it.

The fact of the matter is that there are still thousands of blogs out there running version 2.0.2 of WordPress (100,000+ results from Google) and earlier, despite our best efforts to get people to update and realize the serious nature of the risk. When there are published security holes allowing mass deletions of posts, there are much easier targets with more bang for the buck than your WP 2.0.3 blog.

You ARE running at least 2.0.3 right?

UPDATE

Beta 3 was released 7 minutes ago at 12:38pm EST/16:38 UTC. I’ve updated the links above to point at beta3. The only change between b2 and b3 is a minor fix I tested and improved for Ryan last night. In some rare circumstances the author link at the bottom of the posts might have been incorrect. Those of us without themes that support multiple authors would be unaffected by this change. So, there’s no real reason to get b3 if you have b2 installed already. The release MAY come sooner than I mentioned in this article. Perhaps by as much as 3 days sooner…but I wouldn’t mind another evening just to try to exploit this version.

You have been hacked! or What not to do with your 1and1 account…

Well, I had a nice post about how I was distracted from posting more Delphi code because I was playing with a new PEAR module I’d found called GameServerQuery. I was finishing that post by asking if anyone had gotten it to work, because I was pretty sure I had everything correct but it wasn’t working. Before I published the post I noticed someone had telnetted into my account and run some bash commands. And I knew it was not me…

They searched for my local IP address and an example file I used for GameServerQuery. Very odd…

Then I got an email from 1and1 saying I was hacked and that “WordPress needed to be updated because it had many security holes”. Uhhhh, no it doesn’t.

Long story short – I wasn’t hacked by anyone but a 1and1 representative, and dumbing language down for the end user is a bad practice if you don’t also provide them with an explanation of what you REALLY mean.

I’ve got enough materials for four or five posts out of this whole thing, but if I combine all the detail here, this post will be 5 pages long and it won’t make any sense when read as a whole.

So, here’s a summary and some good things to know when working with 1and1.com shared host accounts –

1. They say: Don’t use your account to host a game server or similar program.
They mean: We monitor and block outbound socket connections from your server. By doing this we lock out people looking for a cheap game server, and we protect our customers’ sites from several common attacks. We will allow fsockopen but the traffic is interrupted and you will be contacted by a “Customer Compliance Operative”.

“Customer Compliance Operative”?!?!?!!? So, is that like one of the Men in Black or more like a Mafia enforcer? Will I be zapped by a blinky light and forget all the PHP code for opening sockets if I continue with this post?

UPDATE: I just found a reference that indicates that this is probably NOT 1and1.com’s fault.
Someone was investigating why traceroute was not available on shared servers and discovered that socket traffic could not be accessed without root-level access. Of course root-level access cannot be given on a shared server. If anyone can confirm or deny this, I’d appreciate the additional information…
2. 1and1 passwords should not be considered secure and therefore should only be used on 1and1. Any/all 1and1 account representatives have access to your root passwords and can login as you and for all intents and purposes impersonate you using your accounts. What bothers me most about this is that they don’t have a policy of notifying you that they have logged in as you to do something… That’s wrong…

3. 1and1 support reps as a whole – as might be expected – have only general knowledge about the vast number of programs out there that could be running on your server. So they will look for alarm words and offer generic advice when they see one of these dangerous words. This could be considered a form of Red Zone Management, I guess. They get involved only when they need to and only know the hot topic of the day. So they will search for a file called xmlrpc.php since last year it had a hole in it; so, that means you were probably hacked. If they see WordPress, they know it had vulnerabilities earlier in the year, so they can assume you were hacked. They will not research/know the versions of the files involved even if they are listed in the logs. Again, this is really to be expected. I would not want every customer support rep to be a $90,000 a year security expert. I sure would not be paying what I am paying right now for the service.

4. When working with support, if you want a good solid response, help them give it to you. You can be in control of the call, and guiding the representative will make the call easier on both sides. This is true of any company anywhere in the world. Not every support rep will have the same level of training, and the pressing calls of the moment can and will take priority to the detriment of other calls. If something is important to you, trust but verify that it has been done.

5. The latest version of the PEAR module GameServerQuery is good and functional. The latest version is not what pear serves up; you have to retrieve it manually. PhGStats is a MUCH more refined tool and produces more fully functional pages. There’s a place for both of these tools. That place, btw, is NOT 1and1.com – see point 1.

More on each of these topics later…

Now Reading – Recently Completed – The Worthing Saga by Orson Scott Card

Originally posted here.

The Worthing Saga

By Orson Scott Card


You can view this book’s Amazon detail page here.

Tags:

Started reading:
17th Jul 2006
Finished reading:
24th Jul 2006

Review

Rating: 7

The Worthing Saga is a series of short stories and novels that tells the story of an empire’s death and rebirth. It is the story that began Orson Scott Card’s career. This book includes stories as published in 1978 and continuing through its release in 1990. The audio version includes readings by both Emily Card and Orson himself.

This book, The Worthing Saga, includes both The Worthing Chronicle and a grouping of short stories. The Worthing Chronicle is a grand unifying story that combines the novel Hot Sleep with many of the short stories that were worked into it.

Those stories were not rewritten for this book, but appear in close to their original format. So, they do not all quite align with the saga, but that’s OK. They are entertaining nonetheless. They were written as independent works and published in magazines and in part in one or two novels (Hot Sleep and Capitol). OSC decided to publish them as-is without removing inconsistencies, for the Worthing universe is after all a story about memory, its truths and its lies.

This was my second reading of The Worthing Chronicle. I don’t normally do short stories, so it was a difficult book to read the first time through. I don’t think I ever finished it. Too often short stories end before the author can fully explain the characters, and I read almost exclusively to hear people’s stories – even if they are fictional people.

In the end – though I will say that The Worthing Chronicle was a more craftily interwoven story – I enjoyed the Hot Sleep version of the story much more. Hot Sleep rings true to me, whereas Chronicle is perhaps told in a more technically correct manner.

I do recommend you read both Hot Sleep and The Worthing Saga, but you should read Hot Sleep first. It delves more deeply into every character in the story and helps you understand The Worthing Saga in a deeper way.

Unless you have a really good used book store around you (my favorite was flooded two years ago and never recovered, a REAL shame), the only place you will find Hot Sleep is attached to the second issue of OSC’s magazine, The Intergalactic Medicine Show. You can buy each issue for under $3 and you get MORE than your money’s worth.

Visit it at: http://www.InterGalacticMedicineShow.com

IMPORTANT: Attention Doctor Who & Douglas Adams Fans

I’ve just noticed that BBC7 – the British radio station that simulcasts on an Internet stream – recently re-aired the Doctor Who episode series “Shada”.

Shada was originally a never-made six-episode series from 1980 when Tom Baker was starring as the fourth Doctor. And who wrote many of the episodes starring Tom Baker (including this Shada)? Why, none other than the late great Douglas Adams of Hitchhiker’s Guide to the Galaxy fame. Shada was actually Douglas’s last contribution to the Doctor Who TV universe. And finally on New Year’s Day 2006, it saw (heard) the light (sounds) of day in the shape of a made-for-radio drama aired worldwide on BBC7. And this week it was rebroadcast – DON’T MISS IT!!! One word of warning: the plot has been transposed to take place during the eighth incarnation of the Doctor – Paul McGann. Oh – and K9 is there too! 🙂 It’s funny, Shada Episode One starts with The Doctor (McGann) giving a brief description of the scenes from The Five Doctors when he was in a different incarnation (Baker). It’s just strange. (I guess you had to be there….)

Paul McGann as The Eighth Doctor

Parts of this episode were filmed with Tom Baker but it was never completed. In fact, if you’ve seen the movie “The Five Doctors”, all of the Tom Baker scenes in that movie were original footage made for the Shada episode. “Shada” was first aired over the Christmas holidays last year.

I know it is late notice but today and tomorrow, you can go to BBC7’s “Listen Again” page and scroll down to the 7th Dimension section at 18:00 to see the listing for Shada. It requires Real Player, but you can just click the “Listen Again” link or icon.
http://www.bbc.co.uk/bbc7/listenagain/sunday/

On Sunday, you can still cheat and listen to the show by connecting directly to the RAM file any time right up till 11:59:59pm London time. Shortly after that, the second episode in the Shada series will be found at that link.
http://www.bbc.co.uk/bbc7/listenagain/sunday/rams/0000.ram

If you’ve stumbled on this post after this date and have missed the first episode, send me an email. I’ll commiserate with you. Or you can check out the online comic version of Shada that was written for the now defunct Cult BBC pages. You need to have Flash to enjoy the visual and audio extravaganza: http://www.bbc.co.uk/doctorwho/classic/webcasts/shada/one/index.shtml

You can also read more about the episode plot here: http://www.bbc.co.uk/doctorwho/classic/episodeguide/shada/plot.shtml

Favorite Quote: “Tea?” “Yes please.” “Milk?” “Yes” “One lump or two?” “Two please.” “Sugar?” “What???”

BBC7’s Episode Summary:

DOCTOR WHO: SHADA. Written by Douglas Adams. Directed by Nicholas Pegg. Produced by Big Finish Productions.
Saturday December 10 at 8pm

The good Doctor made a comeback to TV in 2005. But this Douglas Adams adventure has made a comeback on radio instead! Starring Paul McGann, Susannah Harker and Edward Fox.
The Doctor has a spot of unfinished business. Reunited with his old friends Romana and K9, he answers a summons from Professor Chronotis, a retired Time Lord now living the academic life in a Cambridge college.

But the Doctor isn’t the only visitor to Cambridge. Somewhere in the city is the sinister alien Skagra, who is intent on stealing an ancient and mysterious book brought to Earth by the Professor many years before.

What is Skagra’s diabolical masterplan? And who or what is the mysterious Shada? To discover the truth, the Doctor and his friends must embark on a perilous journey that will take them from the cloisters of Cambridge to the farthest reaches of deep space, risking deadly encounters with a sentient spaceship, the monstrous Krargs, and an ancient Time Lord criminal called Salyavin. As the Doctor soon discovers, the fate of the universe hangs in the balance…