OK So, most theme developers are aware of what the loop is… it displays your WordPress posts.

The one interesting thing about the loop is that it bounces in and out of the php and straight html output.  So, most of the functions that are called do the echoes themselves.  But what if need the output in a variable, or want to code it so that the call is part of its own echo function? You simply cannot use the same functions.

Fortunately WordPress provides two versions  of each of these core functions.  For example there is the_content and get_the_content() also the_permalink() and get_permalink() (yes, that inconsistency has ALWAYS bothered me..)

Here is a version of  ”The Loop” which calls all of the alternate versions of the functions:

if (have_posts()) {

while (have_posts()) {

the_post();
echo ‘<div id=”post-’ . the_ID() . ‘”>’;
echo ‘ <div></div>’ . “\n”;
echo ‘ <div>’ . “\n”;
echo ‘ <div>’ . “\n”;
echo ‘ <h2><a href=”‘ . get_permalink() . ‘” rel=”bookmark” title=”Permanent Link to ‘ . the_title_attribute(‘echo=0′) . ‘”>’ . the_title(‘echo=0′) . ‘</a></h2>’ . “\n”;
echo ‘ <small> <!– by ‘ . get_the_author() . ‘ –></small>’ . “\n”;
echo ‘ <div>’ . “\n”;
$content = get_the_content();
$content = apply_filters(‘the_content’, $content);
$content = str_replace(‘]]>’, ‘]]&gt;’, $content);
echo $content . “\n”;
echo ‘ </div>’ . “\n”;
echo ‘ </div>’ . “\n”;
echo ‘ </div>’ . “\n”;
echo ‘ <div></div>’ . “\n”;
echo ‘</div>’ . “\n”;

}

echo ‘<div>’ . “\n”;
echo ‘ <div>’ . next_posts_link(‘&laquo; Older Entries’) . ‘</div>’ . “\n”;
echo ‘ <div>’ . previous_posts_link(‘Newer Entries &raquo;’) . ‘</div>’ . “\n”;
echo ‘</div>’ . “\n”;

} else {

echo ‘<h2>Not Found</h2>’ . “\n”;
echo ‘<p>’ . “Sorry, but you are looking for something that isn’t here.” . ‘</p>’ . “\n”;
get_search_form();

}

The process is EXTREMELY simple. One line to install SVN, two to create the repository, and one to run the daemon:

yum install subversion.i386 mkdir /svn svnadmin create /svn/my-repo/ svnserve -d

Here’s what my results produced (The first line confirms I have subversion available in yum): [root@hosting ~]# yum list | grep ‘subversion’ subversion.i386 1.4.2-4.el5_3.1 base subversion-devel.i386 1.4.2-4.el5_3.1 base subversion-javahl.i386 1.4.2-4.el5_3.1 base subversion-perl.i386 1.4.2-4.el5_3.1 base subversion-ruby.i386 1.4.2-4.el5_3.1 base [root@hosting ~]# yum install subversion.i386 Loaded plugins: fastestmirror Determining fastest mirrors addons | 951 B 00:00 base | 2.1 kB 00:00 extras | 2.1 kB 00:00 updates | 1.9 kB 00:00 wiredtree | 951 B 00:00 Excluding Packages in global exclude list Finished Setting up Install Process Resolving Dependencies –> Running transaction check —> Package subversion.i386 0:1.4.2-4.el5_3.1 set to be updated –> Processing Dependency: perl(URI) >= 1.17 for package: subversion –> Processing Dependency: neon >= 0.25.5-6.el5 for package: subversion –> Processing Dependency: libneon.so.25 for package: subversion –> Processing Dependency: libapr-1.so.0 for package: subversion –> Processing Dependency: libaprutil-1.so.0 for package: subversion –> Running transaction check —> Package apr.i386 0:1.2.7-11.el5_3.1 set to be updated —> Package apr-util.i386 0:1.2.7-11.el5 set to be updated –> Processing Dependency: libpq.so.4 for package: apr-util —> Package neon.i386 0:0.25.5-10.el5_4.1 set to be updated —> Package wt-URI.noarch 0:1.35-1 set to be updated –> Processing Dependency: perl(Business::ISBN) for package: wt-URI –> Running transaction check —> Package postgresql-libs.i386 0:8.1.21-1.el5_5.1 set to be updated —> Package wt-Business-ISBN.noarch 0:2.00_01-1 set to be updated –> Processing Dependency: perl(Business::ISBN::Data) >= 1.09 for package: wt-Business-ISBN –> Running transaction check —> Package wt-Business-ISBN-Data.noarch 0:1.13-1 set to be updated –> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================ Package Arch Version Repository Size ============================================================================================================================================ Installing: subversion i386 1.4.2-4.el5_3.1 base 2.3 M Installing for dependencies: apr i386 1.2.7-11.el5_3.1 base 123 k apr-util i386 1.2.7-11.el5 base 80 k neon i386 0.25.5-10.el5_4.1 base 101 k postgresql-libs i386 8.1.21-1.el5_5.1 updates 196 k wt-Business-ISBN noarch 2.00_01-1 wiredtree 353 k wt-Business-ISBN-Data noarch 1.13-1 wiredtree 12 k wt-URI noarch 1.35-1 wiredtree 146 k Transaction Summary ============================================================================================================================================ Install 8 Package(s) Upgrade 0 Package(s) Total download size: 3.3 M Is this ok [y/N]: y Downloading Packages: (1/8): wt-Business-ISBN-Data-1.13-1.noarch.rpm | 12 kB 00:00 (2/8): apr-util-1.2.7-11.el5.i386.rpm | 80 kB 00:00 (3/8): neon-0.25.5-10.el5_4.1.i386.rpm | 101 kB 00:00 (4/8): apr-1.2.7-11.el5_3.1.i386.rpm | 123 kB 00:00 (5/8): wt-URI-1.35-1.noarch.rpm | 146 kB 00:00 (6/8): postgresql-libs-8.1.21-1.el5_5.1.i386.rpm | 196 kB 00:00 (7/8): wt-Business-ISBN-2.00_01-1.noarch.rpm | 353 kB 00:00 (8/8): subversion-1.4.2-4.el5_3.1.i386.rpm | 2.3 MB 00:00 ——————————————————————————————————————————————– Total 1.6 MB/s | 3.3 MB 00:02 Running rpm_check_debug Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Installing : apr 1/8 Installing : neon 2/8 Installing : postgresql-libs 3/8 Installing : wt-Business-ISBN-Data 4/8 Installing : apr-util 5/8 Installing : wt-URI 6/8 Installing : subversion 7/8 Installing : wt-Business-ISBN 8/8 Installed: subversion.i386 0:1.4.2-4.el5_3.1 Dependency Installed: apr.i386 0:1.2.7-11.el5_3.1 apr-util.i386 0:1.2.7-11.el5 neon.i386 0:0.25.5-10.el5_4.1 postgresql-libs.i386 0:8.1.21-1.el5_5.1 wt-Business-ISBN.noarch 0:2.00_01-1 wt-Business-ISBN-Data.noarch 0:1.13-1 wt-URI.noarch 0:1.35-1 Complete! [root@hosting ~]# mkdir /svn [root@hosting ~]# svnadmin create /svn/my-repo/ [root@hosting ~]# svnserve -d

The last thing to do is to configure the password if you want one.

vi /svn/my-repo/conf/svnserve.conf

vi /svn/my-repo/conf/passwd

The details of those two files are beyond the scope of this post. Besides I’m sure you’ll want to triple check, as every one else does, that the svn password file is in plain text. Yes, that’s correct. Plain text.  That makes you think about all the svn repositories that you used secure passwords to access now doesn’t it?

If you host lots of different sites for people, one of the things you might want to know is what versions of WordPress each site is running.

WordPress stores the version number in a variable named $wp_version which is set in the file version.php.

With that information in hand, you can write a bash command that you run from your /home directory to display all of the WordPress versions you have on your server:

find . -name version.php -type f|xargs grep ^\$wp_version

This is one of the aliases I have in my .bashrc file.

While working with Lee Newton over at b5media I was able to watch him build up some server tools over time that were invaluable to diagnosing exactly what was going on on the server.

Now I find I need to make some of my own. Here’s how I am doing it.

For now I am going to concentrate on access logs.

Where these logs are varies server by server, but if you are running a standard cPanel setup, chances are you can find a directory named /usr/local/apache/domlogs with files in it named after your domain name. In this case I picked one of the sites I host: nakedpastor.com

So if I do a:

cd /usr/local/apache/domlogs
tail -10 nakedpastor.com

I will get the last 10 lines of the access log file

Here’s one example:

24.555.555.27 – - [09/Aug/2010:20:13:45 -0400] “GET /wp-content/uploads/2010/08/IMG_0001.jpg HTTP/1.1″ 304 – “http://www.nakedpastor.com/” “Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16″

Someone on an iPhone is looking at a picture on the site (which David would get more Google Juice from if he had named it better).

The trick is going to be to break down that line into important bits of information that will help me diagnose how my server is being used. For example, I might want to know if one IP address is flooding me. I might want to know if I am getting a HUGE number of requests for one particular file or if I am serving a large number of errors. If I ran this on a combined log file I, I would want to know if one domain was getting all of the traffic. Top referrers might be a fun thing to look at too. There are lots of little bits of info in there that could be helpful.

My tool chest includes:

tail – request a certain number of lines from the END of the file as shown above. During testing I will use -15 to get the last 15 lines but when I make this live, I’ll want to look at the last several thousand at least.
head – requests the number of lines at the top of a file. In this case it gives me the most pertinent results
sort – Will put the most important results at the top
cut – probably not helpful initially as the fields are not fixed width
awk – Used to parse the lines into chunks so I can see what is important. See also here
grep – Used to search for text
uniq – Used with -c uniq counts the number of occurrences of each variance
| – The piping symbol used to send the results of one command right into the next.

Let’s go after something simple first. The IP address. I want to take the last 100 lines of the error log, get the the ip address which will be the first word in the line, count how many times each ip address is used, sort it numerically by count and return the top 10. In bash, that is pronounced as:

tail -10000 /usr/local/apache/domlogs/nakedpastor.com | awk ‘{print $1}’ | sort | uniq -c | sort -nr | head -10

You can find examples of that line lots of places out there. In fact I copied and pasted that from another site. Their line used a “tail -n” instead of “head”, but it did the same thing You may want to note that you have to call sort before you call uniq in order for unique to work right..

For the rest of the examples I’m going to use the awk command to break down the line into separate fields separated by quotes or spaces. this line prints the number 7 because there are 7 fields separated by quotes:

tail -5 nakedpastor.com|awk -F ‘”‘ ‘{c=NF; print c}’

If I search for quotes and then search for space, I can get the result code

tail -15 nakedpastor.com|awk -F ‘”‘ ‘{print $3}’|awk ‘{print $1}’

Or the requested page:

tail -15 nakedpastor.com|awk -F ‘”‘ ‘{print $2}’|awk ‘{print $2}’

Or the referrer:

tail -15 nakedpastor.com|awk -F ‘”‘ ‘{print $4}’|awk ‘{print $1}’

Or the agent:

tail -15 nakedpastor.com|awk -F ‘”‘ ‘{print $6}’|awk ‘{print $1}’

So using these examples I can get the 20 most popular agent/OS combos:

tail -1000 /usr/local/apache/domlogs/nakedpastor.com | awk -F ‘”‘ ‘{print $6}’| sort | uniq -c | sort -nr | head -20

So, there you have some tools to use the next time you want to see what is going on on your server. Along with free -m and top you can get some neat info.

Just remember that you are getting snapshots. When I looked a little bit ago. Knowmore.com’s bot took up 1390 of the 10000 lines I was looking at. That’s over 10% of the traffic going to just that bot. HOWEVER if I looked at 5000 lines, they didn’t appear at all. Looking at 100000 lines they only appeared 1394 times. So, don’t just use one sample size. It can be misleading.

I will probably take these lines and combine them into some .bachrc functions along the line of what I’d discussed in my Three helpful additions to your .bashrc post.

It’s rare that I open the source code for a random plugin and see every recommended security measure taken. When looking at Chris Boyd‘s plugin GeoLocation Plugin, I kept digging deeper and deeper and found he’d consistently covered everything. This plugin is a text book example of how to write a secure plugin.

Since he has so many techniques in here, this post wrote itself in my head. It was irresistible.

I strongly recommend you download the plugin and open geolocation.php to follow along

So, here are the security methods I saw him use, there may be more I didn’t catch, if so feel free to add them to the comments:

Use nonces on all input forms

Chances are your plugin will ask for information. A nonce is a security token that helps guarantee that you are getting real data from a real user. In function geolocation_inner_custom_box() Chris calls

echo '<input type="hidden" id="geolocation_nonce" name="geolocation_nonce"
	value="' .     wp_create_nonce(plugin_basename(__FILE__) ) . '" />';

to add the nonce to his input form and then to check this on the processing side in function geolocation_save_postdata he calls:

  // Check authorization, permissions, autosave, etc
  if (!wp_verify_nonce($_POST['geolocation_nonce'], plugin_basename(__FILE__)))
    return $post_id;

This is very simple code. There’s almost no cost to adding nonces to form processing and you can use that exact code, just changing the name of the field. This will block most bots from abusing your plugin.

Verify the user’s permissions

The user_can functions go hand in hand with the nonces and they work together to block the same kind of attacks. If your plugin does something that just anyone off the street shouldn’t be able to do, verify that the user is allowed to do it. This check is just a little bit further into function geolocation_save_postdata:

  if('page' == $_POST['post_type'] ) {
    if(!current_user_can('edit_page', $post_id))
		return $post_id;
  } else {
    if(!current_user_can('edit_post', $post_id))
		return $post_id;
  }

This simple check to confirm that the user is allowed to edit a post before the geotagging information is added and ties the plugin directly into all of the security already built into WordPress. It is tremendously powerful.

Configure default values

In programming 101, you learn never to trust the computer to give you a clean value for an uninitialized variable. In web development, there are even more implications to this. Caching is one of those. If you call get_option and WordPress does not have a value, it will access the database to see if there is a value set. Until a value is stored in the database, WordPress has to keep looking for it on every page load. Anything you can do that avoids accessing the database files and quite possibly the hard drives where the information is stored, will make your site run faster. If a value is found, that value will be loaded from the cache automatically. Additionally, if you set your default values, you know what you are getting back. Chris handles this in function default_settings():

function default_settings() {
	if(get_option('geolocation_map_width') == '0')
		update_option('geolocation_map_width', '450');

	if(get_option('geolocation_map_height') == '0')
		update_option('geolocation_map_height', '200');

	if(get_option('geolocation_default_zoom') == '0')
		update_option('geolocation_default_zoom', '16');

	if(get_option('geolocation_map_position') == '0')
		update_option('geolocation_map_position', 'after');
}

Use the Settings API and let WordPress do all the work

WordPress 2.7 added a wonderful set of tools called the Settings API. Most plugins do not take advantage of this complex tool set when they could. Chris uses the register_setting API call in function register_settings to enumerate the type of data he wants in each field.

function register_settings() {
  register_setting( 'geolocation-settings-group',
		'geolocation_map_width', 'intval' );
  register_setting( 'geolocation-settings-group',
		'geolocation_map_height', 'intval' );
  register_setting( 'geolocation-settings-group',
		'geolocation_default_zoom', 'intval' );
  register_setting( 'geolocation-settings-group',
		'geolocation_map_position' );
  register_setting( 'geolocation-settings-group',
		'geolocation_wp_pin');
}

As you can see he specifies that certain values must be integers. Chris doesn’t take full advantage of the API in this plugin. In fact, I’m not convinced that simply calling register_setting on its own does anything. It is meant to be used with other calls. Had he used them all WordPress could have handled all sorts of things for him automatically, including the nonce field and additional checks.

The settings API is POWERFUL but has a steep learning curve. Once you pass the learning curve your input form printing just becomes five lines:

<form action="options.php" method="post">
	<?php settings_fields('plugin_options'); ?>
	<?php do_settings_sections(__FILE__); ?>
	<input name="Submit" type="submit"
		value="<?php esc_attr_e('Save Changes'); ?>" />
</form>

This topic is WAAAAAAY to big to cover here and I freely admit, I’m no expert on it. I recommend that you read more: A quick & dirty example or The Whole Shebang

Verify your data

The last two topics are related as the come from the same rule: ALL data that you get from ANY source must be verified. This is where many plugins fail. The assumption is that “if it is in the database, it must be clean” or “it’s from an RSS feed, I know the data is good” or “The variable has INT in the name so it obviously contains an integer” or any of a thousand other gotyas. The way to keep yourself safe from an assumption is to VERIFY.
I want to highlight just two examples of this in Chris’s code.

First, in function display_location, he uses a cast to ensure the data he gets is what he wants from post meta:

$public = (bool)get_post_meta($post->ID, 'geo_public', true);

Second a function clean_coordinates uses regex to ensure the value he receives is what he wants:

$latitude = clean_coordinate($_POST['geolocation-latitude']);
[..]
function clean_coordinate($coordinate) {
	$pattern = '/^(\-)?(\d{1,3})\.(\d{1,15})/';
	preg_match($pattern, $coordinate, $matches);
	return $matches[0];
}

Escape all variable data you display

I won’t show specific examples of this as they are everywhere throughout the whole plugin, but this is one of the most important steps you can take to make your plugin secure. It is also one of the areas that has has the most focus in the WordPress core over the years.

If you are displaying a value that isn’t hard coded in your source, you need to first feed it through one of these functions (or something similar):

esc_attr()	Cleans HTML attributes for use on screen
esc_html()	Prepares complete blocks of HTML code
esc_js()	Special javascript handling of quotes and EOL characters
esc_sql()	Escapes data for use in a query
esc_url()	Returns a valid URL if possible
esc_url_raw()	Prepares an URL to be inserted in a database

This applies to values you are putting into javascript, urls you are displaying on the screen or using for includes, and data used to build image references. All this information must be sanitized. Visit the codex for more information on data validation.

Bonus Tip

If you’ve made it this far in the post, you get one more tip for free. DON’T DO IT ALL YOURSELF. I’d be willing to wager that this plugin was not ‘born’ with all of these security techniques in place. Though this plugin is attributed to Chris in the repository, he lists multiple authors for the plugin. You don’t HAVE to do all of this by yourself. Once your plugin is done, ask people to review it. I can pretty much guarantee that someone will find something. That’s just how it works. But won’t you feel much better if your friend catches the problem before it is discovered because your plugin added an avenue of attack to every site it’s been installed on? Someone will be glad to review it for you it. That’s part of what is great about the WordPress community: people love to help.

Summation

Website security will forever be an on going battle. It is a big, complicated subject with nuances you can miss easily. However, WordPress has been around long enough to have build up quite a collection of tools you have at your disposal as a plugin author. If use the tools WordPress provides, following Chris’s example outlined here, you can rest easy at night knowing you’ve done your job well.

I just made a change to my .bashrc file and I thought I would share the tip. All of this is pretty basic stuff, but if you don’t customize your linux logins, this would be a good place to start.

For Microsoft people who don’t know, .bashrc is in some ways like a combined config.sys and autoexec.bat file. If you don’t know what an autoexec.bat file is, you totally missed the 80s dudes…

In a *nix environment, the rc at the end of a file name typically means that it is a “run control” file. Run Control files execute when a program starts. In this case, the program is bash – the command line interpreter/shell. Other programs look for rc files too. Because of this, you could have bunches of them in your home directory. The . at the front of the file name indicates that they are hidden from a normal directory listing. This way they don’t clutter up your home.

I have lots of neat things in my .bashrc file that add functionality to my default CLI. I’ll be sharing just three of those with you now.

The first is an alias: ebrc. When I type ebrc and press enter, I’m taken immediately into an editor with my .bashrc file open. You can think of an alias as a single line shortcut. It looks like this:

alias ebrc='vi ~/.bashrc'

As you can see, it just says “when I type ‘ebrc’, treat it like I really typed ‘vi ~/.bashrc’”.

The second thing I used tonight was the alias brc:

alias brc='. ~/.bashrc'

That executes the .bashrc file again, so that all of the changes I’d just made are loaded.

You might ask “Can’t you just type all that out? You’re not saving much time.” Go ahead.. ask. I’ll wait…

OK. The answer is Yes. So, it is important that you don’t go overboard on this stuff. If you use aliases too much, you’ll lose your familiarity with *nix and the skills to do your work on any other server. So proceed with caution. This stuff can be addictive and detrimental to your guru health.

Now with those two helper aliases in hand, I added the function I really wanted to include: ‘upskel’. It takes a task I might otherwise put off and allows it to be completed in 7 keypresses. This is the perfect use case for a .bashrc function.

‘upskel’ takes the latest version of WordPress and places it into the cpanel skeleton directory that is used as the base for every new account created on my hosting service eHermits, Inc.. So, every time an update comes out for WordPress, I can spend 5 seconds to grab the latest and all new accounts I create will be safe and updated.

Unlike an alias, this is done through a function call. Functions allow the use of multiple lines and variables. Here is the call I just added:

function upskel()
{
  cd /root/cpanel3-skel
  rm -R public_html
  rm latest.zip*
  wget http://wordpress.org/latest.zip
  unzip latest.zip
  mv wordpress public_html
}

Technically I probably could have done that as an alias but a function is much easier to read with multiple lines involved.

As a bonus, here is a function that takes a variable:

function  ewpc()
{
  cd /home/$1*/
  pwd
  sudo vi ./public_html/wp-config.php
}

Can you tell me what it does?

When manipulating WordPress databases for exports and merges, sometimes it is helpful to get a list of all of the parents for the categories your posts are in.

For the import I am working on right now.  The category list is being flattened from 30 categories down to 5 categories. The blog has just over 75 thousand posts in it and doing the conversion manually would be a rather arduous process to say the least.

So, I came up with this little query to give me the parent category for each of the child categories on that site.

It’s fairly simple but I’ve had to write it several times now and thought maybe someone else might need it sometime too:

SELECT `tt1`.`term_taxonomy_id` as 'Child Tax ID', `t1`.`term_id` as 'Child Term ID', `t1`.`name` as 'Child Name', `tt2`.`term_taxonomy_id` as 'Parent Tax ID', t2.`term_id` as 'Parent Term ID', `t2`.`name` as 'Parent Name' FROM `wp_term_taxonomy` `tt1`, `wp_term_taxonomy` `tt2`, `wp_terms` `t1`, `wp_terms` `t2` where `tt1`.`term_id` = `t1`.`term_id` and `tt1`.`parent` = `t2`.`term_id` and `tt1`.`taxonomy` = 'category' and `tt2`.`term_id` = `t2`.`term_id` and `tt2`.taxonomy = 'category';

Now I can just grab it instead of rewriting it again next time.  After all, this is The Code Cave…

PS – If you just want to see the top level categories, here’s how:

SELECT `tt1`.`term_taxonomy_id`, `t1`.`term_id`, `t1`.`name` FROM `wp_term_taxonomy` `tt1`, `wp_terms` `t1`where `tt1`.`term_id` = `t1`.`term_id` and `tt1`.`taxonomy` = 'category' and `tt1`.`parent`=0

Periodically I would get messages from Twitter and Facebook telling me that my email address is invalid. �I would just hit reconfirm and it would work fine for a while.

When a client came to me and said he was getting the same messages, it became important to dig into it. �What did I find? �The Spam Cop is to blame.

What is an RBL and how does it block mail?

In earlier articles, I wrote my own spam blocking program because I wanted to be in control of how spam was caught. �I no longer use that method, but if you read those articles, you will know that a common way of blocking spam is by asking different services “Does the ip address associated with this email send out spam?”. If the answer is yes, you can mark the email as spam, delete it or reject it.

One of the services that can answer the “Is this a spammer’s ip address” �question is SpamCop.net. �They are an automated service that has a bunch of email addresses out there waiting for people to send them spam. This method of setting a trap address for people to send email to generates what is called a “Real-time Black-hole List” �SpamCop is one of the most relied on black list out there. � The problem is that it includes both Twitter and Facebook ip addresses on the list.

Do Facebook and Twitter send out spam?

According to SpamCop’s position, the answer is yes and they know it:

FaceBook servers are sending ordinary spam, so they should be on our list like any other spam source.

Reports are being send to spamcop[at]facebook.com. We’ve sent them over 30,000 reports.

I can’t help but think they should be aware of the problem.

- Don D’Minion – SpamCop Admin -

http://forum.spamcop.net/forums/lofiversion/index.php/t10783.html

In short, SpamCop isn’t budging and Facebook isn’t budging so the sys admins have to.

How do I fix this?

I see two paths: one: don’t use SpamCop as a black list; two: whitelist the ips that are being blocked.

Your method of implementing those steps may be different than mine, but if you use WHM and Exim on your servers, the process is simple. �Open WHM and type in “exim” in the Find� box and then choose “Exim Configuration Editor”. � From that screen, in the RBLs� section, you COULD uncheck “RBL: bl.spamcop.net” and hit save.

I decided that keeping SpamCop was important. So I logged into my server by SSH and made a list of all of the IPs that were blocked for Twitter and for Facebook �using these two commands:

[root@hosting ~]# exigrep facebook /var/log/exim_mainlog*|grep spamcop|cut -f2 -d?|cut -f1 -d’”‘|sort|uniq
109.194.143.178
115.113.120.132
123.192.73.157
123.238.17.88
123.24.235.138
124.124.46.13
125.251.222.122
173.9.236.229
178.95.9.11
186.69.26.122
188.162.175.80
190.121.131.98
195.205.21.51
195.93.160.116
200.85.38.222
203.115.75.158
217.123.229.190
217.20.167.105
220.130.11.134
41.177.21.237
62.162.52.152
69.63.178.160
69.63.178.161
69.63.178.162
69.63.178.163
69.63.178.164
69.63.178.165
69.63.178.166
69.63.178.167
69.63.178.168
69.63.178.169
69.63.178.170
69.63.178.171
69.63.178.172
69.63.178.173
69.63.178.174
69.63.178.175
69.63.178.176
69.63.178.177
69.63.178.178
69.63.178.179
69.63.178.180
69.63.178.181
69.63.178.182
69.63.178.183
69.63.178.184
69.63.178.185
69.63.178.186
69.63.178.187
69.63.178.188
69.63.178.189
69.63.178.190
69.63.178.191
77.247.234.66
77.46.179.115
78.188.203.15
79.177.115.97
82.207.120.217
82.246.8.181
85.71.36.197
87.251.142.12
89.211.57.250
93.125.10.223
93.87.96.245
93.88.184.11
94.233.12.74
95.133.172.164
97.77.191.218
98.249.208.39
[root@hosting ~]# exigrep twitter /var/log/exim_mainlog*|grep spamcop|cut -f2 -d?|cut -f1 -d’”‘|sort|uniq
128.121.146.141
128.121.146.142
128.121.146.143
128.121.146.144
128.121.146.151
128.121.146.152
128.121.146.153
[root@hosting ~]#

Now that I had a list of all ip addresses ever blocked for Facebook and Twitter I went back to that Exim configuration screen and at the end of the RBLS section under “Whitelist: IPs that should not be checked against RBLs” I clicked edit and pasted those IP addresses in. I then restarted my Exim mail server right from the option built into WHM.

If you would like, you can use the addresses I’ve included here in this list. �There may be new ips to add each month, so you might also want to generate your own list to make sure it is current.

Also, �it would be nice if we could white list blocks of IP addresses. I know exim supports that but I’m not certain if WHM’s interface does. I want to try it sometime. then to whitelist all of the twitter addresses, you could just put “128.121.146.0/20″ or something similar. �If you try that and it works, let me know.

I was faced with a weird copy command I wanted to do today; so I thought I would share.

How do you copy files in a directory tree to another directory?

I wanted to copy all of the mp3 files in a directory tree over to one specific target directory.

Initially I thought the command

cp -r *.mp3 /target/directory/

would work, but �even though it specifies the –recursive option, it does not iterate the subdirectory looking for the mp3 files.

So I resorted to my �every faithful companion: find -exec. �It seems like this is one of the most useful tools in linux. �In this case, here is the command line I used:

find . -type f -name ‘*.mp3′ -exec cp {} /targetdirectory/ \;

The process is straight forwarded. There are several methods:

find . -mtime -1 \! -type d -exec ls -l {} \;

Or more simply

find . -type f -mtime -1

In my case, I wanted to do more. First since I was searching an SVN repository, I wasted to exclude all of the extra files that are touched by SVN. Additionally, the goal was to show which files contained a print_r function.

Here’s what I came up with:

find . -path '*/.svn/*' -prune -o -type f -mtime -1 \
-exec echo '{}' \; -exec grep print_r {} \;

Hope that helps!

AVG is a “free” antivirus software package that has become fairly popular lately. The b5media tech team has been asked many times in the last 24 hours about why AVG is blocking legitimate sites. There is a FAQ on AVG’s site about this, but it is incomplete and, in my opinion, inaccurate*. People are asking the questions in the AVG forum, but responses have just been long paragraphs explaining how they’ve asked the question in the wrong forum and links to the FAQ. I’ll attempt to better address the question here.

The FAQ says:

There are several possibilities how a clean and legitimate website may become infected:

• Website was exploited by some hacktoolkit which searches for vulnerable websites, and automatically infects them.
• Infection was inserted on the machine that is used to create/upload websites, which means that the author’s/administrator’s computer is infected.
• An attacker gained direct access to the website administration thanks to a weak or stolen access password.

We recommend to contact the administrator of such website.

This may have largely been true 5 years ago, but it isn’t now. Yes, breaches in security happen and always will. However, the most common vector for malware to get on today’s sites is through ads.  These ads aren’t even ever seen by the webserver you are visiting**. 

The FAQ would be accurate if they added:

• The website is currently displaying an ad/image hosted on a site that AVG has deemed dangerous.

The unprinted bullet point is:

• We mess up. We are humans. We are not perfect and neither are the tools we use. Sometimes we will say a site is infected when it isn’t. Sometimes we will say something is malware, that really is, but it is so common place that blocking it will make so many sites unusable that we will have to back down. When this happens, we will try to “fix” the issue as quickly as possible.

This ad vector is something that all websites are fighting right now. It’s difficult because servers can be spotless and tight, but tools like AVG and the Google toolbar will see one of these ads (that we have nothing to do with) and will list that site as infected.  If a bad ad is served when Google scans for infection, then the site is completely dropped from the Google index. NOT GOOD. Then the admin has to go and figure out which ad is bad and from that which ad manager let something slip through that they should have blocked.***

So, what is the current issue? Well, on October 14, 2009 AVG reclassified an ad/cookie used on a large majority of websites out there as dangerous. That’s why AVG is blocking familiar sites such as http://nytimes.com, http://imageshack.us, http://yahoo.co.uk, http://babelfish.yahoo.com, http://problogger.com as well as other b5media entities like http://everyjoe.com http://splendicity.com and http://blisstree.com

Everything seems to point to ads.YieldManager.com as what is being blocked. Yieldmanager.com has an Alexa rating of 198. Think what you want of Alexa, 198 means they are BIG. You probably know the name as they have been on most sites you’ve visit for years.  YieldManager is run by Right Media, which, since 2007, has been controlled by Yahoo. This is why the ip addresses, that come up in the AVG LinkScanner alerts, all point to Yahoo.

In short, AVG will either change this decision or lose market share. It won’t take long for them to make up their mind.

UPDATE: Around 9am the forum included a post stating “UPDATE…. It’s now been ascertained that it was actually a false positive. Please update the AVG on your system.”

Forum users report that AVG has changed their statement from:

Let us inform you that this is not a false detection. Our LinkScanner
technology detects a real threat, which is Geo-IP and also browser
specific targeted, therefore it is detected only at www.yahoo.co.uk
(IP: ) in Mozilla Firefox web browser only.

Over to:

Unfortunately, the previous AVG Link scanner database might have
detected the mentioned web page as threat. However, after thorough
analysis we can confirm that it was a false alarm. We have released a
new Link scanner update that removes the false positive detection on
this web page. Please update your AVG and check if your are able to
open the web page properly.

As you can also see from that thread, some people received an update this morning, but still are having problems on popular sites.  My only suggestion is that you update AVG a few more times and hope that they allow you to surf your favorite sites.

* Yes, I’ve submitted feedback about this.

** The way most ads work is a webpage will include instructions for your computer to say “Hey, you big sexy ad server, give me an ad to display.” when the page is loaded.  At that point, the big sexy ad server says “Very well then. Go to ads.example.com and get the ad.”.  Your computer then visits ads.example.com which can return any number of different ads. Some will be perfect nice ads. Some may be nasty infectious ads. Others will work on one browser, and throw errors on another.  The site has no control over this. Really, neither does the big, sexy ad server (though it should run its own periodic checks) since the ad that appears at ads.example.com was probably legit when the ad was purchased. The ads that appear are only as reliably legit as the checks in place at that third party ad server.

*** That said, it is kinda interesting to look at all the sites out there listed as infected. For example go here to see an infected site and then bounce up from there into any of the 3 networks that site is hosted on. That will lead you to thousands of other infected listings.

I’m just jotting down some notes about using the Google Safe Browsing API to prevent a site from serving malicious/bad ads.

Problem Defined

• Ads are put on a site via javascript by calls as simple as “getad(‘adposition1’)”. JavaScript is executed via the client’s browser after the page is served.
• Those calls don’t touch any of our servers, they go from the client to the Google/Glam/Whatever Ad Server. So we don’t see the ads before they appear on the customer screens.
• The ads being served may be malicious
  • Any ad that is served can link to a site that has been infected. We will want to block this.
  • Any ad that is served can “take over” the page and redirect the page to a site that may or may not have malware. We want to block ALL take over attempts.
  • There may be other types of ads that we wish to block.  Potentially we might wish to block specific ads on specific sites (i.e. a sexual connotations in ads on pre-teen audience sites). This may be beyond the initial scope and/or incur unwanted execution expenses.
• Serving a malicious ad can get a site listed as “infected” even though your server has had nothing to do with ANY of the ad content.
  • http://www.google.com/safebrowsing/diagnostic?site=http://malware.testing.google.test/testing/malware/
  • http://www.google.com/safebrowsing/diagnostic?site=Folkalley.com
  • http://www.google.com/interstitial?url=http://malware.testing.google.test/testing/malware/

Obstacles

• Any extra calls WILL slow the page load process.
• Each page load MUST call the ad serving script again
• If an ad can be identified as bad, some other type of content must be served in that position to ensure page integrity.
• The request for ad content HAS to come from the customer side because many ads are geo-specific and the customer’s IP determines what ad shows at what time.
• You don’t want to set up a system where the site itself can submit a site as “bad” as anyone could sniff that info and seed our black list with bad data.
• The results of the first getad() call could result in more javascript which must, in turn, be processed by the browser to produce the final ad. Potentially, several layers of JS could exist before the real ad is served. (e.g. 2 layers of indirection before ad: Google Ad Manager JS —serves—> Glam Ad embeded JS call —serves—> JS call to 3rd Party Ad Server —serves—> Ad). This pattern is real and happens often.

Possible solutions

• Status Quo: As problem sites are reported to us, determine which ad is bad, report it to the ad server & hope they fix it before google sees it and lists the site as a dangerous site in it’s tool bar and in chrome.
  • Unless you are “lucky” you don’t get the badad.
  • Once you get the badad, it is hard to determine the initial JS that caused the problem
• Embed everything JS with its own iframe
  • Will block take overs
  • May or may not prevent Google from listing the site, probably not.
  • Will break ads that are contextual based
• Check the ad entirely on the client side via a black list: GSB API (http://code.google.com/apis/safebrowsing/) or PhishTank (http://data.phishtank.com/data/online-valid.xml)
  • This Good/Bad check could be done with a single call with the API call
  • Calls to external servers are dependent upon the health/bandwidth of that server
  • This could also be done via downloading the black list and checking off of that: http://code.google.com/p/jgooglesafebrowsing/wiki/Quick_Start_Guide
  • Blacklist downloading would cost time and would have to be updated periodically.
• Implement a hybrid solution where a call is done to our servers to see if the an ad is good or bad.  (Server side base code: http://lampsecurity.org/php-google-safe-browsing-api )
  • Ad call is processed in JS eval (Will have to be checked for nested JS calls)
  • MD5 of ad is sent to the server. The results are Good/Bad/Unknown.  (Pass the url?)
  • If the result is Good, ad is served and process exits
  • If the result is Bad, either go to step 1, or serve place holder/known good ad & exit.
  • If the result is Unknown, send the JS to the server for verification. The server processes the code and returns a Good/Bad result.
  • If the result is Good, ad is served and process exits
  • If the result is Bad, either go to step 1, or serve place holder/known good ad & exit
• Other solutions?

Reading

• All your IFrames Point to us: http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html http://research.google.com/archive/provos-2008a.pdf
• The Ghost In The Browser http://www.provos.org/index.php?/archives/17-The-Ghost-In-The-Browser.html http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
• Ask the Google Malware Team: http://moderator.appspot.com/#15/e=a77ea&t=a9521
• Cybercrime 2.0: When the Cloud Turns Dark http://queue.acm.org/detail.cfm?id=1517412
• Google Online security http://googleonlinesecurity.blogspot.com/

Anyway, I had this going through my head and wanted to get this all written out. So I can have a place to check back on this tomorrow…

This error message always bothered me because it makes no sense when I get it.

Here’s my scenario… I have a directory that is used as the base for all new accounts I sell on my servers. The path is; /root/cpanel3-skel. I always put WordPress in that directory and I want to keep the latest version of WP in that directory

[root@wiredtree ~]# rm -r wordpress latest.*
rm: cannot remove `wordpress’: No such file or directory
rm: cannot remove `latest.*’: No such file or directory
[root@wiredtree ~]# wget -q http://wordpress.org/latest.zip
[root@wiredtree ~]# unzip -q latest.zip
[root@wiredtree ~]# mv -f wordpress/* /root/cpanel3-skel/public_html/
mv: cannot move `wordpress/wp-admin’ to a subdirectory of itself, `/root/cpanel3-skel/public_html/wp-admin’
mv: cannot move `wordpress/wp-content’ to a subdirectory of itself, `/root/cpanel3-skel/public_html/wp-content’
mv: cannot move `wordpress/wp-includes’ to a subdirectory of itself, `/root/cpanel3-skel/public_html/wp-includes’

WHAAAAT? Obviously it is not a subdirectory of itself…

Something strange is going on… We get a little more information if we try to do a move from one device to another. Take a look at this error message:

[root@wiredtree tmp]# mv -f wordpress/* /root/cpanel3-skel/public_html/
mv: inter-device move failed: `wordpress/wp-admin’ to `/root/cpanel3-skel/public_html/wp-admin’; unable to remove target: Is a directory
mv: inter-device move failed: `wordpress/wp-content’ to `/root/cpanel3-skel/public_html/wp-content’; unable to remove target: Is a directory
mv: inter-device move failed: `wordpress/wp-includes’ to `/root/cpanel3-skel/public_html/wp-includes’; unable to remove target: Is a directory

This reveals the true source of the error message. In “mv –help”, the explanation of “-f” is too simplified and says only:

-f, –force do not prompt before overwriting

In “cp –h” we closer,but not exact, explanation of the real process, and one that better matches the inter-device error message:

-f, –force if an existing destination file cannot be opened, remove it and try again

The final bit of information is in an Ubunto bug 71174 “Misleading error message with mv and existing directories” where they change the error message to be “mv: cannot move `a’ to `b/a’: Directory not empty”.

So there you have it. You get that error message because the -f command tries first to remove the directory and can’t because it contains one or more files. You don’t get this message if the subdirectories are empty. The remove works fine on an empty directory but fails if there are files. The Linux core can’t correctly handle this exception and throws up what is probably the last error message in a switch/case statement “cannot move – to a subdirectory of itself”.

So what do you do about it? Well you can either empty the destination directory first, or you can copy the files and then delete the source directory. I chose the latter option and run this from the root folder:

rm -r wordpress latest.*
wget -q http://wordpress.org/latest.zip
unzip -q latest.zip
cp -rf wordpress/* cpanel3-skel/public_html/
rm -r wordpress latest.*

Cool? Hope that helps someone…

You might find this little command useful, it allows you to create thumbnails for all the files in a particular directory:

find . -maxdepth 1 -name *.jpg -print -exec convert "{}" -resize 80×60 "thumbs/{}" \;

This should work on any server with ImageMagick installed and in the path.

Enjoy!

Jeremy Wright publicly announced today that he has has left the helm of b5media.

My family owes a lot to Jeremy Wright. With Aaron Brazell, Jeremy brought me into b5media, full time in this world of new media.

I’d not have made many of the friends I have today or traveled to some of the places I’ve been, without Jeremy and his dream for b5. He’s a good friend and a good man.

Times have not always been easy, but Jeremy has had the courage to make the difficult decisions that allowed my family and many others to still put food on the table. This is only due to Jeremy’s leadership and the strength of those at b5′s helm. Other companies in our market space have not been fortunate enough to have the same caliber of leadership.

Thank you for all the hard work over the years Jeremy, from all of us.

I ran into a situation where I wanted to get the name of the directory I was in, in PHP. To be clear, I didn’t want the full path, just the directory/folder name

To be clear, if I was working in the directory:
/home/username/public_html/addonname

I wanted to have addonname returned.

I worked out two solutions.

The first solution used the getcwd() function which returns the full directory path as shown above but to use the basename function to get the part I needed. It worked so… “echo basename(getcwd());” returns “addonname” in this scenario.

That would meet my needs perfectly. I believe that matches my requirements in spirit, but was not literally correct. That statement returned the current working directory, but not the directory where the file was located. In fact, PHP 4 and PHP 5 differ when getcwd() is called from the command line. If you are in the ‘/’ directory and execute “php /test/talktome.php“, a php 4 getcwd() in that file will return the path “/test” while PHP 5 will correctly return ‘/’.

To resolve this, this next call works even better:
“echo basename(dirname(__FILE__));”

Does anyone want to do some speed tests to see which is faster after 10,000 calls? Let us know your results.

A few weeks ago, I’d been asked to beta test the new levels for the popular Zynga Mafia Wars game. Mafia Wars is arguably the most popular and successful of the social media games developed by the recently Venture Capital funded company Zynga. To date, the 1.5 year old, profitable, VC backed Zynga has raised 39 Million dollars in funding. As Mafia Wars is widely popular, there is bound to be great interest in this new Zynga release.

The story starts as I was about to crash for the night and made the mistake of turning on a computer screen. Imagine my surprise when I noticed a “Fly to Cuba” button on the top of my Facebook Mafia Wars page. In this beta release, there are new jobs hidden till you complete the next level and there are loads of new help topics and weapon descriptions and loot items revealed. I’ve made certain to record as much as I can tonight and you can look forward to finding more information in The Code Cave about this new Mafia Wars module.

My Mafia Wars links:
Be My Friend on Facebook
Join My Mafia
Promote me, [LSM] Capt. Queeg, if it will help you
Send me Black Mail Photos! I need 130 more

However, as I am likely to pass out on the keyboard at any moment, for today, you’ll have to be content with these tall images of the Mafia Wars: Cuba Home page and its first Jobs page. Enjoy:

This is the initial page for Mafia Wars: Cuba. Notice the Shared Mafia Wars Resources.

Mafia Wars: Cuba - Jobs - El Soldado - The Soldier

There’s been rumor and confusion over the last week about whether WordPress and WordPress mu were merging as Matt seemed to imply at WordCamp SF. The announcement was so shocking that the true meaning was uncertain. For example, the avid WordPress evangelist Lorelle was left with the impression that WordPress.org would become a community site. Thankfully, Donncha, WordPress mu’s lead, gave the conclusive word on the subject this morning:

Basically, the thin layer of code that allows WordPress MU to host multiple WordPress blogs will be merged into WordPress. I expect the WordPress MU project itself will come to an end because it won’t be needed any more (which saddens me), but on the other hand many more people will be working on that very same MU code which means more features and more bugfixes and faster too.

Donncha, I would view this with the honor it does you. It is not much of a stretch to say that with your work on mu, you’ve made a lasting contribution to the shape of world and how people get information and will relate to each other over the upcoming years. More and more and more sites are run on mu, while the whole buddy press/bbpress/mu paradigm is taking off and will change the shape of the web. The adoption of the mu’s features into the WP core is a signal of what is to come and it will be an exciting ride!

Congrats guy!

While I was rolling around near comatose yesterday WordPress 2.8 beta 1 hit the streets. We plan to do a thorough review of this project on Thursday at the Ohio WordPress meetup here in Akron, Ohio. So, I figured it would would be a good time to run it officially here in The Code Cave.

The upgrade process is as simple as always. Unzip the file, copy it over the existing files, go to wp-admin upgrade and click continue. When the official release comes out, I plan upgrading my wp-upgrade script as I still think it is useful. Even though WordPress itself has upgrade abilities within it, the full file backup and database backup that my script does, still provides added benefit. So, I’ll keep it around a while longer.

As for WordPress 2.8, you don’t need to fear about learning a totally new system from scratch. There are a number of nice changes and tweaks, but the basic interface remains the same. There are a lot of changes for plugin developers and the like, but the everyday users will see some things like the new widget drop zone that makes it easy to make a widget inactive without loosing its settings. I’ll be testing over the next few weeks to see what I’d consider note worthy for a release post. I used to even do a line by line comparison, but I don’t know if I’ll don’t be returning to that. For now you can read about the changes here.

If there is any part of this upgrade that you definitely think we should cover at the Ohio WordPress Meetup, please let me know so that I don’t miss it!

Send me 1 item on my wish list and put a message on my wall asking for any two items from this list and I’ll send them back to you. Make sure to provide a link to your profile or your profile name or I’ll not be able to find you. First Come: First Serve. So you might want to have a backup choice or two. I’ll adjust this page as I run out of stuff.

Of course if you want to do this you’ll need to:
Add me as a Facebook Friend
Join My Mafia
Promote me (I’ll give you at least a 13% bonus depending upon your level if you Promote me as your Bagman)

After less than 2 months of playing, I am a Level 160 Boss Mogul with master on every level up to underboss. I have 11 out of 14 achievements. I currently earn 111mil every 51 minutes. I’ve been leveling up 3 to 4 times every day, though I might hit 5 levels today. With >1000 mafia members, I’m really raking in the experience points just by other ppl using me in fights. So I should reach the max bagman bonus for you pretty quickly.

Here is what I am offering:

Ten of Diamonds
Monkey Sculpture
White Poker Chip

Ebony Cigar
Sky Cigar
Rose Cigar
Ivory Cigar
Turquoise Cigar
Gold Cigar

Eight of Spades
Nine of Spades
Ten of Spades
Jack of Spades
Queen of Spades

Topaz Ring
Opal Ring
Amethyst Ring
Sapphire Ring

Solid Tie
Striped Tie
Checked Tie
Geometric Tie
Dot Tie
Knitted Tie

Warhol Painting
Van Gogh Painting
Dali Painting
Monet Painting
Rembrandt Painting

Silver Cufflinks
Gold Cufflinks
Amber Cufflinks
Jasper Cufflinks
Agate Cufflinks
Onyx Cufflinks
Pearl Cufflinks

Mill Reef
Sea Bird
Arkle
Golden Miller
St Simon
Ormonde
Eclipse

9mm Semi-Automatic
.22 Pistol
Butterfly Knife
Brass Knuckles
.45 Revolver
Firebomb
Automatic Rifle
Semi-Automatic Shotgun
C4
Tactical Shotgun
.50 Caliber Rifle
RPG Launcher
Grenade Launcher

Stab-Proof Vest
Lucky Shamrock Medallion

Armored Truck
Prop plane

A New Look

You may notice that there are a few things different around here! I am approaching the three year anniversary of The Code Cave and have decided to spice things up a bit. The site is now sporting a new theme on a new web host, its own VSP. And I’ve got a number of posts lined up to be published. The first of which is this one. My entry into the Blog World and New Media Expo Free Ticket to South By South West Interactive contest.

Sham WOW!

Now, I have to admit I was inspired by an infomercial that you simply can’t get around seeing these days. It’s Vince Offer‘s Sham Wow product:

Now if you haven’t seen that, surely you’ve seen the “Slappin your troubles away” Slap Chop. The excitment Vince shows for his favorite past time, of selling products everyone could use, is infectious.

I’m not the first to be inspired by his exuberance. Rhett and Link have given the commercial their full treatment and created this video:

And now… SxSW WOW!

My reaction ( major hat tip to http://twitter.com/markjaquith ) to Blog World and New Media Expo giving away a free ticket to SxSWi was simply WOW! and stare at the screen for screen for a while waiting for my brain to turn back on and finish processing every thing it had been ignoring from my eyes for the last 5 minutes. SxSW wow! And that was it! the vision was born within minutes of reading the article.

I shot some even fancier footage from my motorcycle showing the excitement of the 20 hour drive down to Texas, if that’s how I went (And yes, I would live stream the whole way). And had some other ideas to include, but the priorities fell to 1. Get the site transferred to the new host. 2. Make the site pretty enough to host the video 3. Get the blasted thing DONE!

So without any more ado, whatever that is, I present you with “SxSW WOW!” (uploaded at March 01, 2009, 10:43 PM PST):

I do need to thank my loving wife Denise Layman (aka Sorka) of knitting fame at KnitChat.com for all of her help filming with MS Movie Maker tips as I’d never used it before. Thanks Love!

Download hi res 600mb

Mentioned in the Video

Tim Bourquin founder of New Media Expo – who seems like a really nice guy And as far as I know he’s never consumed 20 times his weight in ANY type of liquid
Rick Calvert – Co-Founder of Blog World Expo who I know is a really nice guy
Jim Turner – aka Genuine, who is an excellent write of no little fame. I noticed that he happened to be the author of the contest post! And as far as twitter is concerned, yes, I’m pretty sure he is following me!

Sham WOW! Script

Since I had this file on my desktop I figured I’d share my script with you. Here are the original and new lines I used from the commercial:
O: Hi It’s vince with Sham Wow!
N: Hi it’s Brian and I’ve got a SxSW Wow! from Blog World Expo!

O: I’ll be saying wow, everytime I use this ticket.
N: You’ll be saying wow, every time you use this towel.

O: It’s like a shammy it’s like a towel it’s like a sponge.
N: It’s like a party, It’s like a confererence, I’ll be like a sponge, YAY ME!

O: Sham wow holds 20 times its weight in liquid.
N: SxSW attendees absorb 20 times their weight in liquid! Just ask Tim Bourquin

O: Look at this it just does the work
Why do you want to work twice as hard
N: Look at this, I’m doing work!
Why would I want to be working at home?

O: Made in germany. You know the germans always make good stuff
NOT USED: This is a gift from blog world expo, you know Calvert always makes good stuff…
REPLACED: Every SxSW Wow! comes pre-Rick rolled by (Rick) Calvert himselfs

O: Here’s some cola, wine coffee cola pet stains
Not only is your damage on top but
There’s your mildew. that is gonna smell you see that?
N: Here… here is my anxiety of how to get to SxSW. My sweat, my tears, my embarrassing stains,
Not only is it on top
But it’s down deep man

O: Were gonna do this in real time
Put it on the spill, turn it over
without even putting any pressure 50% of the cola right here. Following me camera guy
The other 50% the color starts ta come up.
N: I’m gonna stream this live
I put my SxSW Wow! on top and roll it
No Pressure man, No pressure and suddenly 50% of my worries are gone!
All that remains is the fun of getting there. You followin me (Jim) Turner, you followin me?

O: No other towel is gonna do that
It works like a vacuum.
N: And look at that
It works like a Valium.
No other ticket is gonna do that!
SxSW Wow!

O: See what I’m telling you.
Sham wow – you’ll be saying wow every time
N: See what I’m telling you.
SxSW Wow! – I’ll be saying Wow! all the time!

THANKS BLOG WORLD EXPO!

I first laid eyes on Michael Widenius, the original and principle author of the MySQL database software at the 2008 MySQL Conference in San Jose.  Michael, who is more commonly known simply as “Monty”, had recently had his pride and joy, the MySQL AB company purchased by Sun Microsystems. I’d say that just about every attendee was extremely nervous about the future of MySQL, and every (new) Sun employee was eager to say “Oh, the purchase was great thing!”. There certainly was a Sun head hunter at every corner ready to hand out an application form (and a pair of boxer shorts or two).


I left the conference having learned a lot of the techniques Lee Newton would be soon applying to the b5media database architecture. But far as the Sun purchase was concerned… I felt a little less safe. It was worrying that something that important was not quite as secure as it once was.  There was no indication something bad was about to happen, but the way things were, it was sure to be painful if something did.

So now not a year later, Monty announced today that he has quit because Sun released MySQL 5.1 without first resolving significant flaws despite Monty’s strenuous objections. Monty previously released a detailed list describing some of the “many known and unknown fatal bugs in the new features that are still not addressed.” My take from the article is that we should consider MySQL 5.1 should be considered a 5.0 maintenance release with pre-release beta features included.

Obviously Monty had spoken up to the higher ups at Sun prior to the release, but as he explained this had little affect.  I think that the open source world collided heavily with the corporate reality of “Cost, Schedule, Features, or Quality – Choose 3”. In the open source communities, the choice is simple, the schedule rarely if ever enters the mix. In this corporate battle, it obviously was one of the three chosen. Monty had been seen this coming early on and had been very vocal even back in April 2008 (see page 19) calling for Sun to “Create a release policy and independent release policy board that can’t be manipulated by people in charge of server development (to not allow anyone to sacrifice quality to reach personal goals)” Whoa… “To reach Personal Goals” – even then it sounded to me like he had someone in particular in mind. Additionally, from another comment later in the keynote: “Sun is more opensource/free software friendly than MySQL AB has been lately and is driving MySQL in the right direction” it seems obvious that there was a power struggle going on. After all MySQL AB was co-founded by Michael and he should have had significant influence over the company’s philosophies. I don’t know the rest of this particular sub-plot, but I’m certain there is more to be told.

In any case, in light of MySQL 5.1’s quality issues at time of general availability Michael tells us he immediately quit  but was talked into giving three months months to Sun for reconciliation and putting things right. That stretched into seven months, but the end result was the same. Michael announced today that he’s resigned and will be creating his own version of MySQL called MySQL-Maria which will will incorporate all MySQL updates but include rewrites and additional code to improve stability. It will be primarily developed by a new company he is forming named Monty Program Ab which will be “a true open source company”. I’m still not sure what that means, but I guess I could read up on it in more detail, if I wanted to.

So, what does this mean? Is it a good thing? I guess it is good that someone is out there fixing known bugs in MySQL, but won’t that happen anyway with an open source project? It’s great to see another company formed to further the open source movement, but can a MySQL standards war be beneficial?  Given the adoption rate of new MySQL releases, does it even matter that 5.1 was released? It’s not as if ISPs will install it anytime before 2010 by which time there will be patches.

In the end, from the clues I’ve seen I suspect this episode occurred due to a personal, philosophical dispute that Monty didn’t win. Regardless, I wish him success with his new project and thank him for providing a tool that I use ever day: MySQL.

I figured I’d record me reading a story to the kids… because… well you never know…

And I did sign the life insurance policy today..

BTW – an antimacassar is that little thing that always falls off the back of the lazy boy every time you sit on it.. http://en.wikipedia.org/wiki/Antimacassar

For various reasons, sometimes the number of comments shown under the title of the post may not match the number of actual comments displayed under the post.

Here is a simple SQL statement that will resolve the issue:

update `wp_posts` set comment_count = (select count(*) from wp_comments
WHERE `comment_post_ID` = `ID` and comment_approved = '1')

You can use this to verify what would change and where your problems may lie:

SELECT ID, `post_title`, `comment_count`,
    (select count(*) from `wp_comments`
        WHERE (`comment_post_ID` = `ID`) and (`comment_approved` = '1')) as NewCC
    FROM `wp_posts`
    WHERE `comment_count` <> (select count(*) from `wp_comments`
        WHERE (`comment_post_ID` = `ID`) and (`comment_approved` = '1'))

Copy, paste, and bold what you have done!
1. Started your own blog
2. Slept under the stars
3. Played in a band
4. Visited Hawaii
5. Watched a meteor shower
6. Given more than you can afford to charity
7. Been to Disneyland/Disneyworld
8. Climbed a mountain
9. Held a praying mantis
10. Sang a solo
11. Bungee jumped
12. Visited Paris
13. Watched a lightning storm at sea
14. Gone rollerskating
15. Adopted a child
16. Had food poisoning
17. Walked to the top of the Statue of Liberty
18. Grown your own vegetables
19. Seen the Mona Lisa in France
20. Slept on an overnight train
21. Had a pillow fight
22. Hitch hiked
23. Taken a sick day when you’re not ill
24. Built a snow fort
25. Held a lamb
26. Gone skinny dipping
27. Run a Marathon
28. Ridden in a gondola in Venice
29. Seen a total eclipse
30. Watched a sunrise or sunset
31. Hit a home run
32. Been on a cruise
33. Seen Niagara Falls in person
34. Visited the birthplace of your ancestors
35. Seen an Amish community
36. Taught yourself a new language
37. Acted in a play or performed on stage
38. Seen the Leaning Tower of Pisa in person
39. Gone rock climbing
40. Seen Michelangelo’s David
41. Sung karaoke
42. Seen Old Faithful geyser erupt
43. Bought a stranger a meal at a restaurant
44. Visited Africa
45. Walked on a beach by moonlight
46. Been transported in an ambulance
47. Had your portrait painted –
48. Gone deep sea fishing
49. Seen the Sistine Chapel in person
50. Been to the top of the Eiffel Tower in Paris
51. Gone scuba diving or snorkeling
52. Kissed in the rain
53. Played in the mud
54. Gone to a drive-in theater
55. Been in a movie
56. Visited the Great Wall of China
57. Started a business
58. Had an uncontrollable giggling fit at the worst possible moment
59. Visited Russia
60. Served at a soup kitchen
61. Sold Girl Scout Cookies
62. Gone whale watching
63. Got flowers for no reason
64. Donated blood, platelets or plasma
65. Gone sky diving
66. Visited a Nazi Concentration Camp
67. Bounced a check
68. Flown in a helicopter
69. Saved a favorite childhood toy
70. Visited the Lincoln Memorial
71. Eaten caviar
72. Pieced a quilt
73. Stood in Times Square
74. Toured the Everglades
75. Been fired from a job
76. Seen the Changing of the Guards in London
77. Broken a bone
78. Been on a speeding motorcycle
79. Seen the Grand Canyon in person
80. Published a book
81. Visited the Vatican
82. Bought a brand new car
83. Walked in Jerusalem
84. Had your picture in the newspaper
85. Read the entire Bible
86. Visited the White House
87. Won money
88. Had chickenpox
89. Saved someone’s life
90. Sat on a jury
91. Met someone famous
92. Joined a book club
93. Had to put someone you love in Hospice Care
94. Had a baby
95. Seen the Alamo in person
96. Swam in the Great Salt Lake
97. Been involved in a law suit
98. Owned a cell phone
99. Been stung by a bee
100. Read an entire book in one day

Note: I played in a group recital in elementary school, but I’m not sure that counts as a band.
I may have climbed to the top of the Statue of Liberty but I’m pretty sure I turned around with Denise when it was too long of a climb.
I also was selected for a jury but was dismissed as I didn’t give the attorney the answers he wanted.