This Blog Is Not For Reading

A blog, just like any blog, only more so


At the Canadian Open Data Experience event, 14 January 2015

Posted by Bob Jonkman on 18th January 2015

(Image: Open Data logo)

On Wednesday, 14 January 2015 I registered for the Canadian Open Data Experience event called “Economic Potential of Open Data”. Speakers were to be Tony Clement, President of the Treasury Board; James Moore, Minister of Industry; and Ray Sharma, creator of the Canadian Open Data Experience (CODE).

Before the presentations started Tony Clement was off in a side office, unavailable for networking, and he left immediately after his presentation. James Moore was not present at all. For an Open Data event that promotes Open Government, it was a bit disappointing not to have access to the government ministers responsible for openness.

Here are some of the notes I took during the speakers’ presentations. My comments are indicated (like this).

Tony Clement, President of the Treasury Board:
  • Tony Clement referred to January 2014’s CODE event as the “first Open Data hackathon” in Canada (yet Open Data Waterloo Region has been holding Open Data Hackathons and CodeFest events since 2011)
  • CODE hackathon had 900 participants, with the spotlight on the business value of Open Data
  • “Electric Sheep” was the winner of the hackathon
  • Tony Clement and James Moore are making this road trip to announce 20 — 22 February 2015 as the CODE2015 Hackathon
  • Dates intentionally chosen to coincide with the International Open Data Hackathon; hopes to have international coexistence
  • There will be cash prizes for the top three apps created during the CODE hackathon
  • Tony Clement gave some words of praise to the Canadian government, saying that Open Data allows Canada to “compete with the world”.
Ray Sharma, creator of Canadian Open Data Experience:
  • Weather and GPS are commercially successful applications of Open Data
  • National competition had 930 participants
  • Ray Sharma talked of the “power of the crowd”, mentioning Litebox, WordPress, Kickstarter and Goldcorp
  • The economic potential of Open Data is like an iceberg — most of it is below the surface
  • There will be three hubs participating in the CODE2015 hackathon: Toronto, Vancouver and Montreal
  • The 2nd Generation of apps will use Open Data and Private Data, e.g. Zillo
Lan Nguyen, Deputy CIO for City of Toronto:
  • Toronto Open Data started in 2009 (although I remember Toronto setting up a blank Open Data web page after the Smart Cities conference in 2006)
  • Open Data is part of Toronto’s Open Government
  • There’s a long list of Open Datasets — Petabytes!
  • Unexpected benefits: silos of ownership; “See, Click, Fix” received 3,000 requests!
  • Commercialization of Toronto Open Data
  • Availability of budget and Council data
  • Transparent, engage citizens
  • Able to understand the outcome of Open Data
  • Liability, risk?
  • Open Data is available to everyone; it is Social Justice
  • Crowd sourcing: Encourage commercialization; partner with educational institutions
  • Next plan: Open Dashboard — reports from different stakeholders
  • Open Data is a powerful driver for Open Government
Devin Tu, founder of Map Your Property:
  • Idea for Map Your Property came from the fact that California has a single portal for geodata
  • MYP aggregates multiple datasets
  • Reports are made available in Microsoft .docx format and maps are exported as .pdf files (Oh great, Open Data in proprietary, non-consumable formats)
  • Benefits of Open Data: Entrepreneurs go to those places where there is Open Data
  • It is expensive to do business in places that don’t have Open Data!
Ryan Doherty, co-founder of IAmSick.ca:
  • Goal of IAmSick.ca: Reduce Emergency Room wait times
  • Integrated datasets? (speaking with Ryan Doherty after the presentation, I learned that much data was collected manually)
  • User tracking provides estimated wait times (are users aware their use of IAmSick.ca is being tracked? What information on users is retained? This could be a privacy leak nightmare waiting to happen. Speaking with Ryan Doherty afterwards, he assured me there was no medical information about users collected)
  • Improving business — efficiency in care delivery was apparent later

I found the focus on business interests and the competitive aspects of the CODE2015 hackathon a bit disconcerting. A cynic would say business is using $40,000 prize money in a competition as cheap bait to attract programmers to work for 24 hours straight. At 900 participants, that works out to paying only about $2.00/hour per programmer. And only four teams split the prize money, so most programmers go completely unpaid.

Still, CODE2015 only has three competitive hackathons on a weekend where the International Open Data Day holds hundreds of cooperative hackathons.

I hope OpenDataWR holds an event this year — the ones in 2013 and 2014 were fun, productive for some, and educational for all.

Posted in Business, Open Data, Politics

Recovering from a WordPress hack

Posted by Bob Jonkman on 29th October 2013

(Image: WordPress logo cleaved by an axe, captioned “WordPress Hacked!”)

Last Friday I was finally getting around to upgrading the WordPress installations on the SOBAC server from v3.6 to v3.6.1. Surprise! WordPress v3.7 had just been released the night before!

WordPress upgrades are famous for their ease of installation. Surprise! After upgrading the first installation most of the plugins were missing, and the theme was broken. A quick look at a directory listing showed that the plugins and themes were still installed. A quick look with a text editor showed some peculiar PHP code at the top of every .php file in the plugins folders. Surprise! This WordPress installation had been hacked! Fortunately, of the five instances of WordPress on this server, only two appeared to be affected. This Blog Is Not For Reading was not one of them.

Each .php file started with something like this:

<?php $zend_framework="\x63\162\x65(…)\x6e"; 
@error_reporting(0); 
zend_framework("", "\x7d\7(…)

Injected, obfuscated PHP code at the top of every .php file, referencing the zend_framework

Searching the Internet for “wordpress plugin invalid header zend_framework” I found a reference that makes me think this may have been possible because of a flaw in an earlier version of the WordPress code that handles comments. Most likely one of the comment fields (user name, e-mail, web address or the comment text itself) wasn’t properly sanitized, and allowed some kind of code injection (probably PHP injection, not a MySQL injection; the contents of the databases appeared to be untouched).

From the backups of the server it appeared that the breach occurred in or before August — either just before the release of WordPress 3.6 on 1 August 2013 or just before the release of WordPress 3.6.1 on 11 September 2013. If I had not been slack in upgrading to WP v3.6.1 then this breach might have been identified much sooner.

The upgrade to WordPress identified the modified files because the injected code preceded (and corrupted) the WP headers, and so WP v3.7 disabled any affected plugins and themes.
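A defender-side check for the symptom described above, added here as an example and not code from the post: it decodes the PHP hex and octal string escapes the injected literal uses, and flags .php files whose top carries statements ahead of the plugin or theme header comment. The escape-count threshold and the two sample files are constructed assumptions.

```python
import re, tempfile
from pathlib import Path
# PHP double-quoted escapes, \xHH (hex) and \NNN (octal), as in the injected "\x63\162\x65..." literal
PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
HEADER_KEY = re.compile(r'(?:Plugin|Theme) Name\s*:')   # the header WordPress parses from the file top

def decode_php_escapes(literal: str) -> str:
    """Expand the \\xHH and \\NNN escapes of a PHP double-quoted string into readable text."""
    return PHP_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)), literal)

def suspicious_reasons(src: str, max_escapes: int = 6) -> list:
    """Explain why the top of a .php file looks injected; an empty list means nothing was found."""
    head = src[:2000]                     # the injection sat at the very top of each file
    reasons = []
    n = len(PHP_ESCAPE.findall(head))
    if n >= max_escapes:                  # the threshold is an assumption; tune it for your tree
        reasons.append(f'{n} hex/octal escapes packed into string literals near the top')
    if re.search(r'@error_reporting\s*\(\s*0\s*\)', head):
        reasons.append('error reporting silenced with @error_reporting(0)')
    if re.search(r'\$zend_framework\s*=', head):
        reasons.append('the $zend_framework variable seen in this incident')
    m = HEADER_KEY.search(head)
    if m:                                 # code ahead of the header comment is what broke the plugins
        opener = head.rfind('/*', 0, m.start())
        before = re.sub(r'<\?php', '', head[:opener], count=1) if opener >= 0 else ''
        if before.strip():
            reasons.append('executable code placed before the plugin/theme header comment')
    return reasons

def scan_tree(root) -> dict:
    """Map every .php file under root (e.g. wp-content/plugins) to its reasons, if it has any."""
    hits = {}
    for path in Path(root).rglob('*.php'):
        reasons = suspicious_reasons(path.read_text(errors='replace'))
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits

# Constructed samples (not the real injected code): one mimics the shape quoted in the post, one is clean
INJECTED = ('<?php $zend_framework="\\x63\\162\\x65\\141\\x74\\145"; @error_reporting(0);\n'
            'zend_framework("", "\\x7d\\7");\n/*\nPlugin Name: Example\n*/\n')
CLEAN = '<?php\n/*\nPlugin Name: Example\n*/\nfunction example_init() {}\n'

def demo() -> dict:
    """Write the samples into a temporary plugin tree and scan it."""
    root = Path(tempfile.mkdtemp())
    for name, body in (('hacked/hacked.php', INJECTED), ('clean/clean.php', CLEAN)):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return scan_tree(root)
```

Running it against a real tree means pointing scan_tree at wp-content/plugins and wp-content/themes; the decoded literal of the constructed sample reads "create", the start of a function name, which is the kind of clue de-obfuscation yields.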

The Fix Is In

I renamed the directory containing the WordPress code, installed a fresh copy of WP3.7, cleaned and copied the wp-config.php and .htaccess files, uploaded a small image to create the wp-content/uploads hierarchy, then copied the upload folder (which didn’t contain any .php files), and then re-installed and re-configured the themes and plugins directly from the WordPress site.

Aside from the additional PHP code, there didn’t appear to be any other damage to the system. So I used the original wp-config.php (but cleaned, and with the “Authentication Unique Keys and Salts” section refreshed), and the new installation just used the existing databases. If there’s any malcode in the databases then that could re-infect the system, so I’m keeping an eye on it.
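The local part of that rebuild, written here as an added example rather than the commands actually run on the SOBAC server: set the compromised tree aside, install from a fresh copy, carry over wp-config.php with the keys and salts regenerated, and copy the uploads without any .php file. Paths and the sample wp-config.php are constructed, and fetching the fresh WordPress download is assumed to have happened already.

```python
import re, secrets, shutil, tempfile
from pathlib import Path

SALT_LINE = re.compile(r"^define\(\s*'([A-Z_]+_(?:KEY|SALT))'\s*,\s*'[^']*'\s*\);", re.M)

def refresh_salts(config_text: str) -> str:
    """Give every AUTH_KEY/..._SALT define a fresh random value, invalidating old cookies and sessions."""
    return SALT_LINE.sub(lambda m: f"define('{m.group(1)}', '{secrets.token_urlsafe(48)}');", config_text)

def copy_uploads(old: Path, new: Path) -> list:
    """Copy the media library but leave behind any .php file dropped into it; returns what was skipped."""
    skipped = []
    def ignore(dirpath, names):
        php = [n for n in names if n.lower().endswith('.php')]
        skipped.extend(Path(dirpath, n).as_posix() for n in php)
        return php
    shutil.copytree(old, new, ignore=ignore, dirs_exist_ok=True)
    return skipped

def rebuild(site: Path, fresh_wp: Path) -> Path:
    """Set the hacked tree aside, install a fresh copy in its place and carry over config and uploads."""
    old = site.with_name(site.name + '.hacked')       # kept for later forensics, never served again
    site.rename(old)
    shutil.copytree(fresh_wp, site)
    for name in ('wp-config.php', '.htaccess'):        # still review these by hand: injected code may sit in them
        if (old / name).exists():
            text = (old / name).read_text()
            (site / name).write_text(refresh_salts(text) if name == 'wp-config.php' else text)
    copy_uploads(old / 'wp-content' / 'uploads', site / 'wp-content' / 'uploads')
    return old

def demo() -> dict:
    """Build a constructed hacked site and a stand-in for the fresh 3.7 download, then rebuild it."""
    root = Path(tempfile.mkdtemp())
    site, fresh = root / 'wordpress', root / 'wordpress-fresh'
    uploads = site / 'wp-content' / 'uploads' / '2013'
    uploads.mkdir(parents=True)
    (uploads / 'photo.jpg').write_bytes(b'\xff\xd8')                 # constructed media file
    (uploads / 'dropper.php').write_text('<?php /* constructed */')   # what must not come along
    (site / 'wp-config.php').write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n"
        "define('AUTH_KEY',         'put your unique phrase here');\n"
        "define('NONCE_SALT',       'put your unique phrase here');\n")
    (fresh / 'wp-includes').mkdir(parents=True)
    (fresh / 'index.php').write_text('<?php /* fresh core */')
    old = rebuild(site, fresh)
    return {'old': old, 'site': site, 'config': (site / 'wp-config.php').read_text()}
```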

I have no idea what the malcode was intended to do. It didn’t corrupt the databases or anything else, but it’s possible it was acting as a keylogger or phoning home some other way. If I feel inclined I might try to de-obfuscate the injected code, but right now I don’t really feel like doing forensics.

Someone suggested using AppArmor to make the WordPress directories read-only. I’m not sure that locking down the WP directory is a good idea. The big new feature in WordPress 3.7 is its automatic update feature. If the WordPress directories are locked down then future security updates won’t be applied automatically. If there is an exploit and WordPress issues a new release to fix it, then a locked-down site will experience a delay in upgrading until the SysAdmin notices and upgrades manually (which is what used to happen before v3.7, but it seems a bad idea to delay upgrades when that’s no longer necessary). Also, the plugin and themes directories would be locked down, and they still require fairly frequent manual upgrades.

I sent the users on the affected sites this message:

While doing upgrades on WordPress yesterday I saw that your blog had been hacked sometime during or before August. I’ve fixed it (re-installed the code, copied your media library, re-installed themes and plugins). I don’t think any damage was done beyond the insertion of malicious code in some of the WordPress files. I don’t know what the action of that code was intended to be, but you should change your WordPress password just in case the bad guys captured it. You can change your password on the “Users, Your Profile page” once you’ve logged in.

After spending some time on Saturday fixing the two hacked WordPress sites I’m a little paranoid, and making sure to implement updates quickly. But a little paranoia is good — it’ll ensure I won’t become complacent again.

–Bob.

WordPress Hacks by Rafael Poveda is used under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) license.

Posted in code, How To, security, System Administration

Why I’m an E-mail Luddite

Posted by Bob Jonkman on 2nd October 2013

(Image: Luddite Memorial, Liversedge)

The pervasive expectation of HTML everywhere came to light in a recent e-mail exchange:

Him: Bob, have a look at this video: LOLcats at work

Me: Did you intend to send a link with that?

Him: Yes, here it is: LOLcats at work

Me: Sorry, still no link. Remember, I don’t receive HTML e-mail…

Him: Wut? I’ve never heard of someone not receiving HTML e-mail!

E-mail was never designed for HTML; it is intended to be a plain-text medium. HTML is merely cobbled on, and mail clients have no standard way to render HTML messages, resulting in different displays on different mail programs. Some mail programs, especially those run from the command line, can’t show HTML rendered messages at all.

Although I use a graphical mail client (Thunderbird), I choose to not display HTML for two reasons:

1) Security: HTML mail can have JavaScript code or other objects embedded. That’s a great way to get virus infections on your computer. I don’t want any code running on my computer that I didn’t put there myself.

2) Privacy: HTML mail that links to external images allows the owner of those images to track your mail usage: When you open the mail, how often you open it, the location you open it at, what computer you’re using, and whether you forward it to others (and then, when they open the mail, how often, their location, &c).

Not to mention that HTML messages are far bigger than text messages, especially when the HTML contains embedded images, fonts, and other stuff. Now, that’s not such a big deal with fast connections, unlimited download caps, and cheap disk drives, but it will still make a difference on small-format devices like phones and watches.

That said, if you do send me HTML e-mail, be sure to embed any images or LOLcat videos. That way I can still view them as static attachments, without revealing when, where, and how often I view them.
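A receiving-side audit of the tracking the two reasons above describe, added here as an example and not code from the post or from Thunderbird: it lists what an HTML part would fetch from the network (remote images, stylesheets) against what the message embeds as cid: MIME parts. The sample message is constructed.

```python
import email, email.policy
from html.parser import HTMLParser
REMOTE = ('http://', 'https://')   # any fetch from here tells the sender when and where the mail was read

class ResourceRefs(HTMLParser):
    """Collect references a rendering mail client loads without the reader clicking anything."""
    def __init__(self):
        super().__init__()
        self.remote, self.embedded = [], []
    def handle_starttag(self, tag, attrs):
        for attr, url in attrs:          # <a href> is excluded: a link loads only when clicked
            if tag != 'a' and attr in ('src', 'href', 'background') and url:
                if url.lower().startswith(REMOTE):
                    self.remote.append((tag, url))
                elif url.lower().startswith('cid:'):
                    self.embedded.append((tag, url))   # resolved from a MIME part of the message

def audit_message(raw: bytes) -> dict:
    """Report what a message's HTML part would fetch from the network versus what it carries inline."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    html_part = msg.get_body(preferencelist=('html',))
    result = {'has_html': html_part is not None, 'remote': [], 'embedded': [], 'attached_cids': []}
    if html_part is not None:
        parser = ResourceRefs()
        parser.feed(html_part.get_content())
        result['remote'], result['embedded'] = parser.remote, parser.embedded
        for part in msg.walk():          # the parts a cid: reference resolves to travel with the mail
            if part.get('Content-ID'):
                result['attached_cids'].append(str(part['Content-ID']).strip('<>'))
    return result

# Constructed sample (not the exchange quoted in the post): a one-pixel remote image, a remote
# stylesheet, a clickable link and one image carried as a MIME part referenced by cid:.
SAMPLE = b"""From: him@example.com\r
Content-Type: multipart/related; boundary="B"\r
\r
--B\r
Content-Type: text/html; charset="us-ascii"\r
\r
<p>Have a look at <a href="https://video.example.com/cats">this video</a></p>\r
<img src="https://track.example.com/open.gif?id=42" width="1" height="1">\r
<img src="cid:cat1@example.com"><link rel="stylesheet" href="https://cdn.example.com/m.css">\r
--B\r
Content-Type: image/gif\r
Content-ID: <cat1@example.com>\r
\r
GIF89a\r
--B--\r
"""
```

For the sample, only the embedded cat1 image can be shown without contacting anyone, while the 1x1 open.gif and the stylesheet would each report the read back to their hosts.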

For more info have a look at the Wikipedia article on HTML e-mail.

–Bob.

You can send HTML e-mail to Bob Jonkman at bjonkman@sobac.com

The Luddite Memorial, Liversedge by Tim Green is used under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Posted in email, privacy, security
