Category Archives: Blogging

Adobe Flash security hole

This is sort of scary.

For those not familiar with security terminology, this article states that websites which allow uploading of Flash files are vulnerable to a security hole that lets bad guys run code that has all the security accesses of the webserver combined with those of the unsuspecting person who runs that file.

For instance, an attacker could send a specially coded Flash attachment to their victim in a gmail message. When the victim loads the attachment, it gets to do anything the gmail server could do with the victim’s account: reset the password, delete messages, send messages (spam!), etc.

The scariest part is that there’s not really a fix without significantly changing the way Flash works behind the scenes. In the meantime, you should avoid Flash that isn’t directly provided by the website you’re going to. For instance, the Flash slideshow on the WOU homepage is OK because we wrote it, but if you go to somebody’s personal website like “https://wou.edu/~joeblow” then you should be careful unless you personally know that Joe Blow isn’t the kind of person to play nasty tricks.

Actually that’s not really the best example, because even if Joe Blow has one of these malicious Flash files on his webspace on our server, it wouldn’t profit him much because there’s nothing much our webserver can do other than show you web pages. The WOUPortal and the Sun Java Email system are on separate servers, so they wouldn’t be vulnerable to Joe Blow’s attack. Of course, Joe Blow could send you a Flash attachment in an email, and if you open it in the Java email system, it could do nasty things to your email account.

This security hole isn’t easy to exploit, but it is theoretically possible. I recommend limiting the Flash files you run on the Web; there are browser extensions to help you do that. If you use Firefox, an extension called NoScript can block Flash files (and malicious JavaScript code as well) on all sites except those you designate as safe. If you use Internet Explorer, you can install Toggle Flash, a toolbar button that lets you turn Flash off and on whenever you want. Instructions for both are available in (ironically enough) a Flash video on the page I linked at the top of this entry. Don’t worry; Foreground Security is a reputable company, so the video is safe to watch.
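The server-side half of this problem is that a site stores whatever a user uploads and later serves it back from its own hostname. As an added illustration (this is not code from the post or from Foreground Security), here is the kind of check an upload handler can run so that a Flash movie is refused no matter what filename or extension it arrives with. The three-byte signatures FWS, CWS and ZWS, the version byte and the little-endian length field are the real SWF header layout; the function names, the allowed-suffix list and the sample files are constructed for the example.

```python
import os
import zlib
from typing import Optional

# Real SWF header layout: bytes 0..2 are "FWS" (uncompressed), "CWS" (zlib
# compressed body) or "ZWS" (LZMA compressed body); byte 3 is the Flash
# version; bytes 4..7 are the uncompressed file length, little-endian.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
COMPRESSION_BY_MAGIC = {b"F": "none", b"C": "zlib", b"Z": "lzma"}


def looks_like_swf(data: bytes) -> bool:
    """Byte-signature check on the raw content, ignoring filename and Content-Type."""
    return len(data) >= 8 and data[:3] in SWF_MAGICS


def swf_header(data: bytes) -> Optional[dict]:
    """Decode the fixed 8-byte header of a SWF, or return None if it is not one."""
    if not looks_like_swf(data):
        return None
    return {
        "compression": COMPRESSION_BY_MAGIC[data[:1]],
        "version": data[3],
        "uncompressed_length": int.from_bytes(data[4:8], "little"),
    }


def check_upload(filename: str, data: bytes,
                 allowed_suffixes=(".jpg", ".jpeg", ".png", ".gif", ".pdf")) -> Optional[str]:
    """Return None if the file may be stored, otherwise a rejection reason.

    The content check runs first on purpose: a SWF renamed to photo.jpg must be
    caught by its bytes, not by its name. The suffix allow-list then handles
    everything else (constructed policy for this example)."""
    header = swf_header(data)
    if header is not None:
        return (f"rejected: content is a Flash movie (version {header['version']}, "
                f"{header['compression']} compression) regardless of the name {filename!r}")
    suffix = os.path.splitext(filename)[1].lower()
    if suffix not in allowed_suffixes:
        return f"rejected: extension {suffix!r} is not on the allow-list"
    return None


# Constructed sample inputs (not real uploads): a minimal uncompressed SWF, a
# zlib-compressed SWF, and the start of a PNG file.
SAMPLE_SWF = b"FWS" + bytes([8]) + (100).to_bytes(4, "little") + b"\x00" * 20
SAMPLE_CWS = b"CWS" + bytes([9]) + (256).to_bytes(4, "little") + zlib.compress(b"\x00" * 248)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_SWF), ("slides.gif", SAMPLE_CWS),
                       ("photo.png", SAMPLE_PNG), ("tool.exe", SAMPLE_PNG)]:
        print(name, "->", check_upload(name, blob) or "accepted")
```

A signature check like this only decides what gets stored; it does nothing for files that are already on the server, and a site that has to accept arbitrary file types cannot use it at all. The usual complementary measure, which is general practice rather than anything the post describes, is to serve user-supplied files from a hostname other than the one the application's own cookies and sessions belong to, so that whatever the browser executes does not run with the application's access.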

Some progress on the blog server front!

OK, of the four problems I noted last time, I’ve made progress on three of them. Plus I got permission to delete all empty blogs on the system and stop automatically creating a blog with every new user account. That in itself is going to make a big difference.

Luckily, I have a semi-automated procedure to create new blogs, so if anybody is offended that their empty, unused blog was wiped without their permission, I can recreate it in under a minute. Well, OK, luck has nothing to do with the fact that this procedure exists. It’s there because I created it. All these after-midnight workdays have to count for something, you know. (No I’m not whining… late nights mean I get to come in late in the afternoon. Yes, my schedule is weird. Yes, my boss is very generous and forgiving. And yes, it’s late at night and I may later regret being so glib.)

Anyway, progress on the specific problems:

  • The permissions issue was actually caused by a misconfiguration on the old server that gave it too many rights. The new one is set up correctly (and much more securely) but this means that some old blogs that were set up under the old, too-loose security rules won’t work now that things are the way they were supposed to be all along. (No, I will not explain exactly what was wrong and how it’s right now, sorry. We can’t give out detailed security info.) Anyway, I still need to go in and fix some of the blogs, but the major ones have already been taken care of.
  • The style problems happen because the upgrade didn’t change the templates on the existing blogs. The company says “User data is sacred and we never change it”, which is really just a nice way to spin “We couldn’t possibly upgrade the actual contents of your blogs without messing them up really bad.” Luckily, I found a way to upgrade the templates on an existing blog; it’s been successfully tested on two blogs, and now I need to apply this fix to everybody’s blog, except those which were so highly customized that the owner doesn’t want their templates converted to the generic MT4 versions. Those people probably aren’t going to be applying the canned styles anyway, so this problem won’t affect them.
  • The random logouts were caused by a subtle error in the code I added to the blog server to make it compatible with the WOUportal single sign-on system. I just found that and fixed it… or at least, it seems to be fixed, because I’m not getting logged out anymore. And, oh yeah, logging into the WOUportal automatically logs you into blog admin, too.
  • Then there’s the blog stats widget thing. I have no clue here, sorry. Of course, that widget didn’t even exist on the old server, so I don’t consider it a gigantic tragic loss.

Anyway, back to work….

Blog server update woes

Known problems with our upgrade:

  • People with blogs outside their public_html folder may encounter permission errors when rebuilding (eh, they call it “publishing” now) their blog
  • If you apply a style to your blog, it will completely mess things up and your blog will look like the computer puked. (That’s the technical term, anyway)
  • You get randomly logged out when administering your blog
  • the blog stats widget doesn’t show anything

I have yet to figure out why this is. I can fix the permission errors when they are reported to me, at least. And newly created blogs won’t have any problem with styles. I just wish we didn’t have 42 million blogs on our system (well, OK, I exaggerate. It’s really a bit over 13,000, of which fewer than 500 have even one entry.)

Feh. OK, I need to get back to working on this thing instead of complaining about it.

Tap tap… is this thing on?

So, um, yeah, I haven’t posted anything to my blog in way too long. Time to fix that.

Here’s my current project list with a bit of explanation on each (I’ll go into more detail on some of these later, because many of them won’t make sense unless you’re actually in UCS.)

  • User account renaming – Setting up a process to change people’s usernames on request. Actually a lot harder than it sounds.
  • User account deletion – We need a process to delete user accounts when they are no longer needed. This will be run every year or so.
  • Blog server upgrade – The new version is ready for testing… check it out at https://wou.edu/blogadmintest.
  • Course catalog information on web – We’re working on a way to more easily update and display stuff like course descriptions and degree program requirements on the Web.

Plus there’s lots of little stuff; improving the efficiency of some of our processes, improving the programs we use to manage our user databases, looking for security holes and plugging them, and the usual ongoing tasks of website, blog server, and wiki server administration.

Future projects:

  • Rewrite Websmith – I want to redo websmith in a different programming language (PHP instead of Perl) that will allow a lot tighter integration with the website, and creation of new features.
  • Automatic K: drive folders – We’re planning a system (probably for next year) that will let faculty request folders on the K: drive for specific classes, and have them be automatically created. Right now we spend a lot of time doing this manually.

That’s it for now. I’ll go more in-depth on some of these later.

Next MT upgrade – problems

Ever since the Movable Type upgrade, we’ve had problems with the StyleCatcher and WidgetManager plugins. I haven’t had any luck fixing them; nobody else has reported the type of problem we’re getting, or at least they haven’t reported it in anyplace that Google can get to it.

Tonight I tried upgrading Movable Type to the next version, hoping it would solve the problem. This was supposed to be a much easier upgrade than the last one since it doesn’t involve any database changes. But it didn’t work. Apologies to any of you who got errors; the server was only down for a minute when I tried the upgrade, and less than a minute when I tried the second time.

The existing version is running normally. I’ll need to do some more research before trying this upgrade again.

Also, there probably won’t be much of an FAQ this week as I’m feeling under the weather.

Deleting blogs

I’ve had my head buried in blog server code for the past couple of weeks. One thing has become clear. We have too many blogs on our system and some of them will need to be deleted.

We need to do this because the server cannot display or set people’s permissions on various blogs. When I ask it for even a single author’s permissions, the server churns and churns for five minutes (I timed it twice) and then gives up. The server is working great for everything else, but not for this, and I think it’s no coincidence that out of all the tables in the blog database, the permissions table is the biggest.

We have over 13000 blogs on the system, only a few of which are in use. I plan to delete blogs belonging to students who have not been enrolled since Fall term. I will preserve any blogs that actually have entries, though. After that, we’ll see.

Geeky stuff about the blog server’s database

Who knows how many of you will find this interesting, but I’ll talk about it anyway. I’ve been delving into the database that holds all the blog server’s data – all the blogs, their settings, entries, comments, all the users, security permissions, and all that.

The designers of Movable Type did a good job with their database; everything is efficiently linked together and easy to understand. If I want a count of all unapproved comments on the system? One simple SQL query, bam, it’s done. Listing of all blogs ranked by the number of entries? Slightly more complicated query, bam, done. Add myself to the permissions list for an old blog with an insane number of comments? Simple SQL insert, bam, I’m in. Hmmm, those comments are all spam except for ones from WOU IP addresses? Simple SQL delete statement, double-check it to make totally sure it’s only going to wipe the ones that need it, bam, done. Say goodbye to lots of spam that was cluttering the system; when I started this, there were over 25,000 comments in the database, but after checking them out, I found I could delete all but 3000 or so.
Oddly enough, all the spam was concentrated in about 15 blogs. I cleaned out all of them that didn’t seem to currently be in use, but there are a couple that I didn’t touch because people had been updating them recently.
I’m thinking about setting up some webpages to report blog use; now that I have the database figured, I can easily make a page to display links to the ten most recent blog entries, or list the most active blogs, or whatever. Now I need to write up this week’s FAQ, which will talk about some of the new features on the blog server; since hardly anybody has asked me any actual questions, it’ll probably be a short one. I’ll intro the features I think are most interesting and/or useful and leave it at that.
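The queries above, and in particular the “double-check it before you delete” step, are worth seeing as a script rather than as ad-hoc SQL typed at a console. The following is an added example and not the author’s actual queries or Movable Type’s own code: it builds an in-memory SQLite database with a simplified schema modelled loosely on Movable Type’s tables (the table and column names are assumptions; check them against your own install before running anything similar for real), fills it with constructed sample rows, and then runs the count, the ranking, and a spam deletion that keeps comments from a trusted network. The “WOU IP addresses” range is replaced by the documentation range 192.0.2.0/24, a constructed placeholder. The delete first computes exactly which rows it intends to remove, then removes only those ids inside a transaction and rolls back if the row count does not match the plan.

```python
import ipaddress
import sqlite3
from typing import List, Optional, Tuple

# Simplified schema (assumed; modelled loosely on Movable Type's mt_blog,
# mt_entry and mt_comment tables). comment_visible: 0 = awaiting approval,
# 1 = approved.
SCHEMA = """
CREATE TABLE mt_blog    (blog_id INTEGER PRIMARY KEY, blog_name TEXT);
CREATE TABLE mt_entry   (entry_id INTEGER PRIMARY KEY, entry_blog_id INTEGER, entry_title TEXT);
CREATE TABLE mt_comment (comment_id INTEGER PRIMARY KEY, comment_blog_id INTEGER,
                         comment_entry_id INTEGER, comment_ip TEXT,
                         comment_visible INTEGER, comment_text TEXT);
"""

# Constructed sample data: one active blog and one old blog buried in spam.
SAMPLE_ROWS = {
    "mt_blog": [(1, "it-blog"), (2, "old-course-blog")],
    "mt_entry": [(1, 1, "Upgrade notes"), (2, 1, "Friday FAQ"), (3, 2, "Week 1")],
    "mt_comment": [
        (1, 1, 1, "192.0.2.10",   1, "thanks, that fixed it"),
        (2, 1, 2, "203.0.113.5",  0, "buy pills"),
        (3, 2, 3, "198.51.100.7", 0, "cheap watches"),
        (4, 2, 3, "198.51.100.8", 1, "casino"),
        (5, 2, 3, "192.0.2.44",   1, "real question from campus"),
    ],
}


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def count_unapproved_comments(conn: sqlite3.Connection) -> int:
    (n,) = conn.execute("SELECT COUNT(*) FROM mt_comment WHERE comment_visible = 0").fetchone()
    return n


def blogs_ranked_by_entries(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    # LEFT JOIN so blogs with no entries still appear, with a count of zero.
    return conn.execute("""
        SELECT b.blog_name, COUNT(e.entry_id) AS n
        FROM mt_blog b LEFT JOIN mt_entry e ON e.entry_blog_id = b.blog_id
        GROUP BY b.blog_id ORDER BY n DESC, b.blog_name
    """).fetchall()


def spam_candidates(conn: sqlite3.Connection, blog_id: int, keep_network: str) -> List[int]:
    """Ids of comments on blog_id that did NOT come from keep_network.
    The CIDR test is done in Python with ipaddress so the range is honoured
    exactly; a LIKE '192.0.2.%' prefix would also match 192.0.20.x."""
    net = ipaddress.ip_network(keep_network)
    ids = []
    rows = conn.execute("SELECT comment_id, comment_ip FROM mt_comment WHERE comment_blog_id = ?",
                        (blog_id,))
    for cid, ip in rows:
        try:
            if ipaddress.ip_address(ip) not in net:
                ids.append(cid)
        except ValueError:          # unparseable address: not from the trusted range
            ids.append(cid)
    return ids


def delete_spam_except_from_network(conn: sqlite3.Connection, blog_id: int,
                                    keep_network: str) -> Tuple[int, int]:
    """Dry-run first, then delete exactly the planned ids. Returns (planned, deleted)."""
    ids = spam_candidates(conn, blog_id, keep_network)
    planned = len(ids)
    if planned == 0:
        return 0, 0
    marks = ",".join("?" * planned)
    with conn:  # transaction: committed on success, rolled back on exception
        cur = conn.execute(f"DELETE FROM mt_comment WHERE comment_id IN ({marks})", ids)
        if cur.rowcount != planned:
            raise RuntimeError(f"planned {planned} deletions but {cur.rowcount} rows matched")
        return planned, cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("unapproved:", count_unapproved_comments(db))
    print("ranking:", blogs_ranked_by_entries(db))
    print("deleted from blog 2:", delete_spam_except_from_network(db, 2, "192.0.2.0/24"))
    print("unapproved after cleanup:", count_unapproved_comments(db))
```

On a real install the planned-id list is also the thing to eyeball (or write to a file) before committing, and restricting the delete to one blog id at a time mirrors the post’s approach of cleaning blogs individually rather than sweeping the whole comment table.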

Ahhh, junk filter!

Wow, in just the few days the new version has been up, I’ve already seen a major reduction in the amount of spam comments I get. It used to be a few hundred a week, but in the last couple of days I’ve gotten a grand total of thirteen, eleven of which were automatically sent to my junk list. Looks like I may need to tinker with my junk filter a little bit in order to catch ones like those last two, though.

I’m not sure what happened to the other eighty-some spam comments I was expecting, though. My junk filter isn’t set to actually delete anything, so where did they go? It would be too much of a coincidence that a bunch of spammers just happened to cut down their blog spam right exactly when we upgraded, so it must have something to do with the upgrade itself.

I wonder if they can detect the version of a Movable Type server before spamming it, and don’t send as many to recent versions that have the anti-spam features? Though that’s probably doubtful, considering that all along we had the nofollow plugin that makes spam links useless for improving Google rankings, yet the spammers kept on firehosing us. It’s probably more effort for them to target their spam in any way than simply to spew it out blindly.

But whatever the reason, the amount of spam on my blog is way, way down. Now if only I could do that to my email…

Blog server upgrade!

OK, our blog server is now up to the latest version of Movable Type. You’ll notice a lot of new features, though luckily the basic operations of the admin system are still located where they’ve always been. There’s just a lot of new stuff added: a better search function, improved handling of large lists, defaults for new posts, and my personal favorite: junk filters for comments and trackbacks!

I’ll cover all this stuff in more detail as part of this Friday’s FAQ. Now I have to go in and test some more stuff to make sure everything is working.

Freakin’ spam!

I just deleted 3,952 spam comments from my blog. Boy, those things pile up if you don’t keep on top of them. There were too many to delete all at once, but I discovered a trick: in your list of comments, you can click the magnifying glass icon next to a blog topic to list only those comments for that topic. That’s generally a small enough number to delete at once (I think it can handle about a thousand in one gulp.) You can also select comments by commenter name or originating address, but considering the spam comes from thousands of different computers, and the username is different for each comment, that isn’t very helpful.

I’m looking forward to the new blog server version, which will have more anti-spam tools.