Redesigning and Testing

Over the holidays, I set up a new theme for Dr. Jerry Pournelle’s Chaos Manor blog. The new theme is ‘responsive’, which means that his posts are going to be more readable on mobile devices.

That was not without some minor issues. There are tons of themes out there, but it is difficult to find a theme with all of the features that are needed. In addition, Dr. Pournelle is somewhat set in his ways on how to write content for his site. He wants more control over the visual look of his posts, so he needs to easily see how things look before he publishes.

When we first moved him to the WordPress platform, we had to move him away from FrontPage and into a visual editor. We decided on Windows Live Writer, which had the advantage of giving him a close approximation of the final look of his posts before he publishes. Live Writer had most of the features he needed, and for the ones he was used to that it lacked (mostly fonts and how to get pictures into his posts) we figured out some workarounds.

With the new theme on his site, we have found that Live Writer has some shortcomings. One in particular: fonts. Live Writer offers the fonts that are available on his computer, but those fonts are not necessarily the same fonts available on the web site. So things would look as he wanted them on his local system (in Live Writer), but the published post would substitute fonts away from what he had selected.

So, I’ve been spending a bunch of time trying to find the ultimate combination of a responsive theme and an editor that shows posts looking the same while editing as they will when published.

So this site is the ‘test-bed’ of that search. The current theme is “Graphene”, which has lots of customization options. I’ve also installed the TinyMCE Advanced editor plugin. The combination of the two appears to be what is needed. The TinyMCE Advanced options allow customization of the editor screen. The Graphene theme seems to support having the published posts look like the post on the editor screen, and the Graphene theme options allow for the customization of theme settings. Plus it is responsive, so it should look OK on mobile devices.

So, this place has changed the look, and it will change as I tweak things to get closer to the ultimate needs. And perhaps this will provide the features that Dr. Pournelle needs for his site.

More Form Spammer Blocking

A few posts ago, I wrote about a technique to block form spammers. It is very effective, and easy to implement. More details in the post there, or you can see it in action at FormSpammerTrap.

I made a tweak to the program that allows a resubmit of the form when a correction needs to be made to a field that doesn’t implement the form spammer blocking trick. It is a small tweak to add the blocking function, but it was needed on one of the sites that has implemented it.

Full details are found at the FormSpammerTrap site. The technique is still open source, free, no obligation. And it just works. I put it on another site today that was having form spam problems, and the technique stopped the form spam immediately.

Check it out.

Bogus Update Sites

Just found a site that has apparently been hijacked. I used it as a source for some nice wallpaper images (open source) and logos for the Soldiers of Suicide site I built for that organization. I wanted to look for some images for another project, so went to that site again.

When I went to the main page, I got an ‘outdated Java’ warning, with an invitation to click on a link to update my installation of Java. I don’t do that (never install software from a place that ‘helpfully’ alerts you to a needed update, unless it is the actual vendor’s site). So I attempted to close that browser tab, and immediately got additional warning messages, and was unable to close that tab without using Task Manager to kill the browser.

I wanted to notify the site owner about the apparent site hijack, and noticed that the site owner had changed in the past couple of days, to an owner in Indonesia. Another warning sign of a bogus site. Apparently, the original site owner had let their domain lapse, and it was grabbed by a hacker who is trying to push an infected “Java” update.

So, the warning is to be very wary about clicking on links that suddenly pop up with a security update warning. If you need to make sure your software is up to date, use the Personal Software Inspector from Secunia. Recommended; it will ensure all your software (not just the OS) is kept current. It is free for personal use. I have used it through several versions, and install it on all of my personal/family systems.

Defeating Form Spam

If you maintain any web site, you probably have a form of some sort where visitors can contact you. And eventually, you will start getting ‘form spam’, which is just what you think it is.

Since I have many web sites (it’s a hobby, with the optimistic theory that one of them will one day be worth millions), the forms on those sites get attacked. The mechanics of the attack are not important here – they are automated form submittals with links. The intent of the spammer is to get those links on your web site, so they can get revenue from the display and clicking of those links.

There are several techniques to block them. Captchas – those squiggly words and letters – are one, hidden fields are another, but those can get bypassed. Even captchas are being hacked.

One technique I used in the past was to just rename the contact form page (and the ‘process the form’ page) filename, getting rid of the old file on the web host. That would usually buy me a couple of months. Hidden form fields might be another few months of protection. I don’t get many form spam submissions – probably because my sites are not well-read (hello to my three regular visitors).

Then I found another technique. This one has promise. It’s mainly for PHP-language based sites (although it could be modified for other languages), and you do need a bit of PHP programming knowledge. So here’s the basics (mostly for my own benefit, to make sure that I remember how to do it).

First step: create a new file called ‘response.php’ (assuming that you don’t already have a file like that). This looks like a promising name to a spammer; change it if you wish. Inside that file, enter this line at the top of the page:

<?php header('Location: http://www.formspammertrap.com/'); exit; ?>

Make sure it is the very first line of the file, with nothing at all before the `<?php` tag (not even a blank line or a byte-order mark): PHP can only send the redirect header if no output has been sent yet, otherwise you get a “headers already sent” warning and the page is served instead of redirected. You can put other stuff in the file’s body area after that line, if you want to further obfuscate things. But the main thing is that if a visitor (in our case, the evil form spammer) goes to that response.php page, they are immediately redirected to the site named in the command. You can change the ‘Location’ value if you want; just make sure it is a real page.

Upload that file to your host, and browse to it to make sure the redirect works.

Next step: edit your contact form page (or whichever page you want to protect). Insert this code just before the “</body>” (end body) code:

<script type="text/javascript">
var Clicked = 0;
var C13379746183901 = "";   // first half of the real 'action' page name
var C13379746183902 = "";   // second half of the real 'action' page name
var FormName = "the-form-name";

function CL() {
    Clicked++;
    if (Clicked > 1) { return; }   // only swap the action once
    // Reassemble the real processing page and put it in the form's 'action',
    // replacing the decoy page name that appears in the page source.
    document.forms[FormName].action = C13379746183901 + C13379746183902;
}
</script>

Replace ‘the-form-name’ with the ‘name’ value used in your <form> tag. Inside that <form> tag you also have an ‘action’ value; that is the page that processes your form. Take that value, split it into two pieces, and place the two pieces in the ‘C…01’ and ‘C…02’ variables. Make sure you get them in the right order.

What that script does is put the two “C…” variables together, and puts the result in the ‘action’ value of the form named ‘the-form-name’. That replaces the ‘action’ value in your <form> code with the real form processing page. (If your form page also does the processing, as in action="", just use empty values for the two “C…” variables; an empty action submits to the current page.)

The third step is to put the fake page name (in our case ‘response.php’) as the ‘action’ value in the <form> code. This is what the form spammer sees.

The fourth step is to add the attributes below inside the <input> tag of a required field in your form. Important: do not place this on the first field of the form, since that field often gets ‘focus’ automatically when the page loads, and the handler would then run without any action by the visitor. Also, if you use the same form as a function called by other pages, you will need to add the JavaScript code to the other pages too … and your authorized editors need to know that they must click in the field that has the ‘onfocus/onclick’ code, or they will be redirected to the phony page.

onfocus="CL()" onclick="CL()"

And the last step is to make sure your <form> has a ‘name’ parameter that is ‘the-form-name’ (or whatever you called the form).

Save your comment form page (make a backup copy of the old one first).

This is what happens when a real visitor fills out your form: when they get to the required field (the one with the ‘onfocus’ and ‘onclick’ code in the <input> statement), the CL() function grabs the two pieces of the real ‘action’ page and sticks the result in the ‘action’ parameter of the <form> code, replacing the ‘response.php’ fake page name that is in the code. So a ‘submit’ by a real person gets to the real form processing page. The form spammer, with his automated tools, doesn’t fill out the form normally, so neither ‘onfocus’ nor ‘onclick’ happens (both attributes are needed, because a keyboard user reaches the field with the Tab key and a mouse user by clicking), and the submission goes to the ‘response.php’ fake page name. Note that this only stops tools that do not run JavaScript: a bot that executes scripts, or someone who reads the page source and joins the two halves, can still reach the real processing page, so that page should keep its own validation.
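Putting the four steps together, here is a complete contact page as an added example; it is not code from the original post or from the FormSpammerTrap site. It assumes the page is saved as contact.php next to the response.php trap from the first step, that the page processes its own submissions (so the real action is contact.php, stored as two halves), and the field names name, email and message are invented for the example.

```php
<?php
// contact.php: the decoy action, the split real action, the required-field
// hook and the noscript notice, all in one self-processing page.
// Assumed names (not from the original post): contact.php, response.php,
// form fields name/email/message, recipient webmaster@example.com.
$sent = false;
$errors = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Server-side validation still runs: the decoy only diverts tools that
    // never executed the script below, so the action switch is not a check.
    $name    = trim($_POST['name'] ?? '');
    $email   = trim($_POST['email'] ?? '');
    $message = trim($_POST['message'] ?? '');
    if ($name === '')                               { $errors[] = 'Name is required.'; }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { $errors[] = 'A valid email address is required.'; }
    if ($message === '')                            { $errors[] = 'Message is required.'; }
    if (!$errors) {
        // FILTER_VALIDATE_EMAIL rejects newlines, so $email is safe to place
        // in the Reply-To header; no other user input goes into headers.
        $body = "From: $name <$email>\n\n$message";
        $sent = mail('webmaster@example.com', 'Contact form', $body,
                     'Reply-To: ' . $email);
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Contact</title></head>
<body>
<?php if ($sent): ?>
  <p>Thanks, your message was sent.</p>
<?php else: ?>
  <?php foreach ($errors as $e): ?>
    <p class="error"><?= htmlspecialchars($e, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endforeach; ?>

  <noscript><p>Note: JavaScript must be enabled to use this form.</p></noscript>

  <!-- Step 3: the decoy page is the only action visible in the page source. -->
  <form name="the-form-name" method="post" action="response.php">
    <p><label>Name <input type="text" name="name" required></label></p>
    <p><label>Email <input type="email" name="email" required></label></p>
    <!-- Step 4: on a required field that is NOT first on the form;
         onfocus covers keyboard (Tab) users, onclick covers mouse users. -->
    <p><label>Message<br>
      <textarea name="message" rows="6" required
                onfocus="CL()" onclick="CL()"></textarea></label></p>
    <p><input type="submit" value="Send"></p>
  </form>

  <!-- Step 2: the real action, split so it never appears whole in the source. -->
  <script type="text/javascript">
  var Clicked = 0;
  var C13379746183901 = "conta";
  var C13379746183902 = "ct.php";
  var FormName = "the-form-name";

  function CL() {
      Clicked++;
      if (Clicked > 1) { return; }
      document.forms[FormName].action = C13379746183901 + C13379746183902;
  }
  </script>
<?php endif; ?>
</body>
</html>
```

Browse to contact.php, tab or click into the Message field, and the form’s action changes from response.php to contact.php before you submit; submit the form without ever entering that field (or with JavaScript off) and the browser posts to response.php, which redirects as in step one. The validation at the top of the file is deliberately independent of the trick, since anyone who reassembles the two halves from the source can post straight to contact.php.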

Now, when I first saw this technique, I had to read through it a couple of times (perhaps I am a slow learner), but then it all made sense. We’ve used some JavaScript to replace the ‘action’ value in the form, and the JavaScript function is not executed unless a real person clicks in the required field.

Note that you may have some visitors that don’t have JavaScript enabled (usually, the paranoid types). For them, you just need to put a small notice just above your form:

<noscript>Note: JavaScript must be enabled to use this form</noscript>

You can use a bit of CSS to make that code stand out if you wish.

If you are already getting form spam, you might want to change the name of the contact form (and the processing page) to a new set of names. Delete the old name, and change the contact page value in any links elsewhere on your site. This will prevent the form spammer from using the old-unprotected form pages.

But the result of this technique should be a significant decrease in the amount of form spam that you get. And that’s a good thing!

(Added 22 Sep 2013: If you want more details, go to my Form Spammer Trap web site that uses the technique. That site is where form spammers will end up. And this post about it is more recent.)

On-Line Banking Attacks

Reports in a couple of places describe some really sneaky attacks on on-line banking. The attacks steal your credit card info (with your help), make unauthorized charges, then remove those charges from your on-line statements. Pretty clever, actually.

Here’s a couple of links about this: http://redtape.msnbc.msn.com/_news/2012/01/06/9986119-new-virus-raids-your-bank-account-but-you-wont-notice and http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/ .

Your defense? Those four things we mentioned here http://cellarweb.com/securitydawg/?p=56 : Windows updates, application updates, anti-virus updates, not browsing as an administrator. Those would be a great start.

…and we’re back …

Not that anyone has noticed, but this place has been like <sound of crickets>. Let’s see if we can rectify that situation.

Changes in store for this place. The ‘look’ will be tweaked, so expect those changes. Content will appear more regularly, with any luck.

We’ll post things about computer security that catch our eyes. It might just be a short sentence with a link to someone else’s site. But more content, more often. At least, that’s our plan.

In the meantime, four things to do:

1) Install all Windows updates. Set it up to install automatically.

2) Update your antivirus regularly. At the very least, use Microsoft Security Essentials (at www.microsoft.com/protect). Good program, catches most problems, low footprint/effect on your system.

3) Update your applications. I recommend the Secunia PSI program. Go to www.secunia.com. It’s free, and will keep your applications current. That’s important, as more exploits are aiming for your programs, not the operating system.

4) When wandering around the Interwebs, log on with a limited (non-administrative) account. That will help protect against malware attacks.

Do these four things, and your computer will be protected from the most common problems.

More later … and, with any luck, more often.

Internet Still Working After Conficker "Threat"

Noticing that the Internet is still working after the big ‘Conficker attack’ of 4/1/09.

But there are lots of computers with the Conficker malware, as shown by this map http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution from the Conficker Working Group.

That group also has a quick test for checking if you are infected: the Conficker “Eye Chart” http://www.confickerworkinggroup.org/infection_test/cfeyechart.html , which uses graphic images from web sites that are blocked by Conficker. A good quick test to see if you are infected with Conficker.

Conficker is still a threat, since there is no limit to what a bot-controlled computer could be told to do. The map shows that it is still widespread.

But the attention of the anti-malware community will minimize its impact, I think. Or at least the details of the next attack will be known.

Is Your Data Safe?

So…where is your data? And what is your backup plan? Is it like Ma.gnolia’s (a free site to store your web browsing bookmarks)? They apparently didn’t have a backup plan, as the entire site was hosed by some unknown error (I suspect that their database got corrupted, and backups weren’t available). One place for the story here http://blog.wired.com/business/2009/01/magnolia-suffer.html .

Or, in these uncertain economic times, do you have a procedure that disables access when your network administrator is let go? Or are you like the folks at “Fannie Mae” (US govt housing mortgage agency), who told a contractor he was fired, but didn’t revoke his access? Seems that he was a bit miffed at the whole thing, so he put a logic bomb on their servers that would have deleted all their data on all servers. See here: http://www.theregister.co.uk/2009/01/29/fannie_mae_sabotage_averted/ ).

If your company may start downsizing, do you have proper access controls on your data? If you gave an employee two weeks’ notice, could they start deleting files? Or changing some spreadsheet formulas?

Something to think about for your personal data … and your company’s data. Could your company survive a disgruntled employee’s nefarious action on your data?

Looking at other "Free" File Transfer sites that aren’t really free

Some minor fine-tuning on the www.filehurl.com site (my absolutely free unlimited file transfers web site).

There was a comment in a previous post about using another site. So I was curious about it, and looked at the site and compared it to FileHurl.

The other site requires registration (FileHurl doesn’t). It does have free file transfers (like FileHurl), but limits the size of the free transfers (FileHurl has no size limit). It also limits the number of times you can use the “free” transfer (FileHurl has no such limit). It has some paid services that allow unlimited use and size (FileHurl is fully free, although you can voluntarily donate).

The other site may be a bit ‘prettier’. FileHurl is pretty simple. Click one button, fill in one simple form (four or five fields, plus a ‘Browse’ button to select the file), and that’s it for sending the file notice.

The recipient gets a simple email with one link. One click for the link, one click to get the file, one click to save the file. That’s pretty simple.

And it is totally free and unlimited, unlike the other place. If you want to check it out, go ahead.

But I think that my FileHurl place is better. It certainly doesn’t have the limitations of other file transfer sites. I haven’t found any that are totally free like FileHurl (but will look at any alternatives that you mention).

Try it out. And let me know what you think. (And a mention on your web site or to places like “Digg” might be nice.)

How to Send Big Files via Email

Ever need to transfer a file to someone, but it was too big for sending via email? There are some sites that do that, but most have a one-time or monthly charge, especially if the files are large. Or they limit the size of the file.

That happens to me sometimes. So I decided to try to create my own file transfer web site. And I think that it is ready for my thousands of readers (well, maybe as many as five) to try out (and to recommend to others).

The concept is quite simple. You fill out a simple form with the email address of the person you want to receive a file. Type in a little message, use a browse button to find the file on your computer, then click one button to send it off. (We call it “Hurling a file”.)

The recipient gets an email message with a special and unique link, along with your message. Click on the link, then click one “Get the File” button to save the file to your computer.

And that’s it! You’ve sent your file to someone else, no size limits, no charges, and it’s simple enough for “Aunt Minnie” to use (at least, that’s our hope). We don’t save the email addresses, and the file is available for just seven days and then goes away.

It’s not a file sharing site, since you only get to send one file that you already own. And it can’t be a spam site, since you have to enter the email addresses manually. We’ve protected it against the evil guys as much as we can, and will monitor things to make sure that the site stays as safe as it can.

And, it’s all free. Although we do have a ‘donate’ button, and hope to get some simple advertising, to help defray expenses.

We (hmm…sounds like a ‘royal we’…) also put some social networking buttons at the bottom of the page to spread the word about the place. It’s a grand experiment, it will be interesting to see if anyone other than me actually goes there.

Oh. Where’s there ? We call it “FileHurl”, and it’s at www.filehurl.com . You’re invited to try it out…and send along any suggestions for improvement.

And tell a friend. The place might even be ready for the “Digg Effect”.