Category Archives: Tips

Why should I cut up my credit card?

Recently, someone got a hold of my card and was making fraudulent charges on it. My card company was Johnny on the spot and called me to verify the charges (side note: I had no way of verifying they were who they said they were, so they did the right thing and told me to call the number on the back of my card. You can’t be too vigilant!). When I finally got a rep on the line, they canceled my card and sent me out a new one. Done deal.

But then they tell you, “cut up your card”. Why? If the number was stolen and we’re de-activating it so it can’t be used again, why cut up the card? In fact, why would you ever cut up the card? I guess if you think that cutting up an active card will stop you from using it, then you should do a good job and cut it real good. But otherwise, I can’t think of a reason. My 5 minutes of googling didn’t find an answer either.

Do any of my faithful readers have an answer?

Update: There’s some good discussion below, but more notable is my comeuppance! After writing this post, I got not one, not two, but three copies of my new card. Now I have the need to trash three credit cards that are all not canceled. Oh the horror!

How to spam this blog

As a follow up to last week’s post (How to comment on this blog), this week I bring you the results of the no-captcha test.

After much spam slipping through reCAPTCHA, I decided to nix a captcha altogether. Originally I thought that just requiring a field via javascript and doing no server side checking would work. This was silly of me, of course. The spammers, having the source code of WordPress, would just blindly submit a comment to any post, bypassing any client side JS checks I had in place.

The fix was to create a field that was not known to spammers the way the reCAPTCHA field is. Further, if it is appended via javascript, then it is even harder to automate. I wrote the simple-math plugin (have a copy!) and implemented it as follows:

  • Turn off reCAPTCHA
  • Add a field via javascript
  • Ask a simple math question, validated in client side JS
  • Only validate that the field exists, not that the math is right, on the server side
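Here is a small model of that design, added as an example here and not the simple-math plugin’s own code. The field and function names (SIMPLE_MATH_FIELD, buildCommentForm, clientAnswerOk, serverAcceptsComment) are assumptions, and the two sample submissions are constructed. It shows why the server-side existence check is the part that actually matters: a script that blindly POSTs WordPress’s default comment fields never sees the JS-appended field, while everything that runs in the browser can be skipped.

```javascript
// Added example, not the simple-math plugin's code. SIMPLE_MATH_FIELD,
// buildCommentForm, clientAnswerOk and serverAcceptsComment are assumed names.
const SIMPLE_MATH_FIELD = "simple_math_answer";

// Client side: the page's JavaScript picks two numbers between 0 and 9 and
// appends the question plus an answer field to the comment form. A bot that
// never runs the page's JS never sees this field.
function buildCommentForm(randomInt = (n) => Math.floor(Math.random() * n)) {
  const a = randomInt(10);
  const b = randomInt(10);
  return {
    question: `What is ${a} + ${b}?`,
    expected: a + b,
    // the default WordPress comment fields plus the JS-appended one
    fields: { author: "", email: "", comment: "", [SIMPLE_MATH_FIELD]: "" },
  };
}

// Client side: check the answer before submitting. This is a courtesy to
// humans only; anything that runs in the browser can be bypassed by posting
// directly to the comment endpoint, which is what round one showed.
function clientAnswerOk(form, answer) {
  return Number(answer) === form.expected;
}

// Server side, as in the Feb 13 update: accept the comment only if the
// JS-appended field is present in the POST body. The arithmetic itself is
// deliberately not re-checked here, matching the post's design.
function serverAcceptsComment(postBody) {
  return Object.prototype.hasOwnProperty.call(postBody, SIMPLE_MATH_FIELD);
}

// Constructed sample submissions
const browserSubmission = {
  author: "reader",
  email: "reader@example.com",
  comment: "Nice post!",
  [SIMPLE_MATH_FIELD]: "7",
};
const blindBotSubmission = {
  author: "spammer",
  email: "spam@example.com",
  comment: "cheap stuff",
};

// Stand-alone run (guarded so the block also loads cleanly as a module)
if (typeof require !== "undefined" && require.main === module) {
  const form = buildCommentForm();
  console.log(form.question, "->", form.expected);
  console.log("browser accepted:", serverAcceptsComment(browserSubmission)); // true
  console.log("blind bot accepted:", serverAcceptsComment(blindBotSubmission)); // false
}
```

The field name is effectively a shared secret between the page and the server, so this only holds up as long as a spam script is not tailored to this particular form, which is exactly the "one-off solution" effect the stats below describe.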

The jury is in, and I’m fully vindicated. Here’s the stats (Attempts per Visit is comment attempts divided by hits; Defense Success Rate is the share of comment attempts that did not get through):

Period                      Hits   Comment Attempts   Comment Successes   Attempts per Visit   Defense Success Rate
Feb 6th-12th                1191   57                 17                  4.79%                70.18%
Feb 12 11pm – Feb 13 10am   58     20                 13                  34.48%               35.00%
Feb 13th-Feb 18th           1204   132                0                   10.96%               100.00%

The important thing to note is twofold. The first is that the average number of raw hits (excluding me, Yahoo and Google) was the same week to week. Further, the number of attempts went up 200%, of which 100% were thwarted (Defense Success Rate). Again, I suspect this is all possible because it’s not easy, nor worthwhile (it’s OK, plip isn’t a big blog, I know…sniff) to automate spamming against one-off solutions like mine.

I should note that I used the free version of Splunk to garner the ad hoc stats for this post. As I was hemming and hawing on whether to count cookies or IPs or hits, it wasn’t worthwhile to use the old school command line style stats. Splunk scoffs at this level of stats and reporting. Really, it’s above it, but will happily crank out what you ask of it with ease. Here’s a purty graph:

Caveat Emptor: I work at Splunk.

How to comment on this blog

It seems that reCAPTCHA is a victim of its own success. Y’all know I’m a huge, huge fan. However, recently the spammers have started to submit comments, successfully getting past the reCAPTCHA. I suspect this is a mechanical turk or some such tomfoolery. Of course the comments don’t get approved, but they’re still a bother to have to delete.

Our friend over at hanskellner.com (guess which friend?) also has the same problem with submitted spam. This makes it clear that reCAPTCHA is being targeted (well, not clear, but it’s better than n=1!). However, he found a solution to stop the spammers. He added a static math question to his comment form. That is, it’s always “what is 5 + 6”, never any other question. Funny enough, his spam stopped altogether. He still has his reCAPTCHA going, but now it’s a two-factor anti-spam.

I posit that the reCAPTCHA code is easy enough to programmatically detect, but some random math question isn’t, so it breaks the spam scripts. Let’s test this theory, shall we? I’ve just written a WordPress plug-in called simple-math. Using simple-to-hack, all client side javascript, there’s now an easy to solve math problem on the comment form. It is random, choosing two numbers between 0 and 9. I haven’t tested it too broadly, but you’re welcome to a copy.

I’ll let it run for a week and see how it goes and report back.

Feb 13th Update: I fought the law, and the law won! Spammers got past round one of simple-math. I’ve updated it to now check for the existence of the field on post, but still, no checking for a right answer on the server. As well, the field is created via javascript. Spammers, back to you for round 2.

Meego Redux: 1.1 Released

If you recall, I fell in love with Meego a bit ago. Then, we broke up, and I left Meego for Ubuntu Netbook Remix (UNR). Guess what? Yup, just like the title of this post suggests, I’m back to Meego. Yesterday was their 1.1 release and the netbook flavor with Chrome is ready for the Live USB Key, easy install testing. I skipped over the live USB thing and cut right to the chase to install it over UNR.

I went to go install some of the key apps that I use and bumped into a few problems. I’ll sketch ’em out here in case anyone else is an early adopter like me:

  • No more yum: Well, yum is still available to install, but it’s not there by default. Instead, the fine folks at Meego are shipping ZYpper. Works just the same, but for the not so distro savvy nerds like me, I had to search around in the forums to figure out what was what. Thanks physalis!
  • KeepassX: The next problem I found was that KeepassX’s download page had 404 links for the Fedora packages. When I found that the Fedora 12 page DIDN’T 404, I downloaded THAT version of KeepassX. Welp, that version didn’t like the current version of QT that ships with Meego. Finally, I searched around and found a slightly out of date version at hany.sk.
  • Dropbox: Nothing really tricky here. Their download page has a “Fedora (x86 .rpm)” package. For both KeepassX and Dropbox, installing looks like this:
    sudo zypper install nautilus-dropbox-0.6.4-1.fedora.i386.rpm

For those keeping tabs, I did do a write up on configuring Meego mail and calendar which appears to all be the same in 1.1 as it was in 1.0. At first blush, it seems a little tricky to set up with Google Apps, where plip.com’s mail is, but we’ll hack away.

Next up: Installing Skype. Happy Meego-ing!

Update: Skype installed no problem, and the QT warning seems to be around fonts. A forum tip around font hinting worked wonders to make Skype and KeepassX look sharp (actually, look anti-aliased).

Wayback machine, privacy and old plip.com

This post is a short parable told in three lessons:

Lesson 1: The web is not as temporal as you might think!

Recently a co-worker was travelling and was unable to access her work based email. Instead, she directed folks to email her at her personal email. Being a curious fellow, I clicked over to her personal site to see what she had to say. All I found was “Site in progress, check back later” and a link to a very outdated resume. Well, that’s just no fun! Enter the wayback machine! Using this fine site, I was able to see all the text, photos and links she had long since redacted. The wayback machine never forgets, so don’t you forget that.

Lesson 2: Robots.txt can pull Jedi mind tricks.

A natural response to seeing the archive of other sites is to see what dirt folks might find out about me via the same method. Sure enough, there’s some good stuff! However, the more interesting fact I learned is that my robots.txt of today redacted the archive.org copy of yesterday! This is cool! A while ago I took down my resume and some older, more personal content, and as well took a sec to make some broad strokes of what search engines shouldn’t index. It was these actions that archive.org took note of. With a wave of my robots.txt hand, indeed these are not the pages you’re looking for.

Lesson 3: The wayback machine is way cool.

Ok, this parable kinda peters out right about here, but still, the wayback machine is way cool. Check out the rad looks plip.com has had over the years! Hrm, maybe that should be “rad”. You decide.

How to fix Zend 5.5.1 in Windows 7

For those still addicted to Zend Studio 5, like I still am, but can’t figure out how to make her go, take note: It is easy to run this app in Windows 7.

When you first install it, you can launch it fine, and the splash screen shows, but that’s it. The process is listed for a second and the whole thing disappears. I’d read on some site that it involved extracting the installer and making a copy of the JRE. Maybe this is true for some folks, but all it seemed to take for me was to go into the properties for the binary (ZDE.exe) and choose “Vista” compatibility mode. That’s it!

404er Legit and WordPress community kudos

Remember way back when we posted 404er? Well, good news! We jumped through the hoops and now our plugin is officially on the WordPress site. Clearly the readme needs to be updated so the page is a little more full featured.

Soon, when we’re indexed, you can search for us by name at your nearest WP admin control panel. Here’s a ‘recently changed’ listing showing the 404er:

Noteworthy is that WordPress.org has really gone above and beyond to help developers. We get a full SVN environment, lots of PR on their site, detailed yet easy to read docs and best off, a really rich code base to code against. Thanks WordPress!

Lifehacker on Passwords

As a fan of security and strong passwords, I read with interest Lifehacker’s article about how easy it is to hack passwords. In general the article is right on the money and I agree with its message. However, I took issue with the article on two points.

The first point: they’re talking about how easy it is to either guess or brute force your passwords. Guessing and forcing passwords can be done over the Internet without needing to compromise your (the victim’s) computer. However, the last step is “simply” to get at the cookies on your local machine:

But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
– Lifehacker Mar 30, 2010

For me this is crossing the line from informative into fear mongering. Yes, once you have logged into someone’s computer as the user they surf the internet as, it is indeed trivial to read cookies. No, this can not be done over the Internet. No, this is not a simple step to make.

The second point (now that I’m not drafting this on my phone and am using a real computer): I see that the original article was published in 2007! Just about all the info in the original article still holds true 3 years later, but I find it awkward when the article on Lifehacker has items like this in it:

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Which made me think it was a Lifehacker edit in 2010, but was in fact an edit from John Pozadzides in 2007. Speaking of Pozadzides, his blog looks pretty right on and I don’t really have any beef with him (in that totally anonymous Internet beef kind of way), but I mainly take issue with fear mongering, especially when it comes to cookies.

Update: This article seems to be making the rounds on a lot of sites.

Update 2: There’s a great comment from Wangston below.

Google: gmail, mail and calendar sync with Meego Netbook (Google Apps Too!)

Recently a reader inquired about how to set up Meego to sync with Gmail mail, calendar and contacts, based off me mentioning I got it working. I use Google Apps for mail hosting at plip.com, so this applies to both Gmail and Google Apps (domains that use Gmail for their email server). Settings are based off the IMAP settings for Thunderbird.

Here’s the steps I took for a clean install of Meego (see matching screenshots below too):

  1. Launch Mail for the first time
  2. Enter your Google Apps or Gmail login info (per Google’s IMAP or Thunderbird settings)
  3. Choose IMAP (again, per Google’s IMAP or Thunderbird settings)
  4. Configure SMTP (again, AGAIN per Google’s IMAP or Thunderbird settings)
  5. Confirm and make sure contacts and calendar are checked
  6. Mail Works!
  7. Launch Calendar and Contacts
  8. Contacts synched!
  9. Calendar synched! (no screenshot :( )

Bye Bye Meego, Hello Ubuntu Netbook Remix

Meego, as I mentioned before, is really really cool. I was able to get all my apps installed and even managed to get my Google calendar, mail and contacts syncing by just adding it via the email client under IMAP (BTW – Meego, you should really highlight that feature!). All the apps even appeared as a native icon alongside the pre-installed ones, which is a really nice touch. Alas, the lack of a working AIM client is just too much. It’s my primary IM network and it just bugged me that it didn’t work. Which is too bad, because Meego is so close to being perfect. Well, too bad about AIM and about sleep.

So, what to do? After reading Mr. Doctorow’s latest post, I was reminded about good ol’ Ubuntu. Sure enough, there’s a Netbook remix. Let’s give it a whirl! USB key is prepped and primed and install is imminent.

Also – I love love love (yeah, 3 times) Pendrivelinux.com! This is a super easy way to create bootable USB drives (aka live “CDs”) of your local linux distro. The old days of some crazy fdisk silliness are gone. Now it’s just point and click. Love it.

Stay tuned for my Ubuntification!