Archive for the 'Computers & Internet' Category

Google Chrome file upload input

Wednesday, October 8th, 2008 by admin

Recently I downloaded Google’s attempt at a web browser. For the most part it is impressive. It seems to handle CSS rather well; I would compare it to using Firefox. It does not suffer the typical issues of the IE variations out there, nor the issues that Apple’s Safari browser has with redirects or other header calls. Overall it is well thought out and works great. More or less it is like they stole all the good ideas from the leading browsers and put them together into a mash they call Chrome. One issue I have noticed so far is rather trivial but could be viewed as a bug. I have included a little image to show the one and only issue I see so far.

There is a red box I have drawn in the area where an input box would normally be. The fact that they do not show the input box for a file upload is fine, since it is not a user-editable field anyway, but the one thing that is a bit off is that if you click your mouse anywhere in the area where the input field would have been, it is as though you clicked the “Choose File” button. As I said, I don’t know if this should be considered a bug, but it could be an annoyance anyway.

Google Chrome Upload Field

Windows XP SP3 failure

Tuesday, September 9th, 2008 by admin

Rather disappointed with the result of yesterday’s upgrade to SP3 for Windows XP. I use a notepad replacement called metapad. I actually replace notepad.exe with it, that is, “ALL” instances of it. This is done within microseconds of each other so Windows doesn’t realize it is being done until the files that Windows would use to replace the allegedly corrupt notepad have themselves been replaced, so the one that appears corrupt is replaced with what is actually metapad. I have had Windows XP Pro installed for over 3 years now. My notepad replacement has never been an issue before.

OK, so with that said, here I notice a problem right off the bat. Metapad has been replaced with notepad after the SP3 upgrade completed. No big deal, right? Wrong. I start to overwrite the file(s) as I have done on many machines now for years, and the second I right-click on the file to copy it into the copy buffer for pasting into the 3 other folders, exploder.exe crashes.

That was the first time I noticed it happen anyway. That was within minutes of having upgraded to SP3. Since then I would say every 1 out of 3 times I right click in a folder or on a file explorer crashes. It restarts itself right away but crashes. A few times I submitted the report windows generates. Maybe they will have it fixed in a day or two? We shall see.

It obviously has nothing to do with the fact that I replaced notepad, that much I do know. I am considering reverting back to SP2 if this keeps up though. I don’t care how many alleged security fixes SP3 takes care of because they are all useless if the shell can’t handle a right click.

I have since found that even ctrl + c to copy a file can trigger this explorer crash. After a day of fighting to keep windows exploder stable and free from crashes every few minutes, I decided it was an incredible waste of precious time and money, so I attempted to uninstall SP3 with the methods that Microsoft outlines for SP3 removal. The first two methods were a total bust. Tried to uninstall; it just hung there for 2 hours at the very end. Killed the uninstaller process. Tried the second method to no avail, with similar results. Tried the last method, System Restore. That worked like a charm and the crashing exploder is now gone. I am rather disappointed though that I have used XP for over 3 years and not once has explorer deserved to be titled exploder till now. Leave it to good Ole M$ to spoil a good thing.

Browser Statistics

Thursday, August 7th, 2008 by admin

Browser Statistics Graph

There was once this website that tracked browser usage statistics and everyone linked to them, and then they just went and disappeared :/ Oh well, it happens, but when it does then what? Well, I decided the other day that this information is still very useful when trying to develop a good website or to improve our users’ experience with the current one. That evening I wrote a small application that uses an embeddable image that you place in your web page. The image lets us know which browser each visitor is using, giving us a general idea of the browsers we want to make sure we have tested. It is also just interesting to follow people’s choice in browsers, so it is really just that simple. If you would like to add to the statistics, just embed an example image from below into one or all of your web pages and away we go.

You could also just link to the chart image on “one” of your webpages if you wanted. Either image tracks browser usage. Or follow the examples below that show how to change the image color so that it can fit your website’s theme. Color values are RGB 0-255. Be creative. We use it as a bullet in the footer of the asylum-et.com website.

(X)HTML

Browser Stats <a href="http://asylum-et.com/browser.stats/"><img src="http://asylum-et.com/image.png?r=255" alt="Browser Stats"/></a>
Or
Browser Stats <a href="http://asylum-et.com/browser.stats/"><img src="http://asylum-et.com/image.png?r=255&amp;g=255" alt="Browser Stats"/></a>
Or
Browser Stats <a href="http://asylum-et.com/browser.stats/"><img src="http://asylum-et.com/image.png?r=255&amp;g=255&amp;b=255" alt="Browser Stats"/></a>

HTML

Browser Stats <img src="http://asylum-et.com/image.png?r=0&g=0&b=255" alt="Browser Stats">
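As an added example (not the asylum-et.com code, whose server side is not shown on this page), one way such an image endpoint can be written: the r/g/b query values are clamped to 0-255 rather than trusted, the browser is tallied from the User-Agent header, and the PNG is generated inline. The family detection order, the 8x8 image size and the sample User-Agent string are my own choices.

```python
import struct
import zlib
from urllib.parse import parse_qs

# Constructed sample header, shaped like a 2008-era Chrome User-Agent.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 5.1) AppleWebKit/525.13 "
             "(KHTML, like Gecko) Chrome/0.2.149.30 Safari/525.13")


def color_param(query, name):
    """Read one RGB component from a parsed query string.
    Missing or non-numeric -> 0; anything outside 0-255 is clamped, so a
    visitor cannot push an out-of-range byte into the image encoder."""
    raw = query.get(name, ["0"])[0]
    try:
        value = int(raw)
    except ValueError:
        return 0
    return max(0, min(255, value))


def solid_png(r, g, b, size=8):
    """Build a size x size single-colour PNG (8-bit RGB) from scratch."""
    def chunk(tag, data):
        body = tag + data
        crc = zlib.crc32(body) & 0xFFFFFFFF          # CRC covers type + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)
    scanline = b"\x00" + bytes((r, g, b)) * size    # leading 0 = filter None
    ihdr = struct.pack(">IIBBBBB", size, size, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline * size))
            + chunk(b"IEND", b""))


def browser_family(user_agent):
    """Coarse family from the User-Agent header. Order matters: Chrome's
    string also contains 'Safari', and nearly everything says 'Mozilla'."""
    ua = user_agent or ""
    for needle, family in (("Chrome", "Chrome"), ("Firefox", "Firefox"),
                           ("MSIE", "Internet Explorer"), ("Opera", "Opera"),
                           ("Safari", "Safari")):
        if needle in ua:
            return family
    return "Other"


def serve_stats_image(query_string, user_agent, tally):
    """Handle one request for image.png: count the browser, return the image.
    Returns (status, headers, body); `tally` is the running per-family count."""
    query = parse_qs(query_string)
    family = browser_family(user_agent)
    tally[family] = tally.get(family, 0) + 1
    body = solid_png(color_param(query, "r"),
                     color_param(query, "g"),
                     color_param(query, "b"))
    # no-store so each page view reaches the server instead of a cache
    headers = {"Content-Type": "image/png", "Cache-Control": "no-store"}
    return 200, headers, body


if __name__ == "__main__":
    counts = {}
    status, hdrs, png = serve_stats_image("r=255&g=300&b=x", SAMPLE_UA, counts)
    print(status, hdrs["Content-Type"], len(png), "bytes", counts)
```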

Suse 10.3 on the Averatec 3200 Series Successfully

Saturday, April 12th, 2008 by admin

First off I would like to say that this laptop has been a complete joke since the beginning.
When I purchased the laptop I asked the fellow at Staples if it included a restore CD because I intended to install WinXP Pro on it. He said that it did and that would not be a problem and claimed to have done the very same thing himself. I paid a little over $1000 USD for the laptop.

Well, the laptop does not come with a restore CD but rather a restore from hard drive with some 3rd party software. I guess this is typical now because the makers are too cheap to include a disc and they anticipate your having to buy a new hard drive with the OS installed. They also refused to sell me a restore CD when I called the company, so eventually I was able to get everything running as intended, but what a process, and knowing that I have now voided my warranty by installing a different OS was not comforting. A week later the price dropped 300 bucks and I asked for the difference from Staples. They declined due to the OS being upgraded. I then demanded that Staples refund me the difference or I would return the entire $3800 worth of merchandise I had bought the very same day along with the $1000 laptop. Oh no sir, let us help you out. A few weeks after that the optical drive started to fail and about a week after that would not do much more than beep at me. So now I was stuck with what I had and there was nothing to do about it unless I wanted to put more money into it and replace the drive.

Recently I picked up an external lightscribe optical drive and decided to go ahead and try to install a new OS. I chose Suse 10.3 since I have been happily using it on my host for about a year now.

First I downloaded openSUSE-10.3-GM-i386-mini.iso and burned it to a CD. I next booted from this CD and started on the install. I selected all the general settings. The screen for the network setup caused me a little grief. After messing around a bit with a few options I decided not to use the Wifi just yet, so I hard-wired the network connection. I selected HTTP and then entered the IP address and directory location of the repository for the install. See the openSUSE website for more details.

The rest of the install process was straightforward except for one thing I must make note of. The Averatec 3200 had WinXP Pro on it and I was not ready to just wipe it out altogether; even though I was aware that this very well could destroy it, I figured it was a chance I had to take. While in the partition screen, I selected to resize the Windows partition to 20GB, which was the default that the Suse installer chose for me. That worked out just fine and Windows still boots as expected.

After the installation has completed we want to make sure that everything is up to date, so make sure that you have an internet connection, then open up a terminal program (Shell – Konsole) and start Yast like this.

user@host:~> su
Password: <your root password>
user@host:~> yast

When the Yast Control Center opens up select Software > Online Update and press Enter.

Once loaded you should see a few or more updates available. You will want to look them over and select the applicable ones for your install by using your spacebar to select them. You will know an item is selected when a + plus mark appears next to it. Once you have selected what you wish to update, tab to OK and press Enter. One thing differs at this point from what I was used to on my host, and that is when the update finishes it returns to the main Yast screen, whereas on my host you must press Finish.

Next, while still in Software, we use the down arrow and select Software Management to add any additional software packages we wish to use. If there is a specific package you want to find you may tab to [Search] and press Enter. Type in at least part of the software package’s name. For example, I want to install an IRC client so I type in bitchx, or even just irc.

Using the up/down arrows select bitchx and press the spacebar to select it. You can go through and do the same for any other packages as well before Accepting and installing otherwise you can just repeat the above steps.

When you have completed your tasks in Yast just tab to [Quit]. When back in the terminal type exit and press Enter.

Compatibility issues and other notes:
So far there are no issues that I have noticed except that the VIA S3G UniChrome Pro IGP display adapter has a minor bug that does “NOT

Online technology changes that could affect you

Saturday, April 5th, 2008 by admin

We have recently really pissed off some folks with our willingness to tell it as it is and as a result we have seen a serious increase in the amount of Spam related traffic. It could very well be coincidence but that is highly doubtful given the IP addresses of the offenders. Just the same we have investigated the traffic and found that the majority are attempts at email forgery where a Spammer tries to send email with our domain as the return address so it would seem to have come from us.

Well, even though we never forwarded the messages on to the return addresses that had been supplied, which would have discredited us and eventually caused bans against our domains, we decided to implement a bit of a defense against this insolence. We recently implemented something called SPF. For those that are not familiar with SPF, it stands for “Sender Policy Framework”. SPF is a fairly new method of determining the validity of email being sent. It checks incoming email and makes sure that the sender has a valid SPF record in DNS; if not, it drops the email and gives the offender a notice describing their violation and what to do in the event that they are trying to send legitimate email.

Installing the packages needed and configuring SPF was a rather simple task, but at the same time it has proven to be a bit of a double-edged sword. By using SPF we gain protection against forged emails like Spam, Fraud, Worms and Phishing, but at the same time it is still fairly new and not everyone uses it, or, in the case we are going to discuss, they do not use it properly. We have seen that this poses a bit of an issue in that we have found emails from legitimate services such as technorati that get dropped.

The way the technology works is that 2 parties are required for successful messages to be sent. Each party (domain) publishes an SPF record in their DNS zone for the domain. When one of these domains tries to send an email to the other, the receiving domain checks to see if the message complies with the sending domain’s policy, and if not it is then considered a fake. Depending on what has been specified in the SPF record the messages can be sent anyway, bounced, dropped and so on. Due to what are considered attacks against our server we have decided to drop all messages that appear to be forged, leading us to the technorati issue.

We noticed email being sent from technorati that is getting dropped. We contacted technorati right away to inform them of the issue. We did not hear back from them and do not expect that we will until they fix their SPF record. After having thought about it for a bit we decided to look into it a bit further by checking their SPF record and what we have found is that the record does not include the server IP that they are sending email from. It does include a range of IP addresses but this one they are using is not close to being included. We then contacted them one more time to inform them of our new findings and suggested a fix.

It has only now been about 24 hours since contacting them, but we have not seen a fix yet and notice yet more messages from them are being dropped. This is a bit unfortunate, but their email is not important enough for us to change our decisions with the implementation of our sender policy. It is a bit disturbing that such a well-known website has a misconfiguration like this, but everyone can make mistakes. We just hope for their sake that it does not go on for too long, especially since they are listed as one of the most frequently used domains that have implemented SPF.

Before I finish up, we highly recommend that if you are not already using SPF you do so immediately to protect yourself, your domain, your reputation and your users from damages that could very well be irreversible. Just remember that getting yourself blacklisted is the easy part.
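The check described above and the technorati failure, as an added example that is not the page's own code and uses no real domain's record: a cut-down SPF evaluator covering ip4/ip6 mechanisms, the four qualifiers and "all", run against a constructed record. The 203.0.113.5 case is the situation described, a sending address outside the published ranges under a "-all" policy; mechanisms that need DNS (include, a, mx, exists) are skipped, so records relying on them are not fully evaluated here.

```python
import ipaddress

# Constructed SPF record for this example (not any real domain's record):
# two authorised sources, then "-all" = hard fail for everything else.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into its terms; None if it is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def evaluate_spf(record, sending_ip):
    """Check a connecting IP against a domain's published policy.

    Handles ip4/ip6 mechanisms, the four qualifiers and 'all'. Terms that
    need DNS lookups (include, a, mx, exists) are skipped, so treat the
    result for records using them as incomplete.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms:
        qualifier = "+"                      # no prefix means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6") and value:
            # An IPv6 sender against an ip4 network is simply a non-match.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        # include:/a/mx/exists would need DNS lookups; not evaluated here
    return "neutral"                         # nothing matched, no 'all'


def receiver_action(result, reject_on_fail=True):
    """What the receiving side does with the message for a given SPF result.

    With reject_on_fail=True this is the policy the post describes: mail
    that fails the sender's own policy is dropped. Softfail is accepted but
    flagged, so a mis-published record does not silently lose mail.
    """
    if result == "fail" and reject_on_fail:
        return "reject"
    if result == "softfail":
        return "accept-flagged"
    return "accept"


if __name__ == "__main__":
    for sender in ("192.0.2.44", "203.0.113.5"):
        verdict = evaluate_spf(EXAMPLE_SPF, sender)
        print(sender, verdict, receiver_action(verdict))
```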

Speaking out against a giant

Sunday, March 30th, 2008 by admin

Hello folks, a few weeks back we had some issue pop up with Big G and their Adsense program. We have not spoken out about this for fear of Big G taking action against us by banning us from search results or whatever have you, but have since seen so many things that cause disgust on Big G’s part that we won’t sit idly by and watch.

After speaking with a great number of webmasters about this we have found that 9 out of 10 have had their accounts disabled and any earnings they had made zeroed out by Big G with no explanation other than vague pages leading to what “may or may not

Download Section Fixed

Saturday, February 9th, 2008 by admin

I was just looking at our last addition to the downloads section and I see that in the upgrade to the new site the download section broke. All you would see when trying to download a file was a white page with the file’s name :/ That was a simple fix, but I want to apologize to anyone who had been trying to download one of the files. All is back to good now :)

The Chronicles of Winblows Pt.1

Saturday, February 9th, 2008 by admin

About a week ago we had noticed the image server we were using for the album art covers was failing. Looking into it we found that the image server must be under a high load and there really is not too much we could do about that since we do not own or control that server so we decided to add a new image server of our own to even out the load from all the album art covers. During the process though we had to shift the load somewhere since the image server was down about 80% of the time. I set up a small private server that handled the image requests until we could get this all worked out.

The setup of the new image server went rather smoothly except I could not decide which would be faster, archive 3.8 GB, upload it, unpack it or to just upload the un-compressed images eliminating 2 steps. Well now 3.8 GB uncompressed uploaded via ftp was the initial choice. Now keep in mind I have what “Comcast” calls 12MB connection speed. This was sold to me as 16MB+ but that’s another story. I pay almost 100 bucks a month for that. So anyway we started the ftp transfer. A day and a half later not even 20% complete :/ Kind of expected that though.

A friend of mine presented me with an option that he said should work out nicely “IF” I were using Linux/Linux like he. Well my friend is a very Linux minded fellow but I thought well we both know I have a Win/Lin setup but he knowing me presented the idea anyway since I have a habit of converting Linux type operability to Windows machines.

Well this idea of his turned out that converting or altering anything outside of a few config files and permissions was not even necessary. We set up RSYNC to synchronize the directories and files from my home/private server to the new image server that now had been partially uploaded via the ftp. RSYNC worked beautifully. The job still took longer than I would have preferred (16 hours including setup time) but completed without issue.

Everything I was finding for setting up RSYNC appeared as though I would need a client and server to make it all work. Turns out that was not even the case. I already had SSH set up on both the host and at home. I had been using PuTTY to connect to SSH and this would have to change, but yet again not an issue. Cygwin is also something I have been using for many years now and with it you can use SSH. So I had to create a new key pair.

After making the keys I then needed to put the public key in place on the host:

scp id_rsa.pub user@host.com:~/.ssh/new_key

which is secure copy [public key] [you]@[yourhost]:[your home dir]/.ssh/[the new key]

Once this file was on the host I then log into the host and su to root. (Turns out to be an issue later). So now I then ran a few commands from within the ~/.ssh directory.

cat new_key
cat new_key >> authorized_keys

This added the new key to the authorized keys file.

Back at home, open up Cygwin and try to ssh, hoping that this time our key pair is used right, because we want to be able to run bash scripts locally to take care of automatically synchronizing sites. We need this to be done without any passphrase on the key, so we are never prompted to log in, which would cause our script(s) to fail. This is another place I failed at first: adding a passphrase when generating the key pair was not wanted.

Anyway with the keys done proper I was able to ssh to the host with Cygwin and not be prompted for a password. Looking good, Success so far :)

Next, I don’t want to go and attempt syncing the remaining 80% of the images just to find it did not work, so first we perform a little test.

I go to the host and create a directory named test in the web root and add a few text files with random data in them. I then create a directory locally named test and put some files into it and also create a few directories inside it with files and so on. We want to make sure that
A: the newly created local directories/files get uploaded to the host.
B: the files on the host do not get overwritten unless changes have been made.

In my local user home directory I have an alias set up to a directory named scripts. Any bash file in it becomes accessible at the command line by simply typing its name from any location in the shell window. The bash file for this I named sync_serv. Below I will include the portion related to RSYNC. I am keeping the automation part to myself and leave you to write your own. This is what was left of the original code. Most of the options we had originally intended are not available on Windows, like --chmod=Dg=rwxs,Fgu=rw,Fo=r --no-times --human-readable --no-owner --no-group, which is unfortunate, but here is the script.

#!/bin/bash
# Push the local test tree to the host over ssh. --update leaves files that
# are newer on the host alone; --backup keeps a copy of anything overwritten.
rsync \
  --verbose --archive --update --backup --recursive --checksum --rsh=ssh \
  /cygdrive/D/test/ \
  user@host.tld:/full_path_2/web/test/
echo RSYNC Completed
exit

Our test completed successfully. But wait! We do now have a few issues that must be taken care of. Permissions are all messed up. Since the RSYNC options we wanted were not available and the fact that we did this as a different user than the one who should own the files all we get is a 403 when trying to access any file that was RSYNC’ed yet the ones that were already in place are totally accessible.

So we log into the host again. CD to the web root. Then we need to do the following commands.

chown --recursive --verbose theusername:thegroupname .
find . -type d -print0 | xargs -0 chmod 0775
find . -type d -print0 | xargs -0 chmod g+s
find . -type f -print0 | xargs -0 chmod 0644

Then all files and directories get set with the proper owner/group and default permissions. So everything in our test went well and now to perform the real SYNC. We got that going, and about 12 hours later it completed with one error which I caused. Remember the test directory and that we tested the sync with it? Well, that was inside the covers directory when we did this. The first time RSYNC ran on the local machine it built a list of directories and files. The test directory and its files were in the list. I deleted the directory and its contents after the rsync started and had built it into the list, so we see this at the end.

rsync error: some files could not be transferred (code 23) at /home/lapo/packaging/tmp/rsync-2.6.6/main.c(791)
RSYNC Completed

Next, for good measure, we do not want everyone hotlinking our album covers, so we add the following in an .htaccess file in the new image server’s web root. This stops anyone from directly accessing the images and also from using them in their own pages. Only yourdomain.tld can access them.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://yourdomain.tld/.*$ [NC]
RewriteRule \.(png|gif|jpg)$ - [F]
ErrorDocument 403 /index.php

WP-Forum XSS and SQL Injection vulnerabilities

Tuesday, January 29th, 2008 by admin

So some twit (or bot) attempted an SQL attack against our site. SQL Injection is a form of code injection. There are many types of code injection. The definition of XSS includes SQL Injection as one of the methods.

This one used a crafty query in an attempt to gain access to records from our databases.

http://asylum-et.com/?page_id=3&forumaction=showprofile
&user=1%20union%20select%20null,
concat(user_login,0x2f,user_pass,0x2f,user_email),
null,null,null,null,null%20from%20wp_users%20where%20id=1/*

which output this nice little bit

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT count(*) FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/*

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT * FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/* ORDER BY date DESC LIMIT 10

Unfortunately for this person, this is not what they were after, since our database is not the standard WP database and the code is not the standard WP code, but I have fixed the code so that not even this is output any more.

Please take note of this twit’s IP address.
88-232-152-90

I am glad that this attempt has been made because it alerted us to a vulnerability in the wp-forum Version: 1.7.4 software. The author must have decided that sanity checks were useless, because there was not a single one checking the data being passed to database queries.

If you are using this plugin you should at least go through and do an intval() on each of the $_GET variables that wp-forum has used directly in the queries. Hopefully the author decides to release a security fix for their software, but that won’t affect us since we have extensively altered our script to secure it. The original wp-forum can be found here: http://www.fahlstad.se/wp-plugins/wp-forum
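To show the fix being suggested here, an added example that is not the plugin's code: the vulnerable string-splice beside a hardened version, run against a constructed sqlite3 database (table and column names taken from the queries quoted above, the rows made up). It goes one step further than intval(): a value that is not all digits is rejected rather than coerced, and the validated integer is bound as a query parameter.

```python
import re
import sqlite3

# The decoded `user` value from the request logged above (0x2f is "/").
PAGE_PAYLOAD = ("1 union select null,concat(user_login,0x2f,user_pass,0x2f,"
                "user_email),null,null,null,null,null from wp_users where id=1/*")


def make_db():
    """Throwaway in-memory database with constructed rows; table and column
    names follow the queries quoted on the page, the data is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
        CREATE TABLE wp_forum_posts (id INTEGER, author_id INTEGER, subject TEXT, date TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'hash-placeholder', 'admin@example.invalid');
        INSERT INTO wp_forum_posts VALUES (1, 1, 'first post', '2008-01-01');
        INSERT INTO wp_forum_posts VALUES (2, 1, 'second post', '2008-01-02');
    """)
    return db


def count_posts_vulnerable(db, user_param):
    """The wp-forum 1.7.4 pattern: the raw request value is spliced into the
    SQL text, so whatever the visitor sends is parsed by the database engine."""
    sql = "SELECT count(*) FROM wp_forum_posts WHERE author_id = " + user_param
    return db.execute(sql).fetchone()[0]


def parse_user_id(user_param):
    """Strict whole-number check. PHP's intval() would quietly turn
    '1 union select ...' into 1; here anything that is not all digits is
    rejected outright, which is also the event worth logging."""
    if not re.fullmatch(r"[0-9]{1,10}", user_param):
        raise ValueError("user must be a positive integer")
    return int(user_param)


def count_posts_hardened(db, user_param):
    """Validated value bound as a parameter: the SQL text is fixed at
    development time, so no request value can change its structure."""
    uid = parse_user_id(user_param)
    row = db.execute("SELECT count(*) FROM wp_forum_posts WHERE author_id = ?",
                     (uid,)).fetchone()
    return row[0]


def outcome(handler, db, user_param):
    """Run one handler and describe what happened, for side-by-side comparison.
    Returns ('count', n), ('rejected', None) or ('db-error', error class)."""
    try:
        return ("count", handler(db, user_param))
    except ValueError:
        return ("rejected", None)
    except sqlite3.Error as exc:
        return ("db-error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", PAGE_PAYLOAD):
        print("vulnerable:", outcome(count_posts_vulnerable, db, value))
        print("hardened:  ", outcome(count_posts_hardened, db, value))
```

With the vulnerable handler the crafted value reaches the engine and produces a database error, just as the page's output shows; the hardened handler never runs a query for it.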

MusikCube Now Playing PHP Script

Friday, January 18th, 2008 by admin

We have just added a new download for everyone: a PHP script that updates your website with your listening statistics and then gives an example of how to output the information on your website to show your most recently played tracks without the need for a 3rd party.
MusikCube Now Playing Script