
The Chronicles of Winblows Pt.1

February 9th, 2008 by admin

About a week ago we noticed the image server we were using for the album art covers was failing. Looking into it, we found the server must be under a high load, and there was not much we could do about that since we do not own or control it, so we decided to add an image server of our own to even out the load from all the album art covers. During the process we had to shift the load somewhere, since the image server was down about 80% of the time, so I set up a small private server that handled the image requests until we could get this all worked out.

The setup of the new image server went rather smoothly, except I could not decide which would be faster: archive the 3.8 GB, upload it and unpack it, or just upload the uncompressed images and eliminate two steps. Uploading the 3.8 GB uncompressed via FTP was the initial choice. Keep in mind I have what “Comcast” calls a 12MB connection speed. It was sold to me as 16MB+, but that’s another story; I pay almost 100 bucks a month for it. So anyway we started the FTP transfer. A day and a half later, not even 20% complete :/ Kind of expected that though.

A friend of mine presented me with an option that he said should work out nicely “IF” I were using Linux like him. My friend is a very Linux-minded fellow; we both know I have a Win/Lin setup, but knowing me he presented the idea anyway, since I have a habit of bringing Linux-style functionality over to Windows machines.

His idea turned out to need no conversion or alteration beyond a few config files and permissions. We set up rsync to synchronize the directories and files from my home/private server to the new image server, which had by then been partially uploaded via FTP. rsync worked beautifully. The job still took longer than I would have preferred (16 hours including setup time) but completed without issue.

Everything I was finding on setting up rsync made it look as though I would need an rsync client and an rsync server to make it all work. Turns out that was not the case: rsync can run over SSH, and I already had SSH set up both on the host and at home. I had been using PuTTY to connect over SSH and this would have to change, but again not an issue, since Cygwin, which I have been using for many years now, comes with an SSH client. So I had to create a new key pair.

After making the keys I then needed to put the public key in place on the host:

scp id_rsa.pub user@host.com:~/.ssh/new_key

which is secure copy [public key] [you]@[yourhost]:[your home dir]/.ssh/[the new key]

Once this file was on the host I logged into the host and su’d to root (turns out to be an issue later). I then ran a few commands from within the ~/.ssh directory:

cat new_key
cat new_key >> authorized_keys   # OpenSSH reads authorized_keys (US spelling); a file named authorised_keys is silently ignored

This added the new key to the authorized keys file.

Back at home, open up Cygwin and try to ssh, hoping that this time our key pair is used. We want to be able to run bash scripts locally that automatically synchronize sites, so this has to work without a passphrase on the key; if we were ever prompted to log in, our script(s) would fail. This is another place I failed at first: I had set a passphrase when generating the key pair, which was not wanted. (Bear in mind that a key with no passphrase is a bare credential: keep the private key readable only by your own user, and the options in authorized_keys on the host can limit what that key is allowed to do.)

Anyway, with the keys done properly I was able to ssh to the host from Cygwin without being prompted for a password. Looking good, success so far :)

Next, I don’t want to attempt syncing the remaining 80% of the images just to find it did not work, so we perform a little test first.

I go to the host, create a directory named test in the web root and add a few text files with random data in them. I then create a directory locally named test, put some files into it and also create a few directories inside it with files, and so on. We want to make sure that
A: the newly created local directories/files get uploaded to the host.
B: the files on the host do not get overwritten unless changes have been made.

In my local user home directory I have an alias set up to a directory named scripts. Any bash file in it becomes accessible at the command line by simply typing its name from any location in the shell window. The bash file for this I named sync_serv. Below I include the portion related to rsync; I am keeping the automation part to myself and leave you to write your own. This is what was left of the original code. Most of the options we had originally intended, like --chmod=Dg=rwxs,Fgu=rw,Fo=r --no-times --human-readable --no-owner --no-group, are not available on Windows, which is unfortunate, but here is the script:

#!/bin/bash
# Push the local test tree to the host over SSH. --archive already implies
# --recursive; --update skips files that are newer on the host; --backup keeps a
# copy of anything that would be overwritten; --checksum compares content, not mtime.
rsync \
--verbose --archive --update --backup --recursive --checksum --rsh=ssh \
/cygdrive/D/test/ \
user@host.tld:/full_path_2/web/test/
echo RSYNC Completed
exit

Our test completed successfully. But wait! We now have a few issues that must be taken care of. Permissions are all messed up. Since the rsync options we wanted were not available, and since we did this as a different user than the one who should own the files, all we get is a 403 when trying to access any file that was rsync’ed, yet the ones that were already in place are totally accessible.

So we log into the host again, cd to the web root and run the following commands:

# Give everything back to the web user/group, then normalise modes: directories
# 0775 with setgid so new files inherit the group, files 0644. -print0 with
# xargs -0 keeps file names containing spaces intact.
chown --recursive --verbose theusername:thegroupname .
find . -type d -print0 | xargs -0 chmod 0775
find . -type d -print0 | xargs -0 chmod g+s
find . -type f -print0 | xargs -0 chmod 0644

Then all files and directories get set with the proper owner/group and default permissions. So everything in our test went well, and now to perform the real sync. We got that going, and about 12 hours later it completed with one error, which I caused. Remember the test directory and that we tested the sync with it? Well, that was inside the covers directory when we did this. The first time rsync ran on the local machine it built a list of directories and files, and the test directory and its files were in the list. I deleted the directory and its contents after rsync had started and built it into the list, so we see this at the end:

rsync error: some files could not be transferred (code 23) at /home/lapo/packaging/tmp/rsync-2.6.6/main.c(791)
RSYNC Completed

Next, for good measure, we do not want everyone hotlinking our album covers, so we add the following to an .htaccess file in the new image server’s web root. It refuses any image request whose Referer is not yourdomain.tld, which stops other pages embedding the images and also stops direct access, since a URL typed into the address bar sends no Referer. Only yourdomain.tld can access them. Keep in mind the Referer header is supplied by the client and can be faked or stripped by privacy tools, so this deters casual hotlinking rather than enforcing access control.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://yourdomain\.tld/.*$ [NC]
RewriteRule \.(png|gif|jpg)$ - [F]
ErrorDocument 403 /index.php

WP-Forum XSS and SQL Injection vulnerabilities

January 29th, 2008 by admin

So some twit (or bot) attempted an SQL injection attack against our site. SQL injection is a form of code injection. There are many types of code injection. The definition of XSS includes SQL injection as one of the methods.

This one used a crafty query in an attempt to gain access to records from our databases.

http://asylum-et.com/?page_id=3&forumaction=showprofile&user=1%20union%20select%20null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null%20from%20wp_users%20where%20id=1/*

which output this nice little bit:

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT count(*) FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/*

WordPress database error: [The used SELECT statements have a different number of columns]
SELECT * FROM wp_forum_posts WHERE author_id = 1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),null,null,null,null,null from wp_users where id=1/* ORDER BY date DESC LIMIT 10

Unfortunately for this person, this is not the result they were after, since our database is not the standard WP database and the code is not the standard WP code either, but I have fixed the code so that not even this error is output any more.

Please take note of this twit’s IP address.
88-232-152-90

I am glad that this attempt has been made, because it alerted us to a vulnerability in the wp-forum Version 1.7.4 software. The author must have decided that sanity checks were useless, because there was not a single one checking the data being passed to database queries.

If you are using this plugin you should at least go through and do an intval() on each of the $_GET variables that wp-forum uses directly in its queries. Hopefully the author decides to release a security fix for their software, but that won’t affect us since we have extensively altered our script to secure it. The original wp-forum can be found here: http://www.fahlstad.se/wp-plugins/wp-forum
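As an added example, not wp-forum’s code nor our altered script, here is the pattern the post describes and the intval() fix in plain PHP; the function names are mine, the table and column names are the ones from the logged query, and the payload is the user parameter from the request above.

```php
<?php
// Added example: the query-building pattern described in the post and the
// intval() fix, in plain PHP. Function names are mine; the table and column
// names (wp_forum_posts, author_id, wp_users) are the ones in the logged query.
declare(strict_types=1);

// Vulnerable pattern: the raw $_GET['user'] value lands in the statement,
// so a "1 union select ..." payload becomes part of the SQL.
function count_query_vulnerable(string $user): string
{
    return "SELECT count(*) FROM wp_forum_posts WHERE author_id = $user";
}

// Hardened pattern: author_id is an integer, so coerce it with intval()
// before it touches SQL. intval() keeps only the leading digits, so the
// payload above collapses to 1 and the UNION never reaches the database.
function count_query_safe(string $user): string
{
    $id = intval($user);
    if ($id <= 0) {
        throw new InvalidArgumentException('author_id must be a positive integer');
    }
    return "SELECT count(*) FROM wp_forum_posts WHERE author_id = $id";
}

// General fix for values that are not guaranteed to be integers: bind them
// as parameters instead of interpolating. Needs a connected PDO handle, so
// it is defined here but not called in the demo below.
function count_posts_prepared(PDO $pdo, string $user): int
{
    $stmt = $pdo->prepare(
        'SELECT count(*) FROM wp_forum_posts WHERE author_id = :id'
    );
    $stmt->bindValue(':id', intval($user), PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// The value of the user parameter from the logged request, URL-decoded.
$payload = '1 union select null,concat(user_login,0x2f,user_pass,0x2f,user_email),'
         . 'null,null,null,null,null from wp_users where id=1/*';

echo "vulnerable: ", count_query_vulnerable($payload), PHP_EOL;
echo "hardened:   ", count_query_safe($payload), PHP_EOL;
```

The hardened query is the only one whose text does not change with the attacker’s input, which is also why the verbose database error the post shows stops appearing once every interpolated value is an integer.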

MusikCube Now Playing PHP Script

January 18th, 2008 by admin

We have just added a new download for everyone: a PHP script that updates your website with your listening statistics and then gives an example of outputting the information on your website to show your most recently played tracks, without the need for a 3rd party.
MusikCube Now Playing Script

Is browser report dead?

January 11th, 2008 by admin

I noticed about a week or two ago that the http://browserreport.com image for tracking browser statistics has been broken. I did not think too much of it, just figured the server was under high load or whatever. So I stopped over to their site the other day to check it out and maybe find out what the problem was. When trying to access the image directly I see a PHP error saying that the image create function being used is undefined. This means either they moved to a new server and that extension is not enabled in PHP, or their host disabled it, or something to that effect. At first I figured it was just a little boo boo. Nope, still no change.

What had made me decide to even try to access the image directly was that the captcha for their comment form was not working, so I had to investigate that. Anyway, we have no way of contacting them through their website to inform them. It seems evident from viewing the stats: Firefox maxed the charts out on a steady course, then all of a sudden there was a mass swoop of IE, as if every IE lover decided to load up IE with an auto refresher/reloader and the server admins decided to kill it.

Anyway we have removed the image at least for now until they are up and running again so our performance is not degraded by trying to access this dead image. We will leave any links on our site to them since we have hung in with them for some time now. Good luck over there guys and hope to see you up and running again soon.

Webkinz dollar store stuffed animals

December 24th, 2007 by admin

This is going to be a bit of an odd post, but recently I bought a Webkinz for my daughter. When the thing arrived I was a bit disappointed. The darn thing was a dollar store stuffed animal that cost $20.00. Just the same, with it came use of the Webkinz website, where the kids are supposed to be able to go and create and play with their Webkinz in a virtual world.

That is all great. She likes to play the games and all, but most often it is not even possible to log into the website. Today my daughter had tried a few times to log in and play but was unable to, since the website uses JavaScript for literally everything and something was changed in their code, so now when you log in and get to the screen you are after it is a JavaScript popup that is not resizable and is too small to see what is on the screen.

After she tried again with the same result I asked if I could have a look. I tried clicking the login button on the main page and sure enough it is broken. So I then decided to put my mouse over the login link to see where it goes. javascript:pW('loadReturnUser'); is what is in place of the link. So I did a view source on the page to find out what the function pW and the value loadReturnUser do. I found a few included JavaScripts in the head of the page, in an oddly named location I may add: they call their JavaScripts directory assets. Interesting just the same, but anyway I opened up two JavaScript files. The first was not it, then the second had the function in it. This function makes a link for a few browser types, including the loadReturnUser in the link.

So I go and copy the url that this function assembles and then enter it into the address bar then change the +page+

Forward and reverse Captcha…

December 11th, 2007 by admin

We have all encountered them. Most are very poorly done and even though they do stop some Spam from getting through they stop a lot more legitimate users than you would be happy with if you only knew you lost them due to the Captcha.

Interested in finding out just how many that is? That would be as simple as tracking every time your comment form is posted and weighing that against the number of comments you see actually made it through (both those marked as Spam and good clean comments). It is safe to say that if you have 30 attempts at posting a comment form and yet you only have 3 comments, then you had at least 20 visitors try to post a comment, about 4 of which even tried more than once, and yet you lost those viewers and their comments. Why? Because your Captcha sux.

As we get more attuned to the web in its everyday use we form habits. My greatest habit, one that is widespread well beyond myself, is arriving at a comment form that has a non-legible garble of text and lines in an image for a Captcha. Can you say next site please? You just lost me. What is your purpose in that anyway? Are you trying to make your would-be users go away? Something tells me this is surely not the case, but you still use these Captchas.

I wonder if by using these with all the garbled text you actually think it is more secure than just plain text in an image? Are there actually bots on the net capable of reading and deciphering what an image says? Not really. There is software semi-capable of determining words from a scan, but do you realize what such a program would cost to have written for the web, and that the only ones who could afford it would be those like Google and MS? You know they are not about to do that, since evading the Captcha like this could be viewed as an actual attack against your website and business, which could lead to some pretty hefty legal penalties and fees for the person using the tool to, in a sense, hack the Captcha and your site.

Anyway, that is about enough of that. Now on to why I write this post. This is my alternative to using Captcha. It is one that won’t tick your viewers off. You could use it by itself or even with a typical Captcha, but lose the funky text crap already.

Add one field to the form. Give it any name such as accounts.

Two rules to follow here, which other similar methods fail on:

1. Do not name this field Captcha or hidden or anything like that. A name such as accounts is perfect.
2. Do not make the input’s type hidden, and do not give it a class named hidden or anything of that sort.
With that said, you add the new field, which we will call accounts, and give its class property the value acnts, so what we have looks like this:
<input type="text" name="accounts" value="" class="acnts"/>

Once you have done that, go into the site’s style sheet and add:
.acnts {display:none;}

Next you will see that the new field “accounts” is not visible to the viewer when you load this form up in your browser. It is however visible to Spam bots. Spam bots will fill it in. Yes even the smart ones that got around this type of method before. Why? Simple. The ones everyone else has used break my 2 rules and so if you read them and follow them it becomes pretty obvious why they fail.

So now the point of this. When the form is submitted we check whether $_POST['accounts'] is non-empty; if it is, we go no further since it is a spammer, otherwise we move on.
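An added example of the server-side half, not code from the original post: a minimal PHP form renderer and check using the accounts field and acnts class from above. Treating a missing field as spam is my assumption, not a rule the post states.

```php
<?php
// Added example (not code from the original post): the server-side half of
// the invisible "accounts" field. Field name and class are the post's;
// treating a missing field as spam is my assumption, not the post's rule.
declare(strict_types=1);

const HONEYPOT_FIELD = 'accounts';

// The field is an ordinary text input hidden only by the .acnts stylesheet
// rule, so a browser submits it empty while a bot that fills every input
// submits it populated.
function render_comment_form(string $action): string
{
    $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"$action\">\n"
         . "<textarea name=\"comment\"></textarea>\n"
         . '<input type="text" name="' . HONEYPOT_FIELD . '" value="" class="acnts"/>' . "\n"
         . "<input type=\"submit\" value=\"Post\"/>\n"
         . "</form>\n";
}

// Three cases for a submission:
//   field present and empty  -> rendered by a browser, let it through;
//   field present and filled -> a bot filled the invisible input, drop it;
//   field missing entirely   -> the request did not come from our form, drop it.
function honeypot_is_spam(array $post): bool
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    return trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Constructed submissions standing in for $_POST.
$from_browser = ['comment' => 'Nice write-up', HONEYPOT_FIELD => ''];
$from_bot     = ['comment' => 'Good site respect!', HONEYPOT_FIELD => 'http://junk.example'];
$no_form      = ['comment' => 'posted straight to the endpoint'];

echo render_comment_form('/wp-comments-post.php');
foreach (['browser' => $from_browser, 'bot' => $from_bot, 'no form' => $no_form] as $who => $post) {
    printf("%-8s spam=%s\n", $who, honeypot_is_spam($post) ? 'yes' : 'no');
}
```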

Pros/Cons
Pro: Users do not get furious with you and leave.
Pro: Nothing extra for the user to do.
Pro: No external calls to some site that you were using for your Captcha.
Pro: 100% increase in comments.

Con: Someone with a personal vendetta could make their Spam software skip the field named accounts, but this would require them to actually know that your website intends for that to happen, which is why we use a name like accounts as opposed to Captcha or hidden. The same goes for a bot that drives a real browser engine and only fills the fields that are actually rendered; even then the check costs your real visitors nothing.

Our shop themes

November 11th, 2007 by admin

Just before I last went to bed I had been on the phone with a good friend of mine and a fellow programmer. We had been discussing the days work and the progress we had made for the day. We discussed the web shop we have been building for some time now and he took a tour through the pages, options and features that the shop includes.

So far the shop has been tested to work in Firefox, Opera, Sleipnir and lastly Internet Exploder 6. At that point we decided that if it works in those 4 browsers then we should not have any issue with any other browsers, so long as the browser follows standards for CSS and HTML. After testing the four layouts we have chosen to use with the shop against these three common and one uncommon browsers, all of them appear to be displaying just fine.

So this friend of mine noticed a bit of oddness in the browser he uses. He stated that the top menu has one link that is not positioning properly and is not totally clickable: only one of the two words in the link is clickable. This is most odd since the links are not attached to individual words but to both together in the same link.

From previous discussions we have had, and a countless number of issues he has reported with a number of websites using this browser, I would think by now he would decide to use a browser that works, but he chooses to be difficult and continue with this browser that has obvious issues spanning well beyond our themes. He uses the browser named Konqueror. Konqueror is a browser for use with Linux only, so we have no way of testing and adjusting our layout for it since we do not have a Linux install.

When my friend made this complaint I sleepily replied, well man, use a real browser. After just waking up the conversation and my response were still fresh in my mind and I can not help but be bothered by it. Why this friend would be so set on using a browser that obviously does not work properly is beyond me. He claims that Firefox is too great an issue for him to use on Linux even though it is cross compatible between the operating systems we use. He states that the memory and resources it uses are not acceptable and he can not use Firefox because his machine becomes sluggish.

We both have the same specs for memory so I do not see the issue, but just the same it is a problem. The themes do not work properly in Konqueror and, seriously, the only advice I have is to get a better browser. That may sound like a cop-out, but the thing is that Konqueror is seemingly the only one it does not work in. Until Konqueror decides to fix whatever issues they have that inhibit a large number of websites from displaying properly, STOP using it. After enough people discontinue its use the developers at Konqueror will be forced to fix the issues or sacrifice users.

Another thing I would like to comment on is the ongoing barrage of dissatisfaction from developers that we receive on account of a message that displays in our themes that informs the user that they should enable Javascript if they wish to have access to all of the features that are available with the shop.

First of all this is good practice to alert your users of such things since they will see a degradation in the sites performance if they do not have Javascript enabled and therefore will think the website is broken.

Secondly Javascript has a place in development and about 90% of all websites use it in some form or another. Javascript has no right in handling security or anything to that effect but for the basic things we use it for such as confirmation dialog boxes and things of that nature, that is exactly what its purpose is and it is intended for use like this.

Thirdly, the only people who have JavaScript disabled are typically developers, who are not users and seldom look at things from a user’s perspective. Not to mention it takes a whole .3 seconds to click a button and enable it. Laziness?? That is what it appears to me.

So for these confirmation dialogs and such why Javascript and not using code? Well that is simple. Ease of use and saving on bandwidth as well as time. The other option is to code yet another page that when a user clicks say a delete link they are sent to another page that asks them if they wish to continue and then yet another page that says the action was completed.

Ok, so without JavaScript that is a three step process that, depending on the speed of your server, how many images are in your layout and so on, could take upwards of 2-3 minutes, since now we have three page loads instead of 2, the last of which the user does not worry about too much. Not acceptable, especially if all that had to be done was one short little snip in the link like return confirm('Do you really want to do that'), which pops up a message where the user can click yes or no and then the action is performed or not. None of this is much of an issue for developers since we all typically have 16+ MBit connections, but think of your users, a large portion of whom are still on dial up. Do you want them to come back? I am assuming you would rather they did not, but we enjoy and rely on return visitors so we do what we need to please them, not other developers.

As you can see we have made our minds up. The JavaScript notice when JavaScript is disabled will remain, we will continue to use JavaScript where appropriate, and we will not lose any sleep over Konqueror being a junk browser.

Updates to our service policy

November 3rd, 2007 by admin

Due to recent events ALL clients must pay a 50% deposit of the total balance due to retain any form of services from us, regardless of the type of service. Entertainment services will require the entire balance to be paid in full on the date of the event. Asylum Entertainment will NOT start a performance until this payment has been made, so to ensure your event goes as planned be sure to make prompt payments available.

Programming services will be subject to a similar stipulation where intellectual property will not be released to the client until payment is made in full, and work will not commence on a project until a 50% deposit has been made on the total amount due.

We can and will NOT make quotes until a complete outline of service has been submitted and approved by Asylum Entertainment LLC at which time it will be signed and returned to the client.

We no longer accept payment programs or any other form of incomplete payment for services from anyone including but not limited to non profit organizations. If you are not prepared to pay for services do not bother to contact Asylum Entertainment LLC since you are wasting both your and our time.

Sorry for any inconvenience this may cause but we can not afford to continue giving our time and services away. We already have such a low rate for service that we can not afford to go unpaid.

Another murder in my home town

November 1st, 2007 by admin

I don’t have any solid details just yet, but a 17 year old boy was just murdered a few blocks from here in downtown Rutland, VT. Apparently at about 4:30 PM a man in his early 20’s named John Bruno walked up behind this poor boy and slit his throat. This happened right near our Depot Park near Wal-Mart. The boy passed on shortly after, en route to the hospital. We do not have any details as to who this boy was, but our sympathies go out to his family :(

Here in Rutland we have not had too many murders; I can count the total in my lifetime on one hand. This is just disgusting, that a human thinks they have the right to take the life of another for any reason. Totally unacceptable. The real sad part, outside of the murder itself, is that I am willing to bet he does less time for this than the boy had acquired in age.

Anyway, once again our hearts and prayers are with the family in this unfortunate event that has ended such a young soul’s life before it even had a chance to begin :(

Ham on the blog and someone wants to marry Mary

October 27th, 2007 by admin

This post is going to tick a lot of people off, but that is seriously the majority of its purpose. I am so sick and tired of getting, no shit, 500+ spam a day. It is seriously pathetic. All day long I get these same losers who post comments linking to garbage sites with less than appropriate content on them, or the ones I can’t stand the most, the how big is your… and well, you know the ones. We never allow your comments through, so why do you continue to eat our bandwidth? This is costing us money, and once it totals up enough we have each of your IP addresses and various other details to identify you, and we will be seeking restitution as soon as the cost mounts up to an amount that is criminally punishable. Think about that one the next time you go to post your rubbish comments.

So anyway, without further ado, we are going to present some of the comments here as we have done in the past, only we will be altering the links they included to link to things we chose instead, so thank you spammers for your content. Maybe this time you get the hint?

We call this one the freelance special. This has appeared in our comments about 600 times so far under different user names but the same series of ip addresses.

Hi! Good site respect! Visit [junk link was here] and [junk link was here] Thanks!

This type of comment is believed to be generated by freelancer type websites (a freelancer being a person who pursues a profession without a long-term commitment to any one employer), where jobs are posted by a website searching for x amount of one-way PR x links for x dollars. The takers of these jobs fire up their spammer software with a list of URLs and smash the internet with junk to hundreds and even thousands of websites that allow comments, and the sad part is that I’ll bet 85% of them do not moderate the comments.

This is what we like to call the dumb teen

Like! Thank you!
[Like Uhm I pasted links here but I'm not cool enough to figure out why they aren't showing]
I am glad to find this forum! [This isn't a forum you twit]
[Like uh I wish I had a real life then maybe they would show my link]
Like! Thank you!
[Don't they say if you try something the same exact way more than once and it still fails you should probably give up or you would be considered insane?]
Thank you! I delighted!
[Like uh. This sux I think I'll do it some more]
Good stuff, very nicely done!

The tickle my ego approach. This one has appeared about 500 times so far.

I agree with the author.
[My junk links won't show]
Very nicely done
[I keep banging my head on the desk and it hurts]
The Author, you – genius
[I am still doing it]
Excellent work, added to favorites!
[I don't get it. Why do I have a headache?]

And then there is this one, most odd of all. I am not sure if this is spam or not. The comment was literally a whole book, more or less. The poster’s name looked suspicious, like taxsomethingorother, and the poster’s web address included with the post seemed to be a female named Sonja who has a blog that allegedly allows users to post about deals, making it even more suspicious, but what made it most odd is that this poster actually knew how to make a link. Like OMG! :) Anyway, I read every bit of the content and it was surely very interesting. The originator claims to be a man who is in love with Mary, who is his girlfriend, and he wants to marry you Mary! He wants that so bad he has told millions of people by spamming their blogs, telling the blog owners to email this message to as many people as they can, that he wants to marry you in the worst way.

Surely an interesting approach if this is legit, but hey, who is to say what is romantic; I mean in a geek’s world you never know. Heck, at this point I am starting to think that I want to marry Mary if she is such a geek that she actually would go for such a proposal (JK). Anyway, he included a poem to Mary that goes like this.

Mary, please forgive me, as you know English is not my native language. And I am not a poet. But I mean it from my heart.
My angel,
Five years ago, I will always remember the day When fate made us meet, blissful Alaskan moments in May Earth spun around us and a journey began Love, warmth, happiness, enough the years to span.
The longer it lasts the more grows our bond And with 80 still – of you I will be fond Whatever happens, I will stay at your side Through good and bad, together let us stride
No second with you was ever wasted
You are the sweetest I have ever tasted
We have spent so many years – why not a life?
Mary, will you marry me – and become my wife?
Mary, if you have received that and have recognized me, then give me a sign so that I can continue with the romantic part of my proposal

Well that’s sweet now, isn’t it? So Mary, if you are out there and you see this, marry this shmuck (proposal to Mary). I mean dang, he has registered a domain and dedicated a website to this cause of pure fate. Hey reader, yea YOU! What do you think his chances are? Leave us a comment and tell us, and if you want go ahead and pass his story along as well, because he surely needs all the help he can get, and fast.

Our Blog Code: B3 D+++ T++ K++ S++ F++ I++ O++ X E++ L C-- Y1 R+ W++ P++++ M1 N N+