New Exploit In WordPress

A friend noted that he was experiencing weird behavior when he surfed my site. Whenever he clicked a link on my site, provided he’d visited FriendFeed previously, he would randomly be redirected to anyresult.net. This is apparently a new exploit of WordPress that has arisen in the past week or so. I’m running WordPress 2.5.0.

The exploit is simple – the attacker registers a file of his own as an active plugin in your WordPress installation. To disguise it slightly, the PHP code for this plugin is held in a file with an image extension (PHP will happily include and execute a file regardless of what it is named). A quick look at the active_plugins row in the wp_options table should allow you to identify a plugin you don’t recognize. To do this:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Find the active plugins registered in WordPress: select option_value from wp_options where option_name='active_plugins';
  3. Look for a plugin you don’t recognize: You should probably be able to figure out which plugins are which, based on their names – look for a plugin which is an image file.

For example, in my case an active plugin had been registered that was held in an image file called “rtl_old.jpg”. The result of looking at the active_plugins entry in wp_options:

a:10:{i:0;s:50:"../../backup/wp-content/themes/classic/rtl_old.jpg";
i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:2;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:3;s:17:"add-meta-tags.php";i:4;s:19:"akismet/akismet.php";
i:5;s:37:"batch-categories/batch-categories.php";
i:6;s:41:"calais-auto-tagger/calais_auto_tagger.php";
i:7;s:21:"no-flash-uploader.php";
i:8;s:50:"wp-calais-archive-tagger/calais_archive_tagger.php";
i:9;s:18:"wp-contactform.php";}

Clever eh? I’m not clear on the mechanics by which this plugin is hidden from the Plugins panel of WordPress, but nevertheless, the result is that you won’t be able to remove this malicious plugin from the WordPress admin panel. To remove the plugin, you’ll have to manually update the active_plugins entry for option_value.

You’ll need to craft a new value for option_value. Note that the entry encodes the data as a PHP serialized array, which is the format WordPress uses for any option that holds an array. The “a:” prefix gives the number of elements in the array, each “i:” gives an element’s integer index, and each “s:” gives the exact byte length of the quoted string that follows it. That last number matters: if any length doesn’t match its string, PHP refuses to unserialize the whole value and WordPress loads none of your plugins. The value is stored as a single line; it is wrapped here only for readability. To remove the malicious plugin, I altered my option_value to the following:

a:9:{i:0;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";
i:2;s:17:"add-meta-tags.php";
i:3;s:19:"akismet/akismet.php";
i:4;s:37:"batch-categories/batch-categories.php";
i:5;s:41:"calais-auto-tagger/calais_auto_tagger.php";
i:6;s:21:"no-flash-uploader.php";
i:7;s:50:"wp-calais-archive-tagger/calais_archive_tagger.php";
i:8;s:18:"wp-contactform.php";}

To effect the necessary change in MySQL:

  1. Login to your instance of MySQL: mysql <database name> -u <username> -p -h <database server>
  2. Update the option_value entry: UPDATE wp_options SET option_value = '<new value for option_value>' WHERE option_name='active_plugins';
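Hand-counting the “s:” lengths is exactly where a manual fix goes wrong, so here is an added example (mine, not code from the original post or from WordPress) that covers both halves of the procedure above: it parses the serialized active_plugins value, flags entries worth a closer look, rebuilds the value with correct lengths and indices after the unwanted entry is dropped, and prints the UPDATE statement with the new value quoted for MySQL. The sample value is constructed in the shape of the one shown above; the `wp_` table prefix and the two review heuristics (non-.php file, “..” path component) are my assumptions, not anything WordPress itself checks.

```python
import re

# Constructed sample in the same shape as the post's wp_options value: a
# PHP-serialized array of plugin paths. The first entry is the kind of
# thing to look for (a .jpg, reached by walking out of wp-content/plugins).
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:50:"../../backup/wp-content/themes/classic/rtl_old.jpg";'
    'i:1;s:43:"../themes/k2/app/includes/k2-sbm-loader.php";'
    'i:2;s:19:"akismet/akismet.php";}'
)

_ARRAY_HEAD = re.compile(rb'a:(\d+):\{')
_STRING_HEAD = re.compile(rb'i:(\d+);s:(\d+):"')


def parse_active_plugins(serialized):
    """Parse a PHP-serialized array of strings into a list of plugin paths.

    s:N declares a byte length, so the value is walked as bytes and each
    string is sliced by its declared length rather than by searching for
    the next quote. A length that does not line up with the closing '";'
    raises ValueError, which mirrors PHP's unserialize() rejecting it.
    """
    data = serialized.encode('utf-8')
    head = _ARRAY_HEAD.match(data)
    if not head:
        raise ValueError('not a serialized PHP array')
    count = int(head.group(1))
    pos = head.end()
    paths = []
    for _ in range(count):
        item = _STRING_HEAD.match(data, pos)
        if not item:
            raise ValueError('unexpected data at offset %d' % pos)
        length = int(item.group(2))
        start = item.end()
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError('declared length %d is wrong at offset %d' % (length, start))
        paths.append(data[start:end].decode('utf-8'))
        pos = end + 2
    if data[pos:pos + 1] != b'}':
        raise ValueError('array not terminated')
    return paths


def serialize_active_plugins(paths):
    """Rebuild the value: a:N, contiguous i: keys, recomputed s: byte lengths."""
    items = []
    for index, path in enumerate(paths):
        items.append('i:%d;s:%d:"%s";' % (index, len(path.encode('utf-8')), path))
    return 'a:%d:{%s}' % (len(paths), ''.join(items))


def review_flags(path):
    """Reasons an active_plugins entry deserves a closer look (assumed heuristics).

    A non-.php file can only be a disguised payload. A '..' component means the
    entry points outside wp-content/plugins, which some legitimate themes (the
    K2 loader in the sample) also do, so that one is a flag, not a verdict.
    """
    flags = []
    if not path.lower().endswith('.php'):
        flags.append('not a .php file')
    if '..' in path.split('/'):
        flags.append('path escapes the plugins directory')
    return flags


def remove_plugins(serialized, to_remove):
    """Return a new serialized value without the given entries."""
    kept = [p for p in parse_active_plugins(serialized) if p not in to_remove]
    return serialize_active_plugins(kept)


def mysql_quote(value):
    """Quote a string as a MySQL literal (backslashes and single quotes escaped)."""
    return "'" + value.replace('\\', '\\\\').replace("'", "\\'") + "'"


def update_statement(new_value, table_prefix='wp_'):
    """The UPDATE from the post, with the new value quoted; 'wp_' prefix assumed."""
    return ('UPDATE %soptions SET option_value = %s '
            "WHERE option_name = 'active_plugins';"
            % (table_prefix, mysql_quote(new_value)))


if __name__ == '__main__':
    for path in parse_active_plugins(SAMPLE_ACTIVE_PLUGINS):
        flags = review_flags(path)
        print('%-55s %s' % (path, ', '.join(flags) if flags else 'ok'))
    bad = {'../../backup/wp-content/themes/classic/rtl_old.jpg'}
    print(update_statement(remove_plugins(SAMPLE_ACTIVE_PLUGINS, bad)))
```

Run it against the real value from `select option_value from wp_options where option_name='active_plugins';`, decide which flagged entries are actually yours, and paste the printed UPDATE. Bear in mind that this only deactivates the plugin: the rtl_old.jpg file is still on disk, and whatever let the attacker write that file and edit wp_options is still open. Delete the file, check for other recently modified files under wp-content, change your WordPress and database passwords, and upgrade from 2.5.0 before putting the site back in service.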

I’m curious about the content of the rtl_old.jpg file, but that can be dissected later. For now, these instructions should get you back on track and remove the malicious plugin.

Amazon.com Downtime Cost

The web is aflutter with Amazon.com being offline for the better part of several hours – it got me and Boris thinking: just how much is this costing them?

The answer is simple: about $339.61 in revenue per second (or a modest $1,222,602.74 an hour), based on Amazon.com’s $10.71 billion in revenue for 2006. That translates into lost profit, based on the annual profit figure of $190 million for the same year, of $6.02 per second (or $21,689.50 an hour).

Google Reader: Anti-Social Software

I’ve been a longtime Google Reader user, and I recently decided to explore their “Shared items” capability. The idea of “Shared items” is that you can mark posts of interest you come across in Google Reader and share them with your friends; and, vice-versa, you can view items your friends have shared with you. Pick the right friends, and your social network becomes an effective news filter, minimizing the number of RSS feeds you actually track and read.

It sounds like a great idea, until you try to use the feature. The first step in any social networking-type application is simple: add your friends. If you got no friends, the whole thing doesn’t work. It would seem reasonable, therefore, that the first and most important aspect of such an application would be to make adding friends easy. It is in this regard that Google Reader not only hops on the failcopter, but grabs control of the stick, and jams it into a steep descent. Into the side of a mountain.

To add friends in Google Reader, you have to add friends in…GTalk? It’s hardly an auspicious start to the user experience when using the web application requires the user to navigate to another web application. And of course, to use GTalk, you have to use Gmail. Fine, whatever, I already use Gmail. In fact, I’ve imported about 1000 contacts into my Gmail address book, so the rest should be simple, right?

Wrong. Here’s the UI to add a user to GTalk:

Worst. Interface. Ever.

That’s right, you have to add users manually. In addition, there’s no autocomplete capability either, which means you’ll have to type in all of your friends’ complete email addresses. Who thought this was a good idea? It’s like the application needs human suffering to provide sustenance. Does this application thrive on misery?

Seriously, Google, come on. I’ve given you my email contacts. You even have a Google Contacts API that allows third parties to use my Gmail contacts! What the heck is going on here? In fact, this UI shouldn’t even exist – it should be a list of my Gmail contacts, filtered to those that are already using GTalk, that allows me to easily select a number of contacts and make the request. Done.

The lack of integration between different web properties is not unique to Google. If you use Upcoming, you’ll note that adding a user is a painful manual process similar to the Google Reader experience.

It’s like they actually want these applications to fail. If these providers can’t even integrate their own APIs to simplify the exchange of data within their own company, what hope does the DataPortability movement have?

Now We Are 33

Every New Year’s Day, I take a moment to reflect on the past year. I write my future self a letter to remind me what I achieved that year, the hurdles I faced, and plot my next steps. I’ve also fallen into the habit of doing something similar each birthday on my blog. This year I’m a bit late because I’ve been busy, but the more I think about it, the more important it is for me to put this out there.

As an engineer, I have a predisposition to negative thinking. While many might think of engineering as a creative profession, one embedded in the positive act of generating something from nothing, critical thinking is a significant component of an engineer’s thought process: What could go wrong? What’s wrong with this picture? What assumptions am I making? There’s a logical reason for the critical nature of an engineer’s thought process: if we get it wrong someone else could pay the price. In software, it’s no longer about lives (flashback to university: “…and if you do this wrong, someone could die, and it’ll be your fault!”), but the impact of getting it wrong can be disastrous nonetheless.

This past year, I’ve started trying to hack my brain to reverse this thought process. It’s not that I want to ignore what could go wrong, but rather examine and invite the opportunity for things to go right. One part of this transformation has been due to a partial read-through of “The Power of Positive Thinking”, a book that examines the new field of positive psychiatry. The book’s theme in a nutshell is that the internal dialog you use to dissect problems you face can ultimately undermine not only your health, but your chances of success in the future.

Now I’m not one for pseudoscientific self-help mumbo jumbo, but there’s enough science quoted in the book that it’s a worthwhile read.

A lot of my introspection in the past has been overly negative – why aren’t I doing X, how come I haven’t achieved Y, why did I fail at Z? In the past half year, I’ve stopped doing that. It is in this new vein of positive thinking that I want to chronicle the things I’ve done in these 33 years:

  • I got an education: I was quite down on university during my time at both SFU and at UBC. In retrospect, I’ve come to realize that SFU’s Engineering Science program prepared me for the real world in ways that most programs don’t acknowledge as important, such as writing and presentation skills. Besides the formal education that comes with university, my experience in a variety of startups has spared me the experience of being a corporate cog, stuck in a single company for the entirety of my working career.
  • I made stuff: I always have felt the need to be busy, to have some project that I’m working on. In retrospect, I now realize I’ve actually done a lot of stuff with my time. I wrote a book, I recorded a CD, I’ve helped release a lot of software, and some of it even made a lot of money.
  • I travelled the world: Most people don’t even get to see the world at large, never mind live in it for any extended period of time. In just over the past decade, I’ve lived in five countries (US, Canada, Britain, Anguilla, Ireland). I’ve toured Europe and the US pretty extensively. I’ve accumulated two citizenships (Canada, Ireland), a US Permanent Resident card, and British Patriality. Although I lost my Australian citizenship when I became a Canadian, I could probably resume it without too much trouble. In short, I’ve gotten around.
  • I found a partner in crime: Shortly after leaving university, I married my wife Ashley. She’s been a constant companion on this adventure, patient in the face of my many moods, and always supportive of my decisions to undertake new or risky endeavors. She can read my mind most of the time, and has been a balancing force that keeps me grounded. Most people aren’t so lucky to find the one they want to be with for the rest of their lives. Lucky me!

I once knew a divemaster, Peter, that I met while living in Anguilla. As he took me out to dive sites, I asked him how he had ended up on a small island running a dive shop. It turns out that he’d had a fairly interesting life: he’d been a literary agent in New York for a decade, a mountain guide in the Himalayas for a half dozen years, then a junk-bond trader, and finally a divemaster in the Anguilla dive shop. He’d lived around the world doing weird things, and generally had enjoyed himself doing it. In many ways, it sounded like an ideal way to live.

As I look back on it, I’ve realized that I’ve actually already had a pretty damn interesting life. Here’s to more of the same.

Canadian Government Wants to Search Your Laptop

This appeared in today’s Province: New documents have been leaked showing the Canadian federal government is secretly negotiating an agreement to turn border guards and other public security personnel into copyright police. They would be charged with checking laptops, iPods and even cellphones for content that “infringes” on copyright laws, such as ripped-off CDs and movies. The guards would determine what infringes copyright.

This is being done under the Anti-Counterfeiting Trade Agreement – interestingly, federal trade agreements do not require parliamentary approval.

Seriously – are you kidding me? Just how, exactly, is this going to work?

“Sir, do you have your iTunes receipt for this copy of “In Da Club”? No? Then I suspect it’s illegal. Thanks for the free laptop!”

When border guards are incapable of recognizing that a MacBook Air is a real computer (the TSA was stumped by this for a while until they issued new guidance), how can we expect them to correctly judge what is or isn’t “infringing”?

Now that I think about it, why stop here? Why not also have them check everyone for “stolen” articles?

“Sir, do you have your receipt for the pair of Gap jeans you’re wearing? No? I think you stole them. Thanks for the free pants! Now, about that underwear…”

This smacks of bureaucracy that doesn’t actually solve a real problem – but it’s nothing new. A few years ago, the Canadian Copyright Board added a levy to blank media to remunerate artists for lost revenue due to “private copying”. As of 2007, the levy had generated over $100M; the portions of it applied to iPod-type devices were struck down, echoing a similar finding in 2004.

We need to see a little public outrage over this.

Reminder: SFU Alumni Board Elections on May 31st

A brief reminder that I’m running for a position on the Board of Directors for the Simon Fraser University Alumni Association.

Election of the Board of Directors occurs during the Annual General Meeting, which will be held as part of SFU’s Open House on May 31st, 2008 at the Burnaby Mountain campus. The Open House lasts from 12:00pm to 4:30pm, giving you an excellent opportunity to catch up on what’s happening with your old school. So come out, enjoy the activities, and, of course, go to the AGM at 1:00pm and vote for me. Thanks again in advance!

Is OpenID Doomed?

Zoho made an interesting move today by adding support for using a Google or Yahoo! account to authenticate to their suite of online productivity tools. I wonder what the OpenID community will think of this?

I’ve been following the OpenID space for the last little while, and this marks a curious turn in the development. OpenID has been promoting the idea of a decentralized system that would allow users to minimize the number of usernames and passwords they need to log in to the various web-based applications they use. It’s a great idea, but as I did some research for a client recently I concluded that the conflicting incentives for OpenID stakeholders may prove to be a barrier to adoption.

The core challenge is that while everyone wants to control users’ information by becoming an OpenID identity provider, there’s less enthusiasm towards becoming a relying party that accepts OpenID credentials. This is not especially surprising – controlling users’ information is the means that corporations maintain lock-in, and derive competitive advantage that they use to drive revenues. Hence, the move by many large web portals to act as OpenID identity providers, but not relying parties, has been viewed as an underhanded means to exploit the interest in the OpenID standard.

What’s curious about the Zoho move is that the company has obviously made the decision to accept third-party authentication credentials in a bid to lower the barriers to adopting its products. Google’s Docs and Spreadsheets offerings are a major competitor to Zoho’s offerings, so it makes sense to try to minimize the pain of switching from Google to Zoho products. However, the decision to include Yahoo! accounts in the mix confuses things somewhat. Given Yahoo’s current problems, why would Zoho want to include those users? And if you’re going to go to the trouble of supporting yet another authentication scheme to reach a wider audience, why not go for OpenID?

Overall, it seems very strange that Zoho would exert the effort to support GAuth (used by Google) and BBAuth (used by Yahoo!). Both Google and Yahoo! are now OpenID identity providers, so why go down the path that requires roughly twice the effort required to support OpenID? You could do less work, and reach more users!

I can only guess that this work began before Google’s and Yahoo!’s OpenID support was announced. However, there is one other troubling possibility: that while OpenID solves the technical problem, using a Google or Yahoo! account to authenticate to a third party is more easily understood by users.

Why Buy a Scooter?

Since returning to Vancouver in January, I’ve noticed a change in the types of vehicles on the road. The automobile landscape in Vancouver has expanded to include two new vehicles: Smart cars, and scooters.

Before I left Silicon Valley, I was commuting to work on a Yamaha Vino 125 motor scooter. With oil exceeding $90 a barrel already in those days, it was a good decision. And apparently more people are agreeing with me – even before I left California I started noticing more and more scooters on the road in the final months. I even had people pull up beside me at stop lights and ask me about buying one. Although I sold my scooter upon my departure from California, I thought I’d do a quick run-down on the pros and cons for people considering making the jump to a scooter.

The Good

  1. It’s easy: Although California requires you to get a motorcycle license to drive a scooter, obtaining a license is simple, especially if you already have a driver’s license. You take a simple written test to get your learner’s license, and then take a weekend safety course that exempts you from the DMV road test. Note that if you already have a driver’s license, you will also need to renew your existing license when you take the motorcycle license written test. In BC, you can ride scooters under 50cc using only your regular driver’s license (although these are pretty wimpy).
  2. It’s cheap: While a Vespa will run you between $5K and $6K USD, Honda and Yamaha make some sporty alternatives that cost a little over $3K with tax and dealer fees. Insurance will run you about $250 for the year.
  3. It’s fuel-efficient: I racked up 2,588 miles in a year and a half, sipping a meager 35 gallons or so of gas along the way. That’s about 70 to 80 miles per gallon (34 km/litre)!
  4. It’s environmentally friendly: Not only are scooters more fuel efficient, but four-stroke engines in larger scooters have lower overall carbon dioxide emissions versus cars. Not only will you be saving money, but you’ll be dumping about 75% less CO2 into the air.

The Bad

  1. No freeway for you: Unless you go with one of the high-end scooters with a larger engine, your state’s laws probably won’t allow you to drive your scooter on the freeway. Which is OK, because…
  2. Car drivers are insane: Nothing proves this quite like a 5-ton minivan moving into your lane without a shoulder check. Hello?? Hellooo? I’m right here!
  3. It’s distance limited: A scooter’s ideal for commuting about 10 miles or so. Any further, and the inability to get on freeway becomes an impediment to timely travel. For me, that was perfect – I drove 10 miles a day. Who wants to spend life commuting?
  4. Your friends are jerks: In our macho North American culture, nothing emasculates quite as quickly as driving a 236-pound scooter to work instead of a 5-ton SUV.
  5. Rain sucks: Climate is a major consideration. While California only gets a couple showers during the year, those times can be deadly on a scooter. Low visibility, reduced traction, and even crazier drivers.

The Awesome

  1. Traffic? What traffic? Nothing wipes the superior smile off a car driver’s face like watching a cute little girly scooter pull into the space between traffic and disappear into the distance. It’s a good feeling. Unfortunately, lane-splitting is illegal in BC, so this doesn’t apply to Vancouverites. However, there are always situations where a little extra maneuverability comes in handy.
  2. Did I mention it’s cheap? When you’re getting 80 miles per gallon, your gas costs go through the floor. On average, I spent about $3 a week on gas. Total cost for the scooter for the first year, gas and insurance included, was less than $4K. Cost to run after you’ve paid off the scooter? Less than $35 a month.

Happy scooting!

Uh Oh: TSA Can Search Laptops

A US Ninth Circuit Court of Appeals ruling this week has asserted that computers are like luggage and are therefore subject to searches at borders and airports. This is a scary revelation for anyone in the computer industry who is practically inseparable from their laptop.

Unlike luggage, a laptop is a vessel for storing sensitive corporate data, personal financial information, and in many cases, just about everything a person has ever done (I, for example, have email archives dating back to 1996).

This is yet another reason to start protecting your data using applications like PGP Whole Disk Encryption (for whom I used to work), or Open Source alternatives like TrueCrypt. Note that whole-disk encryption only protects a machine that is fully powered off; a laptop that is merely asleep still holds its keys in memory, so shut down before you reach the checkpoint. However, given that a US court has already ruled that a traveller can’t be forced to divulge his passphrase, I have to wonder how long it is before the TSA lobbies for a software equivalent to the ominous TSA travel locks?

SFU Alumni Association Board Nomination

As part of my continuing bid to try and help get things cooking in Vancouver, I’ve decided to run for a position on the Board of Directors for the Simon Fraser University Alumni Association. Thanks go to Aaron Cruikshank for suggesting this wonderful opportunity to give back to my alma mater, and nominating me for a board position.

This is, of course, the part where I do a little begging to help me get elected.

Election of the Board of Directors occurs during the Annual General Meeting, which will be held as part of SFU’s Open House on May 31st, 2008 at the Burnaby Mountain campus. The Open House lasts from 12:00pm to 4:30pm, giving you an excellent opportunity to catch up on what’s happening with your old school. So come out, enjoy the activities, and, of course, go to the AGM and vote for me. Thanks in advance!