A Brief Interlude, With Bees

There’s a bee hive in the Oak near our front door. The bees are good neighbors, coming and going in small numbers and seldom straying into the house. One day a limb is going to come crashing down and we’ll get drenched in honey.

On Thursday, the bees swarmed. I was at work and missed it. Yesterday, they swarmed again.

Here’s what the swarm looked and sounded like at its peak.

Ten minutes later, the swarm was half this size; an hour later it was gone. Today, the hive has returned to its normal routine.

XSS Exploits in WordPress Themes

I found a family of Cross-site Scripting (XSS) Vulnerabilities while checking out WordPress themes. It’s the same vulnerability, copy/pasted from one theme to its “inspired by” children.

An XSS vulnerability is where a site echoes JavaScript of the hacker’s choosing back to some innocent third party, typically because the site accepts injected input that it isn’t coded to sanitize or encode. The third party’s browser executes the JavaScript as if it came from the site, which gives the injected script access to any cookies the third party has with the site. The hacker stealthily retrieves the cookies, and it’s all downhill from there. Lost cookies can lead to lost passwords.

One of my longer-overdue tasks has been to get this site off of the default WordPress theme. So I’ve slowly been checking out themes, taking notes of what I like, and kicking a few of them around on a private WP install on my laptop. Quite a few themes are fodder for XSS attacks, by way of incorrectly sanitized search pages.

Here’s how to tell if the theme you’re looking at (or using!) is vulnerable to the XSS exploit. Type this into the search box:

<script>alert('xss');</script>

If you get a pop-up dialog that says ‘xss’, you’ve found a vulnerable theme. Repair the vulnerability before using the theme, or find a safer one.

To pick on one theme in particular (because it’s a nice theme, and the author hasn’t fixed the exploit or responded to my email), try this on the DePo Clean theme. Scroll to the bottom to get to the search box.

Fortunately, repairing the vulnerability is straightforward. Find and open search.php in the editor of your choice, then replace

<?php echo $s; ?>

with

<?php echo strip_tags($s); ?>

This prevents a script entered via search from being echoed back to the user.
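The added example below (not code from the post or from the DePo Clean theme) shows what each version of that echo in search.php sends to the browser. It assumes $s holds the text from the search box, as WordPress sets it; here it is constructed.

```php
<?php
// Added example, not code from the post or from the DePo Clean theme. It shows
// what each version of the search.php echo sends to the browser. $s is assumed
// to hold the search box text, as WordPress sets it; here it is constructed.

// Vulnerable: the term is inserted into the page exactly as typed.
function render_raw(string $s): string
{
    return '<h2>Search results for: ' . $s . '</h2>';
}

// The post's fix: strip_tags() deletes the <script> element, so nothing runs,
// but it also deletes any markup-looking text the visitor meant literally.
function render_strip_tags(string $s): string
{
    return '<h2>Search results for: ' . strip_tags($s) . '</h2>';
}

// Output encoding: the browser displays the text as typed and cannot parse
// it as markup. ENT_QUOTES also encodes quotes, so the same call is safe
// when $s lands inside a quoted attribute such as the search input's value.
function render_escaped(string $s): string
{
    return '<h2>Search results for: ' . htmlspecialchars($s, ENT_QUOTES, 'UTF-8') . '</h2>';
}

$inputs = [
    "<script>alert('xss');</script>",  // the test string from the post
    'bees <b>and</b> pliers',          // an ordinary search term that contains tags
];
foreach ($inputs as $s) {
    echo "raw:        " . render_raw($s) . "\n";
    echo "strip_tags: " . render_strip_tags($s) . "\n";
    echo "escaped:    " . render_escaped($s) . "\n\n";
}
```

strip_tags() removes markup but does not encode what remains, so it only protects an echo that lands in plain HTML text; encoding with htmlspecialchars() (which current WordPress wraps as esc_html() and applies in get_search_query()) is safe in both text and attribute positions and keeps the visitor’s search term intact.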

And consider sending a note to the theme’s author. Fixing a problem at the source is usually best.

And no, no new theme here yet. Working on it.

A Word About Hospitals and Flowers

The dread “____ is in the hospital” call came in early February. I spent parts of that month on airplanes, doing bedside duty, and taking care of things away from home. A few long weekends disappeared from the calendar, and a bunch of stuff I’d wanted to get done either went *poof* or caused cascading delays. Meanwhile, other, smaller emergencies didn’t get the memo about waiting their turn. It’s taken most of March to get back on top of things.

If you have friends and family, at some point the same might happen to you. One moment your life is chugging along, and the next you’re sitting in a hospital keeping someone company, or just being there for them while they go through a miserable, painful experience.

One lesson from this is that it’s important to have a way to quickly contact people who may be expecting things from you, so that they can know you’ll be unavailable and can make alternate plans. A quick exercise is to list all of the things you’re involved in, and who might be left hanging if you suddenly had to disappear. Do you have their contact info, or contact info for someone who can let other people know? Can you reach them if you don’t have net access?

The other lesson has to do with flowers.

The florist industry has spent a lot of advertising money conditioning us to send flowers when someone we’re close to goes into the hospital. From what I’ve seen hanging around a large hospital, that advertising paid off. Arrangements too large for one person to carry getting wheeled in; roses and daisies by the dozens; a large, heavily tattooed Yakuza wannabe carrying a dainty little arrangement in a tiny vase for his sick mother.

There are at least three problems here.

First, there’s not a lot of room in many hospital rooms. Surface space is at a premium. There’s no place for the flowers to go that doesn’t displace something else, and often that something else is medical. So expensive arrangements end up on the floor in the corner, out of the patient’s sight.

Second is the issue of pollen and smell. You’d think that people (or florists) would know not to send a mass of allergens into confined places where people might be having, say, respiratory problems. But it happens. And you don’t want the patient going into a sneezing fit when they’re hooked up to a bunch of tubes, or when they’re in traction. And we link smells to events. It isn’t nice to associate the smell of, say, roses with having an IV needle changed and being woken up at all hours for blood pressure checks.

Third is the “no flowers” policy in some wards that will leave you stuck with a bill for flowers that the florist couldn’t deliver, or which a nurse immediately redirected to a trash can outside. An expensive gesture, wasted.

So when someone you love goes into the hospital, think twice about sending flowers. If you can, coordinate and send one small, neutral arrangement. Cards are good. Send cards.

By the time you start to notice

In a short lightning interview that Ward Cunningham did with Ron Jeffries and Chet Hendrickson, Chet has this to say about Technical Debt (emphasis mine):

“Our experience has been that by the time you start to notice that the code needs to be cleaned up, you’ve already lost a lot of time because of it, and it’s almost impossible to ever get back to where you were. We actually believe that you can never be as clean by going back a month or a week later and cleaning up than you could if you just cleaned up as you went.”

“By the time you start to notice” is a challenge. You either have to be so clean in your coding practices that you never present yourself with the need to notice problems, or you have to develop your ability to notice problems so that you can spot them sooner. I’ve never seen a team—even one doing TDD and refactoring in earnest—manage to stay completely clean, so it would seem that developing noticing skills, and helping teams develop willpower, is the way to go.

Configuration needs testing, too

This morning Google pushed a bad configuration file used by search, and for 55 minutes all search results came back with a “this site may harm your computer” warning.

Oops.

A timely reminder that configuration needs testing, too.

The question that you need answered before you push is “will the application configured in this new way behave the way I expect it to?” The details of how you’ll test to answer that question will depend on the nature of your application and its configuration data, but will probably include some tests against possible misconfigurations. In Google’s case, where the configuration error was essentially an accidental wildcard in a blacklist, a simple “verify that there isn’t a wildcard here” test would have saved them some embarrassment.
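As an added illustration (not Google’s code or configuration), here is the shape such a pre-push check might take for a URL blocklist. It assumes each entry is a host-and-path prefix and that a URL is flagged when it starts with an entry, so an entry of just "/" or "*" flags every URL; the list contents and canary URLs are constructed.

```php
<?php
// Added example, not Google's code: a pre-push check for a URL blocklist file.
// Assumption: each entry is a host-and-path prefix and a URL is flagged when
// it starts with an entry, so an entry of "/" or "*" flags every URL.

// Returns the problems found; an empty array means the list is safe to push.
function check_blocklist(array $lines, array $canaries): array
{
    $problems = [];
    foreach ($lines as $i => $line) {
        $entry = trim($line);
        $where = 'line ' . ($i + 1);
        if ($entry === '' || $entry[0] === '#') {
            continue;                       // blank line or comment
        }
        // An entry made only of wildcards, slashes or dots matches every URL.
        if (preg_match('#^[/*.]+$#', $entry)) {
            $problems[] = "$where: '$entry' matches every URL";
            continue;
        }
        // Every entry must begin with a hostname, so it cannot match every site.
        if (!preg_match('#^[a-z0-9-]+(\.[a-z0-9-]+)+(/|$)#i', $entry)) {
            $problems[] = "$where: '$entry' does not start with a hostname";
            continue;
        }
        // Canary URLs are pages that must never be blocked, such as your own site.
        foreach ($canaries as $url) {
            if (strpos($url, $entry) === 0) {
                $problems[] = "$where: '$entry' would block canary $url";
            }
        }
    }
    return $problems;
}

// Constructed sample lists and canaries (all .example hosts are placeholders).
$canaries = ['www.mysite.example/', 'www.mysite.example/about'];
$good = ['# blocklist', 'badware.example/', 'evil.example/downloads/'];
$bad  = array_merge($good, ['/']);      // the accidental wildcard

foreach (['good' => $good, 'bad' => $bad] as $name => $list) {
    $problems = check_blocklist($list, $canaries);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

Wired into the push script so that a non-empty result aborts the push, the canary check also catches the subtler case of a legitimate-looking entry that happens to be a prefix of a page you care about.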

Are there simple tests that could save you from embarrassment?

A Hardware Interlude, With Pliers

When it came time to replace my always-on home Linux box, I settled on the Intel Atom in its dual-core flavor, and set about building a small system based on Intel’s D945GCLF2 motherboard. The idea of a system that draws 45 watts when running full out was compelling.

I also wanted quiet. Several reports noted that the fan that comes on the board is noisy. The guy at the local computer store who sold me the parts confirmed the problem, and handed me a Zalman ZM-NBF47 fanless northbridge cooler as a replacement.

When I put the system together, it looked like the Zalman wouldn’t fit. The CPU heatsink blocks one orientation, and RAM blocks the other. So I left the stock heatsink/fan in place. Big mistake. Lots of noise.

After a bit of head scratching and some Googling, I found the trick.

First, mount the clips on the Zalman and bring them out on a diagonal. Then, with needle-nosed pliers, bend the hooks backwards like this:

Zalman heatsink with hooks twisted backwards

Next, remove the stock northbridge heatsink and fan, clean off the old thermal grease, and lay down a new coat from the tube that comes with the Zalman. Set the Zalman down diagonally, and attach it through the back side of the hooks on the motherboard, like this:

Zalman heatsink hooked onto Motherboard

It’s a tight fit. There’s less than 1/8″ clearance between the Zalman and the RAM stick, and I bent a few of the fins up so that they wouldn’t touch the CPU heatsink. The Zalman is quite warm to touch, so you’ll want a case with good ventilation.

The result, with the board in a case with a fanless quiet power supply, is a very quiet system. If I listen, I can hear the disk spinning, but that’s it. Bliss.

I’m sure that replacing the stock heatsink/fan voided the warranty on the board, but if you insist on quiet, it’s worth the risk.

The D945GCLF2 with 2Gb seems to run Ubuntu 8.10 without any problems. The onboard video drives a 1600×1200 LCD reasonably well, though there’s no mistaking it for a gaming box. I haven’t tried audio yet. One pleasant surprise was checking /proc/cpuinfo and finding four processors listed instead of the two I expected. Each core is hyper-threaded.

Addenda: There’s a good discussion on quieting this board at silentpcreview.com. Note in particular concerns about how hot the chipset runs, and assumptions about the fan providing cooling for the passive heatsink next door. Taking a closer look at the power supply in my box, I found that it had a very quiet fan that provided airflow over the southbridge heatsink. If you don’t have airflow, the ZM-NBF47 might not be what you want.

A discussion on the Ubuntu forums has instructions for enabling lm-sensors so that you can see the chip temperatures.