1 Earth. 6.5 Billion Adventures

Anything is Possible

Archive for the ‘howto’ Category

Sneaky YARPP

You know, I may feel many things in my life are beyond my control, but my blog is not one of them. Nope, my blog is mine, completely under my control.  What I say goes, what I say stays.  My blog is my country and I’m the dictator.

I therefore feel not unlike Robert Mugabe when Morgan Tsvangirai went all democratic on his ass, when something that I didn’t explicitly OK appears on my blog.

So it was then, quite by accident, that I looked at my own RSS feed and saw some new stuff that I didn’t rubberstamp appear there.  Sneaky YARPP (Yet Another Related Posts Plugin) had unilaterally decided to not only insert some related posts into my feed (new feature!), but also to reward itself with a promo link back to its own website below every single entry - without asking or even telling me!

YARPP is a free piece of software from the Wordpress Plugin Repository.  It doesn’t require me to pay for it, it doesn’t even require me to link to it in exchange for using it.

Of course, it’s a great piece of software and we all have to eat, so donating a link is the least I can do to thank the creator for his hard work, right?

But for crying in a bucket, ask me first! Don’t go and be clever and write yourself into my country. Subverting a dictator will cause heads to roll.

When I auto-upgraded YARPP it came with these new features. One’s automatic inclusion in your RSS feed and two is an automatic link underneath every entry (which on an RSS feed with 10 items listed means 10 links to YARPP).  And it’s on by default - disable it in the plugin settings.

Here’s a link, mitcho; please don’t take liberties on my blog like that again - there are other plugins out there that do the same thing.

If you enjoyed this post, do subscribe to the 1Earth RSS feed!

Wordpress 2.6 Upgrade and 404 Error

I love it when I log into my WordPress admin area and it tells me that  a new WordPress is available. I love upgrades. Yes, really.  On this occasion, however, I lost the battle when I came face to face with the Wordpress 2.6 Upgrade and a 404 Error.

First it’s very important to note that in WordPress’s 3 Step Upgrade Guide, there is in fact a Step 0. Step 0 reminds you, and wisely so, to back-up your WordPress install, because as good as the WordPress community is, they are all still human.  So if a bug in the code sneaks in or you’re trying to cyber while you upgrade and not paying attention, then a back-up is a very handy fall-back for if your site falls down.

Moving on - last night I downloaded the new Wordpress 2.6 with trembling hands, anticipating the new features, the improved speed and that new software smell.  I followed the instructions for the upgrade (backup, delete & upload, click upgrade) and after I did something nice for myself, when I logged back into 1earthadventures, everything seemed fine.

But then I noticed in my Feedjit that somebody had landed on a 404 error page, which shouldn’t happen.  As I clicked on a single post, before it even loaded, the title turned to “Oops!” that signified the serving of a 404 error page.  Turns out that all my single posts under Wordpress 2.6 were inaccessible and got a 404 error page instead.

As my main page worked, the obvious error was with the URIs and at first I thought perhaps my fancy URIs were turned off by mistake.  Checking the settings in the admin area, this was proven to be false.  I checked my .htaccess file just to make sure none of the conditions in there were accidentally erased, but that too was untouched.

Next I turned to Google and said a prayer, which was answered in the form of several WordPress forum posts.  But alas, the Wordpress 2.6 upgrade had only been released a few hours prior and the only help the forums proved to be was to show me that I wasn’t the only one having this 404 error problem.

A moment ago I searched for this again and stumbled across this bug report, which outlines the problem.  In essence, for those of us who use index.php in the URI, this problem will persist until they fix it, or until you fiddle with your code and temporarily fix it yourself (read that bug report for what to do).

The problem has been escalated and is now considered critical and is destined for Wordpress 2.6.1. Obviously it will affect a lot of bloggers, so let’s hope everybody backs up first. But it should, as far as I understand it, only affect those of us who use index.php in our URIs.

In the meantime, I’ll figure out how to get rid of index.php in my URI without screwing up all my links in the search engines.  In one of the posts the moderator said that if you’re hosted on Unix/Linux, then you really shouldn’t need index.php in the URI - as that work-around came about for the benefit of those hosted on Windows IIS.

I’ll explore that and hopefully I can beat the Wordpress 2.6 Upgrade and 404 Error dilemma before the 2.6.1 fix.

Update 080717 - Wordpress 2.6 404 Error Fix/Solution

Thanks to the feedback from amy-wong.com and Kerry Webster, I’ve solved my 404 Error issues.  First I went into my WordPress settings and in the custom URI I simply removed “index.php” from the string.

I can’t remember why I chose to have index.php in the first place, but I didn’t want to remove it because I thought my links from other websites and in search engines wouldn’t work.  But as Amy Wong confirmed, the links still work as they simply direct themselves to the new URI sans index.php.  I tried this in my 2.5 install first to test it, before I upgraded - because that pesky “index.php” is what broke my 2.6 install.

Oh, the trick above apparently is guaranteed to work if your site is hosted on an Apache server (on Linux), but if you’re hosted on Microsoft’s IIS you might have problems - as index.php was left in there for the poor people on IIS.  Kerry Webster created this work around, but Kerry, I suspect, is a server admin, so you might not have the access required for this stunt and I’m not entirely sure your host will be keen to try it.

Anyway, after that, I once again installed WordPress 2.6 and *tada*, it worked like it should. No more 404 Errors.  So yay! for upgrades! Yes, it bombed at first, but the upside is not only do I have a fresh release of WordPress, but also much tidier URIs.

Rock on, WordPress!


Secure communications with SSL, PHP & gnuPG - Part 3

This entry is part 4 of 3 in the series Secure Communications

In Part 3 it’s just a question of getting it to work.

To get gnuPG working in Thunderbird is a simple matter of installing gpg4win, and the Enigmail plugin. But Thunderbird is an opensource community project and everything is easier.  I’m doing all this for an Outlook user - Outlook 2007 no less.  According to gpg4win.org, it’s only been tested up to Outlook 2003 SP2.

I have to confess, at first, I thought it didn’t work in Outlook 2007, but turns out I kept on trying to decode an empty message. I didn’t put a value in the body variable of the PHP code I published in Part 2 and kept on sending myself encoded, but empty messages.

But, the default install of gpg4win does in fact work with Outlook 2007. Here’s how it worked for me - I have all the latest service packs for Office installed, in case it makes a difference:

  1. Download gpg4win from gpg4win.org;
  2. Install everything except Claws Mail, a mail client in itself (GPGol is what’s going to do it for Outlook);
  3. Run GPA and either create a key pair, or import a key pair you already have;
  4. If you generated a key pair, upload the public key to your server before you send yourself a test message;
  5. Close everything and restart your computer;
  6. Send yourself a message using the PHP script above after you’ve uploaded the key you’ve imported into GPA;
  7. When you next run Outlook 2007, you’ll see a new GPG option at the bottom under the Tools menu. This is good news. There are also new tabs in your mail options, but the defaults should work;
  8. When you receive the message you sent yourself in 6, open it.  If everything worked on the server side, you should see a message with several lines of meaningless characters and numbers;
  9. You will notice a new tab at the top of your received message window, called extras. In this tab will be one lonely unmarked icon.  If you click this, a prompt box will ask you to type your secret phrase, and if you get it correct, your message will miraculously be decoded.
  10. Depending on the settings, the key will be valid for 5 or 10 minutes, meaning you can decode more messages in that time by just clicking that icon (not having to type your pass phrase again).  If you don’t save the message when you close it, it will be encoded again when you close and relaunch Outlook.  If you do save it, the message in your inbox will stay decoded.

If this method didn’t work for you, try launching WinPT.  A key will appear on your taskbar next to the time.  Copy the entire encrypted message out of your email message (CTRL+C will do the trick), right click on the key and choose Clipboard -> Decrypt/Verify. A window with the decoded message should appear.

If that still didn’t work, check that you have the public key on the server that generated the message, that matches the private key you have in your GPA that you’re trying to decode it with.  They work in pairs and being the powerful encryption security that it is, it’s kind of strict.

And there you have it.  A closed security system using SSL, PHP and gnuPG through which people can send you all sorts of sensitive information in complete safety.


  • 0 Comments
  • Filed under: howto, techie stuff
  • Secure communications with SSL, PHP & gnuPG - Part 2

    This entry is part 2 of 3 in the series Secure Communications

    In Part 2 of the mission of the week, we look at how to set it all up on HostGator.  The chosen host, because that’s where I host my websites, you see.

    HostGator SSL, gnuPG (GPG) and PHP how-to

    As it took me the entire day to piece all of this together, I thought I would share the love and spare somebody else (maybe you) a lot of trouble.  It’s kind of HostGator specific (especially the paths) as they are my host.  I found other how-to’s didn’t work for me, because of different paths.

    I’m assuming you’re going to use all the free features, like I did, so that’s what I’m explaining.

    • To get a SSL going, determine the name of your server: open a terminal window on Linux or a command prompt in Windows and type telnet yourdomain.com 25. You can also use the IP address instead of yourdomain.com.  It will log on with some text and also reveal the name of your server - something like mohawk.websitewelcome.com.  Your secure files can thus be called by going to https://mohawk.websitewelcome.com/~username/thefile.php - where username is the name of your HostGator account user name.

    I couldn’t Telnet from work.  They block the Telnet port, but leave LimeWire and MSN wide open.  Why? This I do not know. Anyway, from home on my private ADSL it worked a charm.  That’s all you need to do to enable the SSL - just call your web-form through https and you’re secure - you’ll see a little lock icon in the bottom righthand corner of your browser, and if you click on it you can get more information about the certificate issuer.

    • You can generate a key pair through Cpanel under Manager openPGP key. Just fill in all the fields and click generate.  It can take a moment.  However, if you’re using Windows, you’ll have to download gpg4win, which as the name suggests, is GPG for Windows.  You can also generate the key pair here, and only upload the public key to Cpanel. The advantage is that your private key is not on the server, ensuring an extra step of security.
    • The public key is what your PHP script will use to encode your form data and that’s why it needs to be on the server.  At first, HostGator said GPG is not installed by default, but I could see a .gnupg directory in my home directory, so I thought they might be wrong.  They emailed me some time later and said that it is in fact installed, and that it can be accessed through ‘/usr/bin/gpg’.  I also had to call the directory above, which was at ‘/home/yourusername/.gnupg’.
    • This little snippet of PHP (which I got from 1and1.com) will take whatever you feed it, use your public key which you loaded / created in Cpanel, run it through gnuPG and send an encrypted email to the address of your liking:

    <?php
    // Replace this with the user name or e-mail address that you used for your PGP key pair
    $pgpuser = "email.used@inyourkey.com"; // The email used to generate your public key

    // Recipient of the email
    $testemail = "any.old@emailaddress.com";

    // Replace with your subject
    $emailsubject = "Encrypted Email Subject";

    // The from field
    $emailfrom = "From: yourwebsite@sentit.com";

    // Feed your text in here
    $body = "To test if your decryption works, put some text here or feed in the variables from your submitted forms";

    // Tell gnupg where the public key is that it should use to encode your message
    // This is usually in your home directory, below the public_html (mine is .gnupg)
    // Change this to the correct path of your web space. On HostGator: /home/username/.gnupg
    putenv("GNUPGHOME=/home/username/.gnupg");

    // Create a temporary, unique file name to work from
    $infile = tempnam("/tmp", "PGP.asc");
    $outfile = $infile . ".asc";

    // Write the plain text into the temp file
    $fp = fopen($infile, "w");
    fwrite($fp, $body);
    fclose($fp);

    // Build the gpg command line (this path works on HostGator).
    // Options start with two hyphens; every value is shell-escaped.
    $command = "/usr/bin/gpg -a --always-trust --batch --no-secmem-warning -e"
        . " -r " . escapeshellarg($pgpuser)
        . " -o " . escapeshellarg($outfile)
        . " " . escapeshellarg($infile);

    // Run gpg: this is what actually encrypts the temporary file
    system($command, $result);

    // The encrypted copy now exists, so delete the plain-text temp file
    unlink($infile);

    if ($result == 0) {
        $fp = fopen($outfile, "r");

        if (!$fp || filesize($outfile) == 0) {
            $result = -1;
        } else {
            // Read the encrypted file
            $contents = fread($fp, filesize($outfile));
            fclose($fp);

            // Delete the encrypted file
            unlink($outfile);

            // Send the email and write something nice if it was a success
            // Otherwise moan bitterly and wonder what went wrong
            // Errors are usually either your username, or more likely the paths to your gnuPG
            // Contact your Tech Support for your paths - the ones shown here work for HostGator.
            mail($testemail, $emailsubject, $contents, $emailfrom);

            print "Thank you!! Your encrypted booking information has been sent.";
        }
    }

    if ($result != 0) {
        print "There was a problem processing the information.";
    }

    When you call this script as is above, it will encode the hard coded text in the $body variable and send it to the email address specified in $testemail.  You will then have a lovely gnuPG encrypted email that you can do nothing with… unless you read on and complete the mission.
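A variant of the script above for real form submissions, as an added example that is not part of the original post or the 1and1.com snippet: it pipes the form text to gpg over stdin instead of writing it to a temp file in /tmp, and passes the arguments without a shell. It assumes PHP 7.4+ with proc_open enabled and the post's HostGator paths; the field names name, email and details are hypothetical.

```php
<?php
// Added example, not the post's code. Paths and addresses are the post's
// placeholders; the form field names are assumptions.
const GPG_BIN   = '/usr/bin/gpg';
const GPG_HOME  = '/home/username/.gnupg';
const RECIPIENT = 'email.used@inyourkey.com';
const MAX_BODY  = 32768; // small cap: keeps the pipe exchange below from stalling

// Encrypt $plaintext to $recipient's public key; returns ASCII armor or null.
function gpg_encrypt(string $plaintext, string $recipient): ?string
{
    // Array form (PHP 7.4+) runs gpg directly, so no shell parses the arguments.
    $cmd = [GPG_BIN, '--homedir', GPG_HOME, '--batch', '--no-tty', '--armor',
            '--trust-model', 'always', '--encrypt', '--recipient', $recipient];
    $spec = [
        0 => ['pipe', 'r'],              // plaintext in
        1 => ['pipe', 'w'],              // armored ciphertext out
        2 => ['file', '/dev/null', 'w'], // discard gpg's diagnostics
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $plaintext); // the plaintext never touches /tmp
    fclose($pipes[0]);
    $armor = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);

    // Trust the result only if gpg exited cleanly and produced an armored message.
    $ok = $exit === 0 && is_string($armor)
        && strpos($armor, '-----BEGIN PGP MESSAGE-----') === 0;
    return $ok ? $armor : null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Refuse submissions that did not arrive over the https URL.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(400);
        exit('Please submit this form over https.');
    }
    $body = '';
    foreach (['name', 'email', 'details'] as $field) { // hypothetical fields
        $value = $_POST[$field] ?? '';
        $body .= $field . ': ' . (is_string($value) ? $value : '') . "\n";
    }
    $armor = strlen($body) <= MAX_BODY ? gpg_encrypt($body, RECIPIENT) : null;

    // Form values go only into the encrypted body, never into mail headers.
    if ($armor !== null && mail('any.old@emailaddress.com',
            'Encrypted Email Subject', $armor, 'From: yourwebsite@sentit.com')) {
        print 'Thank you!! Your encrypted booking information has been sent.';
    } else {
        print 'There was a problem processing the information.';
    }
}
```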


  • 2 Comments
  • Filed under: howto, techie stuff
  • Secure communications with SSL, PHP & gnuPG - Part 1

    This entry is part 1 of 3 in the series Secure Communications

    Mission this week: a web form that can securely accept data via a website and deliver it by email.  The solution was secure communications with SSL, gnuPG and PHP. Let me walk you through it.

    “Throw up a form on the website and we’re done”, said the people involved who didn’t know any better.

    It’s true, you could throw up a form and be done with it; and have your sensitive data floating around the net for anybody who wanted to listen.

    Websites and Email are not secure

    There are two major weaknesses when it comes to online communications: one is between your computer and the website you are surfing, and the other is between the website that took your information and wherever it’s being sent or stored.

    Ensuring security of the data I wanted to collect was thus two fold:

    1. Secure information traveling between website visitor and website; and
    2. once the data is collected, deliver the information securely, in this case, via email.

    SSL: Secure Socket Layer

    If you’ve ever visited a site that started with https, then you’ve used a Secure Socket Layer. Yahoo mail for instance, your online banking, or Ebay all use SSL to scramble information as it travels from your computer to their server - lots of juicy stuff and virtual money needs to be kept safe.

    In essence, when you’re filling in a web form, you’re doing so on your computer - or client side as it’s called.  The moment you press submit, whatever you’ve filled in travels over the Internet, from computer to computer on its way to the server. While it’s in transit, it’s possible to catch that info and read it.

    With a Secure Socket Layer, once you hit submit, the information is encoded. This scrambled information then travels over the Internet and is deciphered when it reaches the other computer.  If somebody catches it mid-air, depending on the power of their computer(s), it could take a really, really long time to decode your message.

    At work, we use a reseller account with HostGator, the host I use for all of my websites. They provide a free, but shared SSL. It’s a bit ugly, as it uses the name of the shared server, but it’s free. They have a paid-for private SSL which allows you to host the SSL under your own domain.

    PGP: Pretty Good Privacy

    The same thing above happens to your email as well.  When you send an email, it floats across the Internet to the intended recipient and leaves a copy of itself wherever it rests.  Somebody can come and read it not only while it’s traveling, but also if they catch it before it’s deleted from the mail relay - depending on the relay it could stay there ages.

    PGP (Pretty Good Privacy) is an encrypting system for email, based on the openPGP standard and in principle similar to SSL.  On your side you scramble the message with a public key and on the other side somebody unscrambles it with a private key. In between, nobody can read it, as it’s a jumble of letters and numbers that makes no sense - the public key cannot unscramble, only scramble.

    Through Cpanel, the control panel in the back office of my websites, HostGator provides an openPGP system that uses gnuPG (Gnu Privacy Gateway), which is essentially the same as PGP, except it’s totally free.  This will generate a public and private key for you.

    Other Implications

    So the public key is used to encode the message, which is then sent to you. On your end, you use the private key to unlock the code and read your mail.  Receiving sensitive information in scrambled form and storing it that way, has advantages and disadvantages.

    A major advantage is that the email is always secure.  It’s a great way to ensure that annoying, sneaky viruses that help themselves to information in your inbox don’t send the entire world your clients’ credit card, or worse, the result of that pregnancy test your boss’ wife who you had a fling with sent you.

    On the downside, if you lose your key, your emails become as useless to you as they are to those annoying viruses.  Therefore, make several backups of your key and store them in trusted places.  Your emails are also only as safe as your computer, so if somebody can get to your computer, they could read it as you would. Secure your computer, use Linux.


  • 0 Comments
  • Filed under: howto, techie stuff


