Security: What should I do about Java


What Java is:

Java is a programming language developed in 1995 by Sun Microsystems. It is now managed by Oracle, which acquired Sun in 2010. The interesting thing Java introduced was the idea of compiling to bytecode that runs on a virtual machine, so one set of code could run “anywhere”. More history is available here, if you are interested: Java History.

Most programs are compiled into machine language targeted at a specific processor and operating system: a program compiled for Windows will not run on a Mac (at least not without an emulator), and so on. Java instead compiles to “bytecode”, which is understood and executed by a Java virtual machine (JVM). Wherever a JVM exists for a piece of hardware, it can run any Java bytecode. This “write once, run anywhere” idea generated lots of buzz, although in the real world it is not as simple as writing one program that works everywhere.

It is now used for lots of different projects, including the Android application framework and native Android apps, which are written in Java (Android compiles them to its own Dalvik bytecode rather than running a standard JVM). You may or may not have Java installed and operational on your computer. I have it on all my machines because I develop for Android.

What Java is not:

The biggest issue with the current alarms regarding Java is that it is very easily confused with JavaScript.

JavaScript is a scripting language that runs inside the web browser, originally created by Netscape in 1995 (it can also run on servers these days, via Node.js, but that is not what the Java warnings are about). The two languages are not related: they have different syntax and are used for different things, but thanks to a very poor naming decision by Netscape, they are forever linked together. (For more info on JavaScript, go here.)

Let’s just say it in unison – all together now: “Java is not JavaScript”.

Years ago, there were some very serious security issues with JavaScript and many people disabled it in their browser. Today it is a mature technology and a key part of how the web works. Your experience on most sites is degraded by disabling JavaScript, and I always recommend that it be enabled.

Is this security warning real?

It is real, for two reasons. First, there is a serious security hole in Java that, as of this writing, is unpatched and is actively being used by attackers to steal personal data and install malware on computers. Second, many people do not even realize that Java is installed on their computer.

This issue needs to be taken seriously. The good news is that the current exploits reach Java through the browser plugin: a malicious web page loads a Java applet, and the applet breaks out of Java’s sandbox onto the local machine. You can leave Java installed for desktop applications that need it, as long as you disable Java in every browser you use so that web pages can no longer invoke it. If nothing on your machine actually needs Java, the simplest fix is to uninstall it altogether.

How do I know if I’m at risk?

Oracle provides an online tool that checks your current Java version:

Verify Java Version

The nice thing about this tool is if Java is disabled in your browser or if Java is not installed, then the tool will tell you that “No working Java was detected on your system.”

Important note: If you use more than one browser, be sure and run this check on all of them!

How do I disable Java in the browser:

I don’t really want to reinvent the wheel – this information is already widely available. Here are some links that explain how to disable Java in the browser:

Here is a pretty comprehensive set of instructions for all major browsers:

How to Unplug Java from the Browser

Since dealing with IE is a major pain, here are Oracle’s own instructions, which apply to Java 7 Update 10 and later (the release that added the browser on/off switch to the Java Control Panel):

How do I disable Java in my web browser?

(I tried to follow their instructions and my Java Control Panel did not match what is shown – your mileage may vary.)

UPDATE: Wow, I work with computers 10 hours every day and I had a rough time getting Java to disable in IE. I followed all the guides and none of the options worked. I finally figured out that I have the JRE (Java Runtime Environment) installed in two places:

  • C:\Program Files\Java\jre7\bin
  • C:\Program Files (x86)\Java\jre7\bin

Starting the Java Control Panel from the Windows Control Panel was giving me the older version of the panel without the new option to disable Java in the browser. By manually running javacpl.exe from the second location listed above, I was able to access the updated panel with this option. This enabled me to successfully disable Java in Internet Explorer on my computer.

UPDATE 2: Looks like the massive publicity about this issue forced Oracle to move on the issue faster than they were initially planning. There is a new release (Java 7 Update 11, “7u11”) that patches the two security flaws that allow malicious browser applets to exploit the local machine. Update Here.


Dynamic Copyright Year in WordPress


Copyright dates are typically hard-coded into custom themes, so now that we have crossed the threshold into a new year, it is a good idea to double check your site and make sure the correct dates are showing up.

It is an even better idea to just have the theme update them for you automatically – which is very easy to do.

Start by adding the following function to your theme’s functions.php:

// Prints "© Copyright 2012, Site, All Rights Reserved." in the site's first
// year, and "© Copyright 2012-2013, Site, ..." in every year after that.
function copyright($start_year, $site_name) {
  $year = (int) date('Y');          // current year from the server clock
  echo "© Copyright ";
  echo $start_year;
  if ($start_year != $year) echo "-$year";   // only show a range once a year has passed
  echo ", $site_name, All Rights Reserved.";
}

Then, add the following to your footer template in place of your existing Copyright notice:

<div class='copyright'>
<?php copyright(2012, "Trionic Labs, LLC"); ?>
</div>

The first argument to the copyright function is the year your site first started publishing. The second argument is the site name.


Bootstrap for WordPress


I love Bootstrap as a starting point for new projects and Initializr is even better as it packages everything up nicely and adds extras if you want them. However, most new projects for me are WordPress based.

I’ve been meaning to make a standard starting theme but usually getting work done takes precedence over creating tools. However, I finally just decided to spend the time and do it right.

The result is this parent theme: bootstrap_wordpress which takes Responsive Bootstrap, and adds in Modernizr and Respond.

My implementation just takes the Initializr structure, removes a few empty files and adds WordPress functions.php and style.css. I’ve also added a very simple layout using index.php, header.php and footer.php. The point here is not a WordPress theme that works and has extra features; instead it is merely a launch point for a clean, responsive HTML5 project.

I’ve also included a child theme sample, which is where you want to implement your theme. Hope someone finds this useful…oh wait, I already have.


Easy OpenGraph in your WordPress Theme


There are dozens of plugins that provide social capabilities. My experience has been that they often don’t work properly with the current incarnation of Facebook’s OpenGraph. Another common problem is that it is very easy to end up with multiple plugins (say a social plugin and an SEO plugin) that both emit OpenGraph tags, so the page carries two conflicting sets and Facebook picks whichever it likes.

Rather than relying on a plugin, it is very simple to add the basic OpenGraph tags to your theme by adding the following code to functions.php:

add_filter('language_attributes', 'opengraph_scheme');
function opengraph_scheme($attr) {
  // Declare the fb: namespace on the <html> element so fb:admins validates.
  $attr .= ' xmlns:fb="http://ogp.me/ns/fb#"';
  return $attr;
}

add_action('wp_head', 'opengraph_elements', 5);
function opengraph_elements() {
  // Only single posts and pages get per-item tags.
  if (!is_singular()) return;

  global $post;
  // Every value echoed into a content="" attribute goes through esc_attr()
  // or esc_url(), so a quote in a title or excerpt cannot break out of the
  // tag and inject markup into <head>.
  echo '<meta property="fb:admins" content="FB_ID_HERE"/>' . "\n";
  echo '<meta property="og:title" content="' . esc_attr(get_the_title()) . '"/>' . "\n";
  echo '<meta property="og:type" content="article"/>' . "\n";
  // Description comes from the post excerpt (auto-generated when none is set).
  echo '<meta property="og:description" content="' . esc_attr(wp_strip_all_tags(get_the_excerpt())) . '"/>' . "\n";
  echo '<meta property="og:url" content="' . esc_url(get_permalink()) . '"/>' . "\n";
  echo '<meta property="og:site_name" content="' . esc_attr(get_bloginfo('name')) . '"/>' . "\n";

  // Fall back to a site-wide default image when the post has no Featured Image.
  $image = 'http://yourdomain.com/DEFAULT_IMAGE.png';
  if (has_post_thumbnail($post->ID)) {
    $thumbnail_src = wp_get_attachment_image_src(get_post_thumbnail_id($post->ID), 'full');
    if ($thumbnail_src) $image = $thumbnail_src[0];   // false if the attachment was deleted
  }
  echo '<meta property="og:image" content="' . esc_url($image) . '"/>' . "\n";
}

Fairly straightforward code – but here are a few hints:

  1. Either set an admin Facebook ID in the fb:admins line or remove that line.
  2. Set a default share image.
  3. This snippet uses the Featured Image from WordPress. For sites that don’t use that feature, the code can easily be reworked to use an attached image instead.
  4. Notice that we are using the “full” size image. Facebook wants images at least 200×200 and generates its own thumbnail, so it is best to just give them the full image and let them deal with it. Giving them a thumb that turns out to be undersized will result in no image appearing.
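
The “two plugins both emitting OpenGraph tags” problem above is easy to spot from the command line once you have a saved copy of the rendered page (for example with curl -s URL > page.html). The following shell script is an added example, not code from the original post: it lists og:* properties that appear more than once and the required ones that are missing. It assumes double-quoted property="og:..." attributes (what WordPress and the snippet above emit) and GNU or BSD grep with -o; the function names are hypothetical helpers, not part of WordPress.

```shell
#!/bin/sh
# Added example (not from the original post): audit the OpenGraph tags in a
# saved copy of a rendered page and report duplicated or missing properties.
# Assumes property="og:..." attributes with double quotes.

# Print every og:* property name found in the file, one per line, sorted.
og_properties() {
  grep -o 'property="og:[^"]*"' "$1" | sed 's/^property="//; s/"$//' | sort
}

# Properties emitted more than once: the symptom of two plugins (or a plugin
# plus the theme) both adding OpenGraph tags.
og_duplicates() {
  og_properties "$1" | uniq -d
}

# Required properties that are absent. Facebook requires these four for a
# page to be shareable with a proper preview.
og_missing() {
  found=$(og_properties "$1" | uniq)
  for p in og:title og:type og:image og:url; do
    printf '%s\n' "$found" | grep -qx "$p" || echo "$p"
  done
}

# Exit 0 when the page has no duplicates and nothing missing, 1 otherwise,
# printing what was found so the output can be read or grepped in CI.
og_check() {
  d=$(og_duplicates "$1")
  m=$(og_missing "$1")
  [ -z "$d" ] && [ -z "$m" ] && return 0
  [ -n "$d" ] && printf 'duplicate: %s\n' $d
  [ -n "$m" ] && printf 'missing: %s\n' $m
  return 1
}

# Usage: sh og_check.sh page.html
if [ $# -gt 0 ]; then og_check "$1"; fi
```

Run it against the page as Facebook sees it (logged out, no cache plugin serving a stale copy); if og:title shows up as a duplicate, one of the two emitters has to go.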

WordPress 3.5 – Cannot Upload Media


Well, the first upgrade (for me) went fairly poorly. The site continued to work just fine but the authors could not post or upload new media. Clicking the media button on a post did nothing and the media manager “Add Media” option did not load the Media drag & drop area.

Diagnosis involved opening up the WordPress backend in Chrome, clicking Add Post and then using right click to “Inspect Element”. In the lower right, there was a JavaScript error indicator, so I clicked that and it was revealed that the following URL (of which names have been changed to protect the innocent) was giving a 404 instead of a set of scripts all concatenated together:

http://unknown-site.com/wp-admin/load-scripts.php?c=0&load[]=jquery,utils,plupload,plupload-html5,plupload-flash,plupload-silverlight,plupload-html4,plupload-handlers&ver=3.5

WordPress normally concatenates the admin scripts and serves them in a single request through load-scripts.php instead of delivering them one at a time; when that request returns a 404, none of the uploader’s JavaScript loads and the media buttons do nothing. I believe this is something that was available in an earlier version of WordPress but I’m not sure if this site was utilizing that feature prior to the upgrade (and in the midst of an outage where all the authors were sitting doing nothing and waiting for the site to start working again – there wasn’t really time to do that kind of analysis).

Bottom line is – either 3.5 turned this feature on and it is not compatible with this site’s configuration/plugins or this feature was in use before and the upgrade has now broken it. (More updates should give more insight.)

However, if you are having this issue there is an easy workaround: add this line to your wp-config.php to disable script concatenation, so each script is requested individually:

define( 'CONCATENATE_SCRIPTS', false );

Time to go start performing more updates to see if this is a real issue or simply an isolated perfect storm situation.

UPDATE: Thanks to Ralph’s comment below, I now know that there is an incompatibility with BPS (Bullet Proof Security) and WordPress 3.5. However, the plugin author has released a new version (.47.7) that corrects this issue. If you encounter this – try updating BPS and then force it to update the htaccess rules.

UPDATE 2: I’ve encountered this same issue on another site, but disabling all plugins did not resolve it. It appears to be caused by the theme. The fix described above does solve the issue and I have not had a chance to look at the theme. It is a commercial theme – so I fear this issue may be more widespread than originally thought.


WordPress 3.5 Released


The latest release of WordPress is now available and you can read the official announcement Here.

The biggest changes (and most significant improvements) concern uploading and managing media:

If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system.

I’ve always loved the jazz theme behind each release. Here is the intro video with a lovely background jam (I’m setting Spotify to ‘Elvin’):

This means today will be a busy day updating sites. If you are updating yourself – remember it is always a great idea to make a database backup before doing an update. It is even more important for a major point release like this one. If you need help with that or run into a snag while updating – I’m always available to assist.


Technology Reboot


I love post-apocalyptic fiction, and to a lesser degree movies/television shows in the same genre. What fascinates me most about these scenarios is that they all start with immediate survival, and then (sometimes) follow up with future plans – at least for those lucky or resourceful enough to make it past the initial collapse. The question that always sticks with me is “If we had to completely reboot technology, how long would it take to get things back to where we are now?”

My son (an Engineering student) and I have talked about these ideas at length and the discussion always seems to come back to the fact that we have this amazing foundation of technology that holds up our civilization. We have engineers who can construct microprocessors, but what value is that knowledge if we no longer have the ability to mine or refine silicon? Do computers do so much for us now that today’s skills would have no value if they were lost? Is there any type of infrastructure that we can put into place now that would facilitate a more efficient technology/civilization reboot?

Obviously, the catalyst for requiring such a reboot is a catastrophic event that removes a significant percentage of the populace and damages or destroys key infrastructure like the power and fuel generation, power distribution, water supplies, etc.



SASS for WordPress Revisited


Late last year, I released a simple plugin to add SASS/SCSS capabilities to WordPress. I was fairly disappointed with the result since the stylesheet compiler I was using (PHamlP) had some serious flaws and was abandoned in September 2010. However, thanks to a recent comment by zoombody, I became aware of a new stylesheet compiler which shows some real promise.

Thus, I have just released a new version of the plugin which employs phpsass. It also now automatically enqueues the compiled stylesheet. If you want to give SASS a try, try out this simple tutorial, install the plugin and see what you can create.


Nameserver Testing


If you ever wonder whether your nameserver is working properly, try this command from a machine other than the nameserver itself:

    host -a targetdomain.com dnsserver.com

The -a flag asks for every record type (it is shorthand for -v -t ANY). If the server is serving the zone, you get a nice list of the domain’s records. If you get REFUSED, the server is reachable but will not serve that zone to you: either it is not authoritative for the domain, or it has recursion disabled for your address, which is the correct setting for a public authoritative server. If you get no answer at all (a timeout), the server is down or port 53 is blocked by a firewall. Two caveats: a successful answer only proves that the server you named responded, not that the public NS delegation actually points at it, and many servers now answer ANY queries with a deliberately minimal response (RFC 8482), so query a specific type such as SOA when a bare host -a returns little.
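
A single host query against one server answers “is this box up?” but not “does every server the world is told to ask agree?”. The following shell script is an added example, not from the original post: it looks up the NS records delegated for a zone, asks each one directly for the SOA with recursion disabled, and reports whether the answer carried the authoritative (aa) flag and which serial it served, so a lagging secondary or a resolver answering from cache on a server’s behalf stands out. It assumes dig from dnsutils/bind-utils is installed; the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the original post): check every nameserver
# delegated for a zone, not just one, and distinguish an authoritative
# answer from a cached one. Requires `dig`.

# Classify raw dig output. "authoritative" needs both status NOERROR and the
# aa flag; a recursive resolver that has the zone cached answers NOERROR
# without aa, which a plain `host` query does not surface.
classify_answer() {
  case "$1" in
    *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
    *"status: REFUSED"*)  echo refused ;;
    *"status: SERVFAIL"*) echo servfail ;;
    *"status: NXDOMAIN"*) echo nxdomain ;;
    *"status: NOERROR"*)
      case "$1" in
        *"flags: qr aa"*) echo authoritative ;;
        *)                echo non-authoritative ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Pull the SOA serial (7th field of the SOA answer record) out of dig output,
# skipping the ';'-prefixed question section.
soa_serial() {
  printf '%s\n' "$1" | awk '$4 == "SOA" && $1 !~ /^;/ { print $7; exit }'
}

# Query each delegated NS directly, with recursion disabled so a resolver in
# front of the server cannot answer on its behalf. Output: ns, verdict, serial.
check_zone() {
  zone=$1
  for ns in $(dig +short NS "$zone"); do
    out=$(dig +norecurse +time=3 +tries=1 @"$ns" "$zone" SOA 2>&1) || true
    printf '%s\t%s\t%s\n' "$ns" "$(classify_answer "$out")" "$(soa_serial "$out")"
  done
}

# Usage: sh check_ns.sh targetdomain.com
if [ $# -gt 0 ]; then check_zone "$1"; fi
```

Every line should read authoritative with the same serial; a refused or timeout line is a server that the delegation points at but that cannot serve the zone, and a serial that differs is a secondary that has not picked up the latest transfer.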


Javascript var_dump() equivalent


In PHP, var_dump() provides an easy way to see exactly what an object is and what it contains.

JavaScript has no exact equivalent built in: JSON.stringify() comes close, but it drops functions and throws on objects that reference themselves, and console.dir() only helps when a console is open. But as with most programming languages, the missing feature is just a few lines of code away:

function ObjectDump(obj, name) {
  this.result = "[ " + name + " ]\n";
  this.indent = 0;
  // Objects on the current recursion path; used to stop infinite recursion
  // on cyclic structures (a DOM node's parentNode, for instance).
  this.seen = [];

  this.dumpLayer = function(obj) {
    this.indent += 2;
    this.seen.push(obj);

    for (var i in obj) {
      var pad = "              ".substring(0, this.indent);
      if (obj[i] !== null && typeof obj[i] == "object") {
        if (this.seen.indexOf(obj[i]) >= 0) {
          this.result += pad + i + ": [circular]\n";
          continue;
        }
        this.result += "\n" + pad + i + ":\n";
        this.dumpLayer(obj[i]);
      } else {
        this.result += pad + i + ": " + obj[i] + "\n";
      }
    }

    this.seen.pop();
    this.indent -= 2;
  }

  this.showResult = function() {
    var pre = document.createElement('pre');
    // textContent, not innerHTML: the dumped strings may contain markup or
    // script (from a form field, a JSON response, ...) that must be shown,
    // not rendered.
    pre.textContent = this.result;
    document.body.appendChild(pre);
  }

  this.dumpLayer(obj);
  this.showResult();
}

The best way to use it is to put the above in a separate script (say object_dump.js) and include it in your page. Then dumping any object is as easy as:

new ObjectDump(object, "description");

Call it with new: the function keeps its state on this, and without new that state lands on the global window object instead. The second parameter lets you label the dump in case you are dumping more than one object or using it in a loop. The output is appended to the bottom of the page, so it shouldn’t interfere with your real content.

I needed this to help identify an issue buried deep in a complex array. Hope you find it just as useful as I did!
