OpenID For WordPress

Update: 12th October 2007 – this project is to be considered abandoned. Please see How To Set Up OpenID For WordPress Comments instead. Thanks for the support and for your interest in OpenID.

THIS IS ALL HORRIBLY OUT OF DATE. THE DOWNLOAD LINKS DON’T WORK, I KNOW. GET OVER IT. More seriously now, I am working on a new version of this that actually works as a WordPress 2.0.x plugin. It’s very nice, but it’s not finished. Watch this space. In the meantime, why not take a look at OpenID Comments For WordPress (which is based on my preliminary work, here). Thanks for all the attention, guys.

As promised, I’m releasing the first usable version (v0.4) of my WordPress OpenID plugin tool. It’s very, very messy and a little buggy. Plus, installing it requires that you hack a few PHP files… use at your own risk.

  1. You’ll need a WordPress v1.5 weblog.
  2. Download this package and decompress it to your WordPress directory. It will create an openid_icons directory, a file called openid.php (the main codebase), and a file called openidform.php (the form that appears on your blog).
  3. Edit openid.php and substitute your own weblog URL in at the appropriate places (near the top).
  4. Link in the login form wherever you like. I’ve done so in my theme’s “sidebar.php” file, with the following code:

         <?php include (TEMPLATEPATH . '/openidform.php'); ?>

  5. In your main index.php, add a line to include the openid.php file. This will allow logins and logouts to be processed. Something like this:

         <?php require_once('openid.php'); ?>

  6. In wp-comments-post.php (the comments processor), substitute the following code in under “// If the user is logged in”:

         // If the user is logged in
         get_currentuserinfo();
         if ( $user_ID ) {
             $comment_author = addslashes($user_identity);
             $comment_author_email = addslashes($user_email);
             $comment_author_url = addslashes($user_url);
         } elseif ($_SESSION['sess_openid_auth_code'] != "") {
             $comment_author = addslashes($_SESSION['sess_openid_auth_code']);
             $comment_author_email = "openid@example.com";
             $comment_author_url = addslashes($_SESSION['sess_openid_auth']);
         } else {
             if ( get_option('comment_registration') )
                 die( __('Sorry, you must be logged in to post a comment.') );
         }

Notice the extra section, relying upon $_SESSION['sess_openid_auth_code']. That’s the magic bit. And it should ‘just work’. Let me know if it doesn’t; I’ll be improving the codebase over the coming weeks and I’d like to include your suggestions. If you need any help setting it up, I can probably help with that too, or even with adapting the code to work with other applications (than WordPress).

Features so far:

  • Authenticate OpenID users
  • Easily authenticate OpenID users from particular servers, including members of LiveJournal, DeadJournal, and Level9
  • Authenticated OpenID users can post comments

Features to come:

  • Cookie-based “remember me”
  • Ability to authenticate WordPress users (e.g. the weblog owner) by an OpenID
  • “Friends Only” protected posts, which can only be read by certain authenticated users
  • AJAX-powered log-in (to save users from having their browsers redirected excessively, and because it can be made to look swish), where supported

If you want to help code, just drop me a message.

More Geeky Fun – Hack Security Cameras

This was one of my most-popular articles in 2005.

Here’s a giggle – somebody’s found a cleverly crafted Google search string that will reveal the (unprotected) web interfaces of a particular kind of Panasonic web-capable security camera. Just point a web browser at http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=inurl%3A%22ViewerFrame%3FMode%3D%22, then select one of the cameras (you might have to try a few before you get a working one). If you get a motorised one, you can even remotely control it! Here’s some I found earlier:

Update 17th August 2011: fixed broken link to Panasonic website!

Security Through Obscurity Reaches A New Low

PowerPizza! It’s a laptop bag that looks like a pizza box! No longer do you have to worry about your attractive laptop being an easy target for thieves – who’d want to steal a pizza box?

Fucking crazy. But I love it.

Internet Explorer Exploit Of The Day

There’s yet another killer Internet Explorer bug out there, which is manifesting itself in the form of a new trojan, Phel.A. This one only affects Windows PCs updated with SP2 (the supposedly ‘safe’ people) and works by confusing the ‘trusted’ and ‘untrusted’ zones.

I always find reports like this interesting, so I’ve written an exploit of my own. If you’re still using Microsoft Internet Explorer, and you’d like to see why you shouldn’t be:

  1. Click here to look at a web page I’ve set up [update: link long-dead]. It looks kinda boring, I know, but – if you’re using Internet Explorer, it will slyly put a tiny application in your Startup group.
  2. Next time you log into Windows, the tiny application will download and install a bigger application.
  3. Next time after this that you log into Windows, the bigger application will run, and tell you why you shouldn’t be using Internet Explorer.

The information on how to use this exploit is easily available on the web. Before long, we’ll be seeing another wave of web sites that can install software on any Internet Explorer user’s computer.

If you’re still using Internet Explorer, take a look at BrowseHappy.

A Selection Of News Items From Around The World

[this post has been partially damaged during a server failure on Sunday 11th July 2004, and it has been possible to recover only a part of it]

[more of this post was recovered on Friday 24 November 2017]

Here’s some stuff I found interesting this weekend:

Swedish health workers, in an effort to stem the growing cases of chlamydia among young people, have launched a ‘condom ambulance’ [BBC News]. If you find yourself ‘caught short’ in Sweden, just give them a bell and they’ll rush around to your house with a pack-of-three, for the equivalent cost of about £4.

Chinese researchers have used a carbon nanotube [Wikipedia] as a filament in a new, experimental light bulb [The Register]. This bulb emits more light and works at a lower threshold than tungsten at the same voltage, and was still functioning fine after being switched on and off 5000 times. The future of lighting?

And finally, researchers from Hebrew University in Israel may have found a solution to the problems associated with passwords. As it stands, ‘secure’ passwords are hard to remember, and often find themselves written down, whereas insecure ones can be cracked. Plus, for real security, passwords should be …

 

Reply #13106

This is a reply to a post published elsewhere. Its content might be duplicated as a traditional comment at the original source.

Sian wrote:

People are funny. I get to look at the accounts of people who have signed up for Children First newsletter updates, and their passwords make me laugh. The number of people whose password question is just their password is scary.
I also worry for the person who put their password question as ‘opposite of goodbye’.
Guess the password guys! Yes, it’s Hello!
Password Question: Mums Name. Password: Councillor (What?? The cruelty!)
Password Question: favourite game. Password: Boggle (yay!)
Password Question: Fish. Password: Dolphin (…?)

Most popular theme is pet’s name, so I’m glad pets have a purpose in this day and age. Another popular theme is the Magic Roundabout which worries me somewhat.

Anyways, I’m sure this is against some sort of rule but I found it funny.

The passwords should be one-way encrypted. Your system is insecure. This is evident by the fact that you can read everybody’s passwords. =o)
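
What “one-way encrypted” storage looks like in practice, as an added example that is not part of the original reply or of the system being discussed: the sign-up handler keeps only a salted hash, and refuses a password question that contains the password itself. The function names, the choice of PBKDF2-HMAC-SHA256 as the one-way function and the sample values used with it are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; a value chosen for this example


def hash_password(password: str) -> str:
    """Return a salted one-way verifier; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: wrong field count, bad hex or bad iteration count.
        return False


def hint_leaks_password(password: str, hint: str) -> bool:
    """True when the password question contains the password (case-insensitive)."""
    needle = password.casefold().strip()
    return bool(needle) and needle in hint.casefold()


def register(store: dict, user: str, password: str, hint: str) -> None:
    """Hypothetical sign-up handler: reject leaking hints, keep only the verifier."""
    if hint_leaks_password(password, hint):
        raise ValueError("password question must not contain the password")
    store[user] = {"verifier": hash_password(password), "hint": hint}
```

A question such as ‘opposite of goodbye’ still passes this check, so the hint remains a weak point even when the password is hashed; an administrator reading the stored record sees the hint and the verifier, never the password.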

 

Smart Alex

Alex, my incompetent co-worker, came up with the following gem in today’s meeting when talking about a product that would aid employers in securely tracking how long their employees actually spend working:

“It’s not going to have any of that… security… nonsense.”

I shall have to beat him to death later.

P.S. told you that this thing was going to get big, quick. The Register reports “All your Web typos are belong to us”, and I quote: “Already a backlash is building, with Net admins being urged to block Verisign’s catch-all domain. This could get very messy.”

Cool Thing Of The Day

Cool And Interesting Thing Of The Day To Do At The University Of Wales, Aberystwyth, #41:

Discover a major security flaw in the university network, that provides any user with half a brain, a computer in their room, some practice, and a lot of patience, the means to get the password of anybody else on your local workgroup, leaving them exposed to malicious attacks, e-mail theft, use of their print quota, and all kinds of other problems. It’s such a serious problem that I’m not going to go into further detail here, in case this e-mail gets into the hands of somebody on the network. Later, discover that this loophole has already been discovered and is abused by at least one third year student. I’ve arranged for John (who aided me in discovering the problem) and me to meet with network services management to inform them of the problem – simply because we feel threatened by it.

The ‘cool and interesting things’ were originally published to a location at which my “friends back home” could read them, during the first few months of my time at the University of Wales, Aberystwyth, which I started in September 1999. It proved to be particularly popular, and so now it is immortalised through the medium of my weblog.