Dec
Fix for WordPress “Could not remove the old plugin” error
Posted by jerry as Uncategorized
I had been seeing the error “Could not remove the old plugin” any time I tried to auto upgrade a plugin. A search of the wordpress forums revealed that this is apparently a common problem that does not appear to impact everyone, and there isn’t a known fix. The error looked like this:
Downloading update from http://downloads.wordpress.org/plugin/related-posts.zip
Unpacking the update
Deactivating the plugin
Removing the old version of the plugin
Could not remove the old plugin
Plugin upgrade Failed
So, I spent some time last night trying to find out what the problem was. As it turns out, some upgrade or plugin along the way created a bunch of nested wp-content directories. It looked like this:
/home/mydir/public_html/wp-content/wp-content/wp-content/wp-content/wp-content/wp-content/plugins
The filesystem driver code in WordPress doesn’t handle this very gracefully.
It turns out that the fix needed is to delete the extra wp-content directories.
rm -r /home/mydir/public_html/wp-content/wp-content
works quite nicely. After deleting this directory, rerun the auto upgrade and it should complete successfully.
NOTE: You should make a backup before you perform the above operation. Deleting the wrong directory will result in a dead site.
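A more cautious way to run the cleanup above, as an added example that is not part of the original post: it confirms the nested directory exists, lists the nested levels on a dry run, and archives the tree before deleting it. The function names, the --apply switch and the backup directory argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post). WP_ROOT is the directory that
# holds the real wp-content, e.g. /home/mydir/public_html.

# nested_wp_content WP_ROOT
# Prints the outermost nested copy (WP_ROOT/wp-content/wp-content) if present.
nested_wp_content() {
    if [ -d "$1/wp-content/wp-content" ]; then
        printf '%s\n' "$1/wp-content/wp-content"
    fi
}

# remove_nested_wp_content WP_ROOT BACKUP_DIR [--apply]
# Without --apply: lists every nested wp-content level and changes nothing.
# With --apply: archives the nested tree, removes it, prints the archive path.
remove_nested_wp_content() {
    root=$1; backup_dir=$2; mode=${3:-}
    nested=$(nested_wp_content "$root")
    if [ -z "$nested" ]; then
        echo "no nested wp-content under $root" >&2
        return 1
    fi
    # A symlink here may point at live content elsewhere; leave it for a human.
    if [ -L "$nested" ]; then
        echo "refusing: $nested is a symlink" >&2
        return 2
    fi
    if [ "$mode" != "--apply" ]; then
        find "$nested" -type d -name wp-content
        return 0
    fi
    archive="$backup_dir/nested-wp-content-$(date +%Y%m%d%H%M%S).tar.gz"
    # Back up first; if the archive cannot be written, nothing is deleted.
    tar -czf "$archive" -C "$root/wp-content" wp-content || return 3
    rm -r -- "$nested"
    printf '%s\n' "$archive"
}
```

Run it once without --apply and read the listing; the real plugins directory directly under the first wp-content is never touched.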
May
Some cool scripts I’ve found
Posted by jerry as Uncategorized
I have way too many domain names, and last weekend I decided to try to put some of them to productive use. I had the idea of pulling all of my RSS feeds from my various sites to one common site. Initially, I looked at LeafRSS, but it wasn’t quite what I was looking for. If you are aggregating a homogeneous set of RSS topics, then it makes sense – like Bip Bip for example. I looked around and found rnews. It was about as close to what I was looking for as I was going to find. So, I set up my domain www.invires.com with a rnews pulling from all of my sites (the ones that offer feeds, anyhow).
I was pretty pleased with the result. I had the idea to aggregate the various tropical fish forums out on the Internet into one site. So, I registered a new domain – www.tropicalfishnews.net to serve that purpose. I am hoping to have some time to tinker with rnews in the coming weeks. I would very much like to add an ajax type update mechanism, and some sort of scrolling ability. So, for each of the panes, the news would scroll down and a new entry would be added to the top, as the RSS feeds were updated.
Feb
Authentication in the real world
Posted by jerry as Uncategorized
There is an interesting prank being pulled on CEOs and CFOs of many large public companies that highlights the trouble of authentication in the real world. The Wall Street Journal has a report about a prankster who dials into a quarterly earnings call and gives a bogus name and company to the operator. A well known name and well known company. See, few people are allowed to ask questions on these calls to prevent just this sort of thing. But, there is no good way to validate the caller’s identity.
The story was well timed for me. I picked my son up from preschool last week with my wife – the first time I had done so. We waited in a line of cars and as we approached the building, my wife pulled out a paper plate that was clipped to a clothes hanger. She dutifully hung the plate from the rear view mirror. A worker called out plate numbers via radio to signal to bring him outside to wait to be picked up.
I was really struck by this authentication mechanism. I have to use several passwords to connect to near meaningless data at my office, but to pick up my kid, it only takes a paper plate and a magic marker.
Nov
Damn lightning…
Posted by jerry as Uncategorized
I was awoken this morning by a storm coming in. I really hate that sound in the middle of the night, because my kids are very afraid of storms. I was counting to myself how long it would take to hear the first set of footsteps.
The rain picked up and the thunder rumbled on. The kids did come down as I expected. I convinced them to play in the family room and let my wife and I sleep a bit more.
It seemed like I had just fallen asleep when I heard an explosion and felt a blinding light shine through my closed eyes. It was really close. Probably hit a tree in my back yard. Nothing seemed out of place, other than the ghost-white kids in my doorway. The aquarium in my room was still working, and the bedroom light my oldest son turned on was sure as hell working.
My wife got up shortly after, and I went back to sleep. (too many sleeping pills the night before – long story). When I did wake up, I pulled my laptop out from under the bed, and unfortunately no Internet connection.
After a long morning of moving furniture and testing network ports, I found that I had 2 network cards die on me. One in the new PC I had recently bought, and the other in the file server/firewall server in the basement. I’ve spent a lot of money on lightning and surge protection for all of my equipment, including the cable modem, but apparently the EMP from the lightning induced a charge great enough to fry the two NICs.
Fortunately, I had some NICs laying around and got things running again, but that’s pretty frustrating. I am glad that it was nothing more serious, though.
Nov
kindle hype
Posted by jerry as Uncategorized
I’ve been bombarded with kindle news everywhere I go today. “It’s going to revolutionize the e-reading market”. Really? How big is the e-reading market? Amazon seems to have really made the device as integrated and friendly as possible, but the reality is that you’re still stuck reading on a small screen. I don’t like reading emails on my blackberry. I hate web surfing on it, but I will in a pinch. I cannot see myself “curling up” with a PDA-sized device to read a book. It’s just not going to happen. This really goes back to the days of the palm pilot. I remember downloading ebooks to it, thinking to myself how cool it will be to have all these books with me wherever I go. But, I never read one of them. It was just not comfortable. I have a hard time reading a book on a 19″ LCD monitor.
The price is pretty steep as well. Buying the box for $399, then needing to spend $10 to $20 per book just doesn’t seem likely. I like gadgets as much as the next guy, but I do not see myself spending money on this. In fact, I’ve been in a mode of device contraction. I had a phone, a pocket PC, and an ipod. Now, I’m down to a blackberry and an ipod, and if I could get rid of the ipod, I would.
Having said all of that, the EVDO access to content is pretty slick.
Nov
Google to buy Sprint?
Posted by jerry as Uncategorized
Google’s open wireless phone initiative has been discussed frequently, but apparently now there is rumor of Google wanting to buy Sprint. Certainly it seems to make sense as a way to jumpstart things, but I see a couple of critical flaws that will almost certainly render this just a rumor:
- Sprint (S) has a market cap of about $46B USD. Google has about $18B USD of assets, and a market cap about over $200B USD. Sprint would cost more than Google can afford. Since Google is not in the business, there won’t be synergies similar to other telecom rollups.
- Financing of what would likely be a $50B deal will be very hard to come by in the post-apocalyptic credit market.
- Organizationally, Google and Sprint would tear each other apart, if combined. The old telecom culture of Sprint would likely be untenable in Google’s fast paced world.
- The bits that I’ve read about what Google wants to do with their phone service leave me wondering if owning Sprint really buys them anything. If all of the infrastructure needs to be replaced to support some fundamentally new technology that costs say $20B to implement, why would you first spend $50B on a phone company then immediately dump $20B more into gutting and replacing its infrastructure?
So, to me at least, this doesn’t add up. Given that the stock market is in the toilet, I suspect that if Google did announce such a deal, it would be a boost to the overall market, but I suspect that Google would suffer a beating on Wall Street if they did. In fact, I would expect rumors of the acquisition to have a negative impact too.
Bad deal. Buy a start up with the tech you want. Hire away the talent needed from ATT, Sprint, etc. Just don’t buy a dinosaur.
Nov
Web Site Security Guide
Posted by jerry as Security, Uncategorized
So, in the aftermath of my little incident, I decided to write an article for NetworkStrike on how to keep your website secure. I’ve included it below:
Background
The “cost of entry” to run a website is very low now, and we have seen an explosion of small sites on the Internet. Supporting this trend has been the availability of free and open source applications that allow site owners to do nearly anything they want, from blogs to wikis to forums.
Unfortunately, nearly all of the software has inherent bugs that can be exploited by bad people. The exploitation of such bugs has matured in a similar fashion to the applications themselves. Compromised web sites are a foundation to many threats currently on the Internet. Site owners are unknowingly supporting illegal activities such as:
- Hosting warez
- Hosting copyrighted files
- Hosting tools to compromise other sites
- Sending massive amounts of spam
- Hosting phishing sites to steal money
- Becoming part of command and control for botnets
Running a web site properly is truly becoming a social responsibility. If you are not part of the solution, you are likely part of the problem.
This guide outlines some general and basic security measures that you MUST take if you want to make sure your site is not defaced or otherwise compromised.
Key elements needed in a web hosting platform
Use a host that uses suphp
Try as you might, if another site on the server you share does not follow prudent security measures, then your site is still vulnerable. Suphp executes php scripts as the user-id and group-id of the account – not the user-id/group-id of the web server.
This will allow more restrictive permissions on your directories and will prevent an attacker from being able to read your php files.
Some hosts will not want to use suphp, as it can cause performance problems.
Build a relationship with provider on dealing with security issues
Firewall outbound connections
This is not always practical or possible, but firewalling traffic originating from the server – other than what is expected – can prevent backdoor tools from phoning home.
Run suhosin patch for php
Suhosin can stop the exploitation of many different types of coding weaknesses and some vulnerabilities in php itself.
Keeping up with the web software you use
- Subscribe to mailing list for any application software used as part of your site. Nearly all such applications have an “announcement” list that is low traffic.
- Attempt to participate regularly in the forums or discussion lists for the software you use. You will often get advanced warning of security issues and interim fixes. You will also know if the software is at risk of being abandoned and not updated.
- Upgrade after a security fix release within 3 days. Vulnerabilities are often exploited soon after they are discovered.
- If an application you use becomes abandoned, plan to migrate your site to a new tool as fast as possible.
- Try not to customize software. This will slow down your ability to patch or upgrade, because you’ll have to rewrite code, test, etc, and that can be difficult to do when it’s not on your timeline.
- Attempt to remove ‘powered by’ and version number references. Nearly all open source web applications proudly display them, but this has turned out to be an extraordinarily efficient way to systematically identify sites running vulnerable software.
- Create a file with a random name in your html directory. Do not reference the file in your site. Grep your web logs daily for the file being accessed. Any hits may indicate that your site has been compromised.
- Scan for file differences and notify of differences
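The last two items above (the unreferenced canary file and the file-difference scan), sketched as an added example that is not part of the original guide: the function names and the baseline file layout are assumptions, and GNU coreutils (sha256sum, comm) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original guide). All paths come from the caller.
export LC_ALL=C   # sort and comm must agree on collation

# make_canary DOCROOT
# Creates an empty, unlinked file with a random name and prints that name.
make_canary() {
    name="$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n').html"
    : > "$1/$name"
    printf '%s\n' "$name"
}

# canary_hits NAME LOGFILE...
# Prints access-log lines that request the canary. -F matches the name as a
# fixed string, so the dot in ".html" is not treated as a regex wildcard.
canary_hits() {
    name=$1; shift
    grep -hF -- "/$name" "$@" || true
}

# snapshot DOCROOT
# Prints "sha256  ./relative/path" for every file, sorted.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# changed_files BASELINE DOCROOT
# Prints each path that was added, removed or modified since BASELINE was
# written by snapshot. Keep BASELINE outside the document root, ideally on
# another machine, so an intruder cannot rewrite it.
changed_files() {
    snapshot "$2" > "$1.now"
    # comm -3 keeps lines unique to either snapshot; strip the hash column.
    comm -3 "$1" "$1.now" | sed 's/^[[:space:]]*[0-9a-f]*  //' | sort -u
    rm -f "$1.now"
}
```

Both checks can run daily from cron, mailing any output from canary_hits or changed_files to the site owner; an upgrade you performed yourself will also show up as changes, so refresh the baseline right after each one.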
Your responsibilities as a site owner
- Perform frequent off-site backups. Even if you have a local backup strategy, such as to another server, it is imperative to maintain an offsite backup. While it doesn’t happen often, datacenters are broken into and servers are physically stolen.
- Do not store sensitive data like credit card numbers. Just don’t do it.
- Change account passwords regularly
Oct
Site updates
Posted by jerry as Uncategorized
So, I’ve taken some time to do things I’ve been intending to for a while. I deep 6′d Pligg on the NetworkStrike.com site. Pligg is a very nice package for what it does, but it really doesn’t do what I needed. After some investigation, I settled on drupal. Drupal turned out to be even better than I expected. I was ready to write an RSS importer, but found that there were already some very mature importers available, and unlike a lot of tools like this, it actually worked out of the box. I’ll be slowly getting Networkstrike back to where it was previously. It was interesting to watch Pligg go unmanaged. Most of the story submissions were about alien abductions and other crazy things like that.
On syslog.org, I added a new section that specifically deals with syslog-ng. Having moderated the syslog forums for many years now, I’ve finally come to the realization that syslog-ng is a great tool, it’s just not well organized or supported on the Internet. How-to’s, docs and whatnot are spread far and wide. So I decided to try to fill the void. We’ll see how useful it is. As it’s a wiki, I’m hoping that people will opt to contribute their bit of knowledge as well.
On a related note, I added a link to syslog.org into a few entries in wikipedia. Wow, that site must get some serious visitors, because the number of referrals from wikipedia to my site is pretty impressive. An order of magnitude lower than google provides, but on par with what Yahoo does.
Aug
New Aquarium site
Posted by jerry as Uncategorized
So, a while back I had bought the domain aquariu.ms. I thought it was pretty clever anyway. For those that know me, I am a big freshwater aquarium nut, so I was looking for something that intersected my two loves – tech and aquariums. The main part of the site is a wiki, with a blog and a forum. I’ve been playing around with pmwiki a bunch, and I’ve figured out how to use the simplemachines forum user accounts to manage access to update the wiki pages.
My hope is that I can get it to be a consolidated and organized place for useful information on the aquarium hobby. I’ve found many many different resource sites out there, but they tend to be really badly organized and incomplete. For now, I’ll be contributing to the chaos, until it gets more meat on the bones.
The site is here: Aquariu.ms
Jul
Idea for new site
Posted by jerry as Uncategorized
A while ago I had an idea for a site that would track the stocks currently being spammed, the relative effort of the spam jobs, and the stock’s performance over the time of it being spammed.
I had this idea that there is probably a way to make some money off of the pump and dump stock scams. Certainly other people have thought about this before, so I do wonder if it’s a losing game, but it’s hard to tell until you are able to look at the trends and patterns of performance relative to the pump and dump scheme. I’m interested in ideas in what and how this should be tracked.