Popular WordPress plugin pulled after discovery of password-stealing backdoor

password_security_hole

The precise number of websites out there running on WordPress may not be known, but one thing is for sure — there are a lot of them. Two reasons for the popularity of WordPress are the ease of set up and the availability of a huge range of plugins. One popular plugin, Custom Content Type Manager (CCTM), has just been pulled from the WordPress Plugin Directory after a backdoor was discovered.

The plugin has been installed on thousands of websites, and a recent update — automatically installed for many users — included a worrying payload. In the hands of a new developer, Custom Content Type Manager made changes to core WordPress files, ultimately making it possible to steal admin passwords and transmit them in plaintext to a remote server.

Security site Sucuri was alerted to the problems by a user, and immediately launched an investigation. A new file, auto-update.php, was discovered. Analysis of the code revealed it to be a backdoor that could download files from the suspicious-sounding wordpresscore.com. Another file, CCTM_Communicator.php, includes code that intercepts usernames and URLs of sites that have the plugin installed.

Custom Content Type Manager had laid dormant for 10 months but new owner, wooranker, was making use of an established install-base. It’s not clear whether the change of ownership was legitimate or the result of an account hack. Towards the end of last month, wooranker started to use the backdoor to deliver additional files to users who started to notice that their sites were being hacked.

Custom Content Type Manager has now been pulled from the WordPress Plugin Directory, but if you still have it installed, you need to take action. Version 0.9.8.8 of the plugin is the updated version that includes compromised code, but the previous version — 0.9.8.7 — contains a separate security flaw. As such, the last version considered safe is 0.9.8.6. If you’re reliant on the plugin, the advice is to roll back to this version. Sucuri suggests the following steps:

  1. Deactivate the Custom Content Type Manager plugin.
  2. Check consistency of all core WordPress files. You can reinstall WordPress to achieve this. At least, make sure that the following three files are not modified (For WP 4.4.2 you can get the originals here):
    1. ./wp-login.php
    2. ./wp-admin/user-edit.php
    3. ./wp-admin/user-new.php
  3.  Now that you removed the credentials stealing code in the previous steps, change passwords of all WordPress users.
  4. Don’t forget to delete users that you don’t recognize. Especially the one with the support@wordpresscore .com email.
  5. Now remove wp-options.php in the root directory.
    1. Delete the Custom Content Type Manager plugin. If you really need it, get the last good version 0.9.8.6 here and disable automatic plugin updates until the malicious plugin versions are removed from the Plugin Directory. By the way, don’t install CCTM versions older than 0.9.8.6 either. They have a known security hole and we see hackers checking websites for this (along with many other vulnerabilities).
  6. You might also want to scan all other files and the database for “wordpresscore”. Just in case.

Photo credit: bannosuke / Shutterstock


Original URL: http://feeds.betanews.com/~r/bn/~3/0ijE5J_RGaU/

Original article

MDWriter: A markdown desktop editor with steroids powered by the web.

README.md

A markdown desktop editor with steroids powered by the web.

 

Features

  • Save to Markdown
  • Export to HTML and PDF
  • Syntax Highlighting
  • Editor and highlighting themes and font size changer
  • Outlook, Gmail and Yahoo support
  • Blogger support (experimental)
  • Word counter
  • Markdown syntax helper and shortcuts
  • And a nice UI 😀

Getting Started

Clone from source

$ git clone git@github.com:kurai021/MDWriter.git
$ cd MDWriter/

Install Dependencies

  1. Install npm dependencies
    $ npm install
    
  2. Install Bower dependencies
    $ bower install
    
  3. Build Highlight.js Bower package (/app/assets/components/highlight.js) as seen in the documentation
    node tools/build.js :common

Test

Testing in browser

  • For testing in browser you need to change {app: ‘firefox-aurora’} in gulpfile.js for your browser order.
  • run gulp browser in the terminal

Testing with NW

  • run gulp test in terminal

Build

  • Actually you can build this proyect for GNU/Linux, OSX and Windows only in x64, but if you want to make a build for x86, you can add this in gulpfile.js in this line
    platforms: ['linux64', 'osx64', 'win64'],

ToDo

  • Actually jsPDF is unstable, is necessary to find a module that does the same function or create a module from scratch for HTML5 to PDF.
  • Some bugs in the word counter must be solved.
  • In file name is necessary to clean the name -> /foo/bar.md to bar.
  • Change font size in live.
  • Support for Blogger, Tumblr and WordPress (maybe Ghost).
  • Print support?.
  • Optimize the code
  • Create a task for minification.
  • Delete all bower dependencies and use only node package?

How to Contribute?

If you want to contribute to this project, create a issue with “request to contribute” as a title and a brief description of what do you want to do, so I will add you as a colaborator.

License

Check LICENSE for information.

Donations

If this project was useful for you, you can donate some BTC -> 19bAJaFzHRTYPW5SrbzzfPbZ5jLAEotCVa


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/pF2F2_oNmN4/MDWriter

Original article

ActorDB – the ideal datastore for microservices

Good intentions…

Lets imagine you’re a developer at a company that sells widgets. There is lots of widgets of different types. You have suppliers, you have clients, you have a sales department, accounting, human resources, the works.

You use Oracle, SQL Server, or another enterprise DB vendor because that makes the most sense. You need transactions, stored procedures, you need a complete relational database to model your company on. You can’t afford any errors and you must use transactions to prevent them.

Of course you are now married to your database and your chosen DB vendor. But that is just how things are done.

But…

After this point you can try as hard as you can in your code. The natural tendency will always be towards a monolith. When your data model is a monolith, your code naturally follows the pattern.

It may start out working great, but after years of upgrades and changes, it inevitably starts collapsing under its own weight. Sometimes in particularly bad cases (i.e. government projects) the architecture implodes before it is even deployed. The problem is that you can only design for what you know. The system is built for what the situation is now and you have no idea what the future will be.

The company of course changed, hopefully it grew and started doing more things. It may have made some drastic changes to its core business.

A change in business structure must also require a change in how your software is supporting your business. If you want a nimble business you must also have nimble software that supports it. A monolith cannot be nimble.

An alternative path…

Problems with monoliths is what microservice architecture aims to solve. While many think microservices take things to the other extreme, it all depends on how you implement them. It is up to you to decide how micro you are willing to go. Splitting a large problem into small understandable chunks is how problems in computing are solved.

Microservice architecture data model is to logically have a database-per-service. Realistically this means you can still use a single actual database, but just have microservices work in separate schemas/tables. This is a compromise for medium/small teams so they don’t live in an operations nightmare.

Improve the alternative…

This brings us to why I think the ActorDB way of doing things is worth considering. ActorDB is a distributed database that gives you a choice how micro you are willing to get. It gives users the option to decentralise, keep using SQL, keep using schemas, use JSON fields if you want. But work in an environment that encourages splitting up the problem into smaller workable chunks. Instead of combining them into an ever increasing ever more complicated all encompassing solution.

A real life example how ActorDB encourages splitting the problem into smaller chunks:

We have created a highly secure communication app named Biocoded and ActorDB is a part of this solution. Users can be organized into circles. This means if users A and B are in circle X, they are in each other’s contact list.

Every user is an independent actor (i.e. SQLite database). Initially we had all contacts for a user in his contact table. The problem was what happens when a user leaves or enters a circle. It requires you to update every actor in the circle. This is way too ugly to consider.

The simple solution was to create a new actor type and put the list of users there and there only. The right solution was to split the problem into a smaller chunk.

But ok what about my widgets company…

Use ActorDB as a beneficial constraint. Writing queries to access all actors at the same time is not going to work well. It will force you into a design that may require more thought to implement initially, but it will force you into a design that is decoupled.

The various areas in your company are actor types. They all have their own schema and actors. Your products are actors. Divide your code into chunks that work on those individual actor types. They can be the same app, they can be entirely different apps. You can have transactions across actors. But it is something to be avoided not encouraged.

Your code follows your data model. A decoupled data model will lead to decoupled code.

http://www.actordb.com/

Written by Sergej Jurecko


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/lIWAbCD-E2s/actordb-the-ideal-datastore-for-microservices

Original article

WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. “This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user’s password is collected (in cleartext) and sent to his server. WordPress hasn’t moved in to ban the plugin just yet, despite user complaints.


Share on Google+

Read more of this story at Slashdot.


Original URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/csYwIrElkA4/wordpress-plugin-comes-with-a-backdoor-steals-admin-credentials-in-cleartext

Original article

The Plain Person’s Guide to Plain Text Social Science

Figure 1: A plain-text document toolchain.

Figure 1: A plain-text document toolchain.

As a beginning graduate student in the social sciences, what sort of software should you use to do your work? More importantly, what principles should guide your choices? These pages offer some answers. The short version is: you should use tools that give you more control over the process of data analysis and writing. I recommend you write prose and code using a good text editor; analyze quantitative data with R or Stata; minimize error by storing your work in a simple format (plain text is best), and make a habit of documenting what you’ve done. For data analysis, consider using a format like RMarkdown and tools like Knitr to make your work more easily reproducible for your future self. Use Pandoc to turn your plain-text documents into PDF, HTML, or Word files to share with others. Keep your projects in a version control system. Back everything up regularly. Make your computer work for you by automating as many of these steps as you can.

To help you get started, I provide a drop-in set of useful defaults to get started with Emacs (a powerful, free text-editor). I share some templates and style files that can get you quickly from plain text to various output formats. And I point to several alternatives, because no humane person should recommend Emacs without presenting some other options as well.

The rest of this page tries to provide some motivation for why you should care about having better control over your work materials. Rather than dive straight in to describing various tools or recapitulating their manuals, on this page and in the other parts of this guide I want to encourage you to begin thinking about this issue in a way that will lead you to some solution that works well for you—maybe the specific ones described here, but maybe not.

You can do productive, maintainable and reproducible work with all kinds of different software set-ups. This is the main reason I don’t go around encouraging everyone to convert to the applications I use. (My rule is that I don’t try to persuade anyone to switch if I can’t commit to offering them technical support during and after their move.) So this discussion is not geared toward convincing you there is One True Way to organize things. I do think, however, that if you’re in the early phase of your career as a graduate student in, say, Sociology, or Economics, or Political Science, you should give some thought to how you’re going to organize and manage your work. This is so for two reasons. First, the transition to graduate school is a good time to make changes. Early on, there’s less inertia and cost associated with switching things around than there will be later. Second, in the social sciences, text and data management skills are usually not taught to students explicitly. This means that you may end up adopting the practices of your advisor or mentor, continue to use what you are taught in your methods classes, or just copy whatever your peers are doing. Following these paths may lead you to an arrangement that you will be happy with. But maybe not. It’s worth looking at the options.

Two remarks at the outset. First, because this discussion is aimed at beginning students, some readers may find much with which they are already familiar. Second, although in what follows I advocate you take a look at several applications in particular, it’s not really about the gadgets or utilities. The Zen of Organization is not to be found in Fancy Software. Nor shall the true path of Getting Things Done be revealed to you through the purchase of a nice Moleskine Notebook. Instead, it lies within—unfortunately.

When talking to undergraduates or graduate students on this topic, and when teaching classes that use these tools, I increasingly run into the problem that it’s hard to get started without backing up a bit first in order to talk about how the computer they are using works. I think the reason for this is the rise of the flat-screen, touch-based model of computing, most obviously on phones and then very secondarily on things like Apple’s iPad or Microsoft’s Surface tablet. Now, most people who need to write long documents (like papers or dissertations) or work in an involved way with data do not use a tablet as their primary device. But it does seem clear that some kind of touch-screen interaction is the future of computing for most people. Indeed, once you consider phones properly you realize it’s the present of computing for most people.

While it is not strictly impossible, it remains very difficult to do your academic, social-science work on a device of this sort. This is likely to be the case for some time. The tools we have are not designed up for them. That’s not surprising. But I think there is an underappreciated tension here. Two ongoing computing revolutions are tending to pull in opposite directions. On one side, the mobile, cloud-centered, touch-screen, phone-or-tablet model has brought powerful computing to more people than ever before. This revolution is the one everyone is talking about, because it is happening on a huge scale and is where all the money is. In practice it puts single-purpose applications in the foreground and hides from the user both the workings of the operating system and (especially) the structure of the file system where items are stored and moved around.

On the other side, open-source tools for plain-text coding, data analysis, and writing are also better and more accessible than they have ever been. This has happened on a smaller scale than the first revolution, of course. But still, these tools really have revolutionized the availability and practice of data analysis and scientific computing generally. They continue to do so, too, as people work to make them better at everything from slurping up data on the web to presenting it there. These tools mostly work by gluing together separate, specialized widgets into a reproducible workflow. They are “bitty” or granular because the process of data analysis is that way as well. They do much less to hide the operating system layer—instead they often directly mesh with it—and they also presuppose a working knowledge of the file system underpinning the organization of the things the researcher is using or creating, from data files to code to figures and final papers.

The tension is that, increasingly, people—people like the target audience of this article—entering the world of social science wanting to work with data tend to have little or no prior experience with text-based, command-line, file-system-dependent tools. In many cases, they do not have much experience making effective use of a multi-tasking windowing environment, either, at least in the sense of making applications work together in the service of a single goal. To be clear, this is not something to blame users for. Neither is it some misguided nostalgia on my part for the command line. Rather, it is an aspect of how computer use is changing at a very large scale. The coding and data analysis tools we have are powerful and for the most part meant to allow research products to be opened up and inspected. But the way they work clearly runs against the current of everyday, end-use computing, which increasingly hides many implementation details and focuses on single-purpose tasks. Again, specialized tools are necessarily specialized. The net result for the social sciences in the short to medium term, I think, is that we will have a suite of powerful tools that enable an amazing variety of scientific activity, developed in the open and mostly available for free. But it will get harder to teach people how to use them, and perhaps even to convince people to try them.

The problem is that doing scholarly work is intrinsically a mess. There’s the annoying business of getting ideas and writing them down, of course, but also everything before, during, and around it: data analysis and all that comes with it, and the tedious but unavoidable machinery of scholarly papers—especially citations and references. There is a lot of keep track of, a lot to get right, and a lot to draw together at the time of writing. Academic papers are by no means the only form of writing subject to constraints of this sort. Consider this sensible discussion by Dr. Drang, a (pseudonymous) consulting engineer:

I don’t write fiction, but I can imagine that a lot of fiction writing can be done without any reference materials whatsoever. Similarly, a lot of editorials and opinion pieces are remarkably fact-free; these also can spring directly from the writer’s head. But the type of writing I typically do—mostly for work, but also here—is loaded with facts. I am constantly referring to photographs, drawings, experimental test results, calculations, reports written by others, textbooks, journal articles, and so on. These are not distractions; they are essential to the writing process.

And it’s not just reference material. Quite often I need to make my own graphs and drawings to include in a report. Because the text and the graphics are all part of a coherent whole, I need to go back and forth between the two; the words inform the pictures and the pictures inform the words. This is not the Platonic ideal of a clean writing environment—a cup of coffee on an empty desk in a white room—that you see in videos for distraction-free editors.

Some of the popularity of these editors is part of the backlash against multitasking, but people are confusing themselves with their computers. When I’m writing a report, that is my single task, and I bring to bear whatever tools are necessary to complete it. That my computer is multitasking by running many programs simultaneously isn’t a source of confusion or distraction, it’s the natural and efficient way for me to get my one task done.

A lot of academic writing is just like this. It can be tricky to manage. It’s even worse when you have collaborators and other contributors. So, what to do?

Let me make a crude distinction. There are “Office Type” solutions to this problem, and there are “Engineering Type” solutions. Don’t get hung up on the distinction or the labels. Office solutions tend towards a cluster of tools where something like Microsoft Word is at the center of your work. A Word file or set of files is the most “real” thing in your project. Changes to your work are tracked inside that file or files. Citation and reference managers plug into them. The outputs of data analyses—tables, figures—get dropped into them or kept alongside them. The master document may be passed around from person to person or edited and updated in turn. The final output is exported from it, perhaps to PDF or to HTML, but maybe most often the final output just is the .docx file, cleaned up and with the track changes feature turned off.

In the Engineering model, meanwhile, plain text files are at the center of your work. The most “real” thing in your project will either be those files or, more likely, the Git repository that controls the project. Changes are tracked outside the files. Data analysis is managed in code that produces outputs in (ideally) a known and reproducible manner. Citation and reference management will likely also be done in plain text, as with a BibTeX .bib file. Final outputs are assembled from the plain text and turned to .tex, .html, or .pdf using some kind of typesetting or conversion tool. Very often, because of some unavoidable facts about the world, the final output of this kind of solution is also a .docx file.

This distinction is meant to capture a tendency in organization, not a rigid divide—still less a sort of personality. Obviously it is possible organize things on the Office model. (Indeed, it’s the dominant way.) Applications like Scrivener, meanwhile, combine elements of the two approaches. Scrivener embraces the “bittyness” of large writing projects in an effective way, and can spit out clean copy in a variety of formats. Scrivener is built for people writing lengthy fiction (or qualitative non-fiction) rather than anything with quantitative data analysis, so I have never used it extensively. Microsoft Word, meanwhile, still rules large swathes of the Humanities and the Social Sciences, and the production process of many publishers. So even if you prefer plain text for other reasons—especially in connection with project management and data analysis—the routine need or obligation to provide a Word document to someone is one of the main reasons to want to be able to easily convert things. HTML is a great lingua franca.

This article is mostly about the Engineering model. But many people use the Office model, and you may end up working with (or for) some of them. In those cases, it is generally easier for you to use their software than vice versa, if only because you are likely have a copy of Word on your computer already. In these circumstances you might also collaborate using Google Docs or some other service that allows for simultaneously editing the master copy of a document. This may not be ideal, but it is better than not collaborating. There is little to be gained from plain-text dogmatism in a .docx world.

Next: Keep a Record of Your Work


Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/AZ2DxkR3Y0A/

Original article

Free Online Access to the Ohio Revised Code

      The full text of the Ohio Revised Code is available online for free at http://codes.ohio.gov/. This site is maintained by LAWriter LLC, an online legal research service company based in Cincinnati, Ohio. LAWriter provides an unannotated version of Ohio’s statutes. Updates to the Ohio Revised Code are typically published 24-48 hours after […]


Original URL: http://cmlawlibraryblog.classcaster.net/2016/03/03/free-online-access-to-the-ohio-revised-code/

Original article

SSD prices plummet again, close in on HDDs

The price computer makers paid for solid-state drives (SSDs) dropped by as much as 12% over the last quarter, and the most popular drives are now within striking distance of their hard disk drive (HDD) counterparts.

In the first quarter of this year, MLC-based and TLC-based SSDs respectively saw price declines of 10%-to-12% and 7%-to-12%, respectively, according to DRAMeXchange, a division of TrendForce.

A 128GB SSD now retails between $38 and about $49 (Amazon price). A 250GB SSD runs anywhere from $52 to $81 (Amazon price).

To read this article in full or to leave a comment, please click here


Original URL: http://www.computerworld.com/article/3040694/data-storage/ssd-prices-plummet-again-close-in-on-hdds.html#tk.rss_all

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: