Recently in General Category

Adobe Flash security hole

This is sort of scary.

For those not familiar with security terminology, this article states that websites which allow uploading of Flash files are vulnerable to a security hole that lets bad guys run code that has all the security accesses of the webserver combined with those of the unsuspecting person who runs that file.

For instance, an attacker could send a specially coded Flash attachment to their victim in a Gmail message. When the victim loads the attachment, it gets to do anything the Gmail server could do with the victim's account: reset the password, delete messages, send messages (spam!), etc.

The scariest part is that there's not really a fix without significantly changing the way Flash works behind the scenes. In the meantime, you should avoid Flash that isn't directly provided by the website you're going to. For instance, the Flash slideshow on the WOU homepage is OK because we wrote it, but if you go to somebody's personal website like "http://www.wou.edu/~joeblow" then you should be careful unless you personally know that Joe Blow isn't the kind of person to play nasty tricks.

Actually that's not really the best example, because even if Joe Blow has one of these malicious Flash files on his webspace on our server, it wouldn't profit him much because there's nothing much our webserver can do other than show you web pages. The WOUPortal and the Sun Java Email system are on separate servers, so they wouldn't be vulnerable to Joe Blow's attack. Of course, Joe Blow could send you a Flash attachment in an email, and if you open it in the Java email system, it could do nasty things to your email account.

This security hole isn't easy to exploit, but it is theoretically possible. I recommend limiting the Flash files you run on the Web; there are browser extensions to help you do that. If you use Firefox, an extension called NoScript can block Flash files (and malicious JavaScript code as well) on all sites except those you designate as safe. If you use Internet Explorer, you can install Toggle Flash, a toolbar button that lets you turn Flash off and on whenever you want. Instructions for both are available in (ironically enough) a Flash video on the page I linked at the top of this entry. Don't worry; Foreground Security is a reputable company, so the video is safe to watch.

More on the Mini

I mentioned that I didn't like the keyboard on my mini, and it turns out a lot of mini-9 owners share that feeling. I was looking around on the forums at mydellmini.com last night and found out about a different keyboard you can order from Dell for fifteen bucks. Apparently by shrinking the spacebar and backspace keys by a fair bit, and slightly narrowing the others, they've gotten a much more normal arrangement. I tried to order it, but apparently it's out of stock; they're going to email me when it gets back in.

I did find out about another deal, though; they were selling 2GB memory modules for thirty bucks. Oddly enough, had I ordered my mini originally with 2GB, it would have added $50 to the price, so I grabbed the chance. I want to run Windows XP in a virtual machine on the thing, and that takes a fair chunk of RAM.

Wait, you may say, aren't you running Windows already? Nope, though you can get the Dell Minis with Windows, it's more expensive that way. To get the best price you need to get them with Ubuntu Linux. In case you're not really up on the computer world, Linux is a free operating system (well, technically a group of free operating systems) very similar to Unix, which has been around since the 1970s and is still used on a lot of servers, including many here at WOU.

Linux has been around since the 1990s, but until fairly recently, you had to be a serious computer geek to get much use out of it. The Ubuntu project is one of several efforts to change that, and it's been very successful, combining the many open-source programs and systems to build a variant of Linux that's probably the easiest ever for non-geeks to get into.

It's so easy that when I decided I didn't like the somewhat idiot-proofed version of Ubuntu that came with my Mini, I was able to completely wipe and reinstall it with version 9.04, the latest and greatest, in just a couple of hours. I'm liking 9.04 (AKA "Jaunty Jackalope" in Ubuntu's naming scheme) a lot better than the version I started with, and I only had to fix one little problem for it to work perfectly on my Mini. There are a bunch of very useful instructions available at ubuntumini.com so I didn't have to spend hours hunting around for obscure snippets of information as I did when I tried installing other versions of Linux on other machines in the past.

Anyway, back to work. After a slow few months, I'm starting to feel like I'm getting some programming mojo back, and that feels pretty good. Hopefully things keep looking up, because I'm behind on some stuff that really needs to be finished soon.

Mini laptop

A couple weeks ago, Michael Ellis clued me in on a nice little deal from Dell; through their Faculty/Staff/Student purchase program, they have great prices on their mini laptops, also known as netbooks. (If that link doesn't work, go to www.dell.com/epp and choose Higher Education from the menu.)

Just for being part of WOU, you get a 7% discount at any time, though to take advantage of it you'll need to create a Dell login and give them your V-number to prove you're really associated with WOU. They also have $50-off deals that come and go on various systems from week to week; if you don't see the deal on the model you want, wait a few days and look again, and repeat until you do see it. Make sure you're logged in with your Dell account, or it might not show you the deals!

You can find their netbooks on this page. I got the Mini-9, and I'm happy with it except for the narrow keyboard which has several keys in odd places. The brand-new Mini-10v is almost the same price, but with a slightly wider screen and a more normal keyboard.

I'll probably be posting more about this thing as the days go by.

I hate scammers

Since the security certificate on our main webserver was set to expire soon, I've been getting these email messages at webmaster@wou.edu saying "Reminder - SSL Certificate for www.wou.edu expires in 5 Days", counting down every day until the expiry date. I didn't pay attention to them at first, because I already knew the cert was about to expire. Then after we renewed the cert (Thanks, Summer!) the messages still kept showing up.

I took a closer look and found out that the messages don't even come from Thawte, our usual certificate vendor, but from some place called "certstar.com". They pretended our expiring certificate came from them, though, and told us we should renew it by clicking the handy-dandy link they provided.

Well, I wasn't born yesterday, so I didn't touch the link, but I was curious enough to go to their main site. It looks reasonably professional, but they don't secure it with one of their own certificates; they got one from Comodo instead. That's a real red flag. For all I know, they just take the money and run. Even if they have legitimate certificates to sell, it's really slimy to send those deceptive emails to people.

I wonder how many people out there have gotten fooled?

Tap tap... is this thing on?

So, um, yeah, I haven't posted anything to my blog in way too long. Time to fix that.

Here's my current project list with a bit of explanation on each (I'll go into more detail on some of these later, because many of them won't make sense unless you're actually in UCS.)


  • User account renaming - Setting up a process to change people's usernames on request. Actually a lot harder than it sounds.

  • User account deletion - We need a process to delete user accounts when they are no longer needed. This will be run every year or so.

  • Blog server upgrade - The new version is ready for testing... check it out at http://www.wou.edu/blogadmintest.

  • Course catalog information on web - We're working on a way to more easily update and display stuff like course descriptions and degree program requirements on the Web.


Plus there's lots of little stuff; improving the efficiency of some of our processes, improving the programs we use to manage our user databases, looking for security holes and plugging them, and the usual ongoing tasks of website, blog server, and wiki server administration.

Future projects:


  • Rewrite Websmith - I want to redo Websmith in a different programming language (PHP instead of Perl) that will allow a lot tighter integration with the website, and creation of new features.

  • Automatic K: drive folders - We're planning a system (probably for next year) that will let faculty request folders on the K: drive for specific classes, and have them be automatically created. Right now we spend a lot of time doing this manually.

That's it for now. I'll go more in-depth on some of these later.

Oops...

Erm, yeah, I was going to start posting here more often, wasn't I? No excuses, really, just busy... but it only takes a couple of minutes to post something if I'm not perfectionistic about it. So let's see if I can keep up with this a bit better.

This isn't an official outlet for WOU or UCS news or policy or anything like that; I'll probably be talking about that stuff, but using my own voice and not worrying too hard about making it sound just right.

So anyway in the next while I'll be posting about the projects that have been keeping me busy recently. But I have to get back to one of them right now, so it may be a day or two...

Vacation

Oh, yeah, I forgot to mention I'm going to be on vacation next week; we're heading for the historic city of Deadwood, South Dakota, in the heart of the Black Hills. We've been looking forward to this for months!

I'll be back on September 5th. In the meantime, refer web conversion questions to Stewart Gilbert, and all other questions to the UCS Service Request Desk.
