Windows Live Writer and WordPress 2.6 compatibility issues
If you recently installed WordPress 2.6 and are unable to use Windows Live Writer, don’t worry. The problem is that by default WordPress disables XML-RPC and the Atom API. Windows Live Writer requires XML-RPC to be turned on.
You can turn on XML-RPC from the WordPress dashboard under Settings -> Writing -> XML-RPC.
If you recently upgraded from 2.5.1, you may be wondering what the fuss is all about! Interestingly, the above two options are enabled by default when you upgrade from 2.5.1 to 2.6.
You may be wondering why XML-RPC is disabled by default. XML-RPC is used by a lot of hacking tools built around WordPress trying to exploit security vulnerabilities such as weak passwords. So by disabling XML-RPC, a lot of current hacking attempts can be prevented.
But for external tools such as Windows Live Writer, XML-RPC is a must. So in the end it becomes a trade-off between flexibility and security. But as long as you keep your WordPress installation updated and use strong passwords, the chances of getting hacked are minimal.
Another interesting thing I noticed while configuring Windows Live Writer for WordPress 2.6 is that WLW is unable to detect the WordPress 2.6 installation and RPC configuration. I had to manually select WordPress and the location of the RPC PHP file.

Disabling post revisions in WordPress 2.6 without using a plugin
Starting with WordPress 2.6 (code named Tyner), WordPress has a new feature called post revisions. This is a versioning system for WordPress posts that allows you to revert to an old version of a post if needed. You can also compare versions to see the difference.
This is a good feature if you are using WordPress UI for writing your posts. But if you are using an external tool, you might not need this feature.
One of the problems with post revisions is that if you do a lot of editing, a lot of different versions are generated and stored in the MySQL DB. Over a period of time your database becomes bloated and the performance of your blog can be affected. Unfortunately, there is no option on the WordPress dashboard to disable post revisions.
So it is no wonder that a couple of plugins have been released to add an option for disabling post revisions. But I am not a fan of plugins because many of them come with security holes and many of them affect the performance of the blog. So my mantra is to keep the number of plugins to a bare minimum.
Fortunately there is another way to disable post revisions in WordPress 2.6. You can edit wp-config.php and add the following line to it,
This command sets a flag which instructs WordPress to avoid creating versioned copies of a post. If you replace ‘false’ with a number, WordPress will ensure that the number of versions generated for a post is limited by that number.
Another feature recently added to WordPress is the auto save feature. This saves your post every 60 seconds automatically when you are using the WordPress editor. If you don’t want this feature or you want a different interval, you can add the following entry in wp-config.php,
The second parameter indicates the number of seconds after which the post is auto saved. You can set this to a large value to avoid frequent auto saves.
Where does WordPress store post revisions in DB?
You may be wondering where WordPress 2.6 stores post revisions in the DB. If you are looking for a new table, you are mistaken. All the post revisions are stored in the wp_posts table itself. For the old revisions the post_status is stored as ‘inherit’ and the post_type as ‘revision’. The post_parent in this case is set to the ID of the currently published post.
How do I delete old revisions of WordPress posts from MySQL DB?
You can use the following SQL script to delete all old revisions from MySQL DB. For large WordPress databases, this will improve performance of the blog.
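The revision layout and cleanup described above, as an added example that is not the author's script: it runs the DELETE against an in-memory SQLite stand-in for wp_posts (the same statement applies to MySQL). The sample rows are constructed, and the table is reduced to the columns named in the text. It also shows why the filter must be post_type rather than post_status, since attachments also carry the ‘inherit’ status.

```python
import sqlite3


def make_sample_db():
    """Build a constructed, cut-down wp_posts table (assumed default 'wp_' prefix)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_parent INTEGER,"
        " post_type TEXT, post_status TEXT, post_title TEXT)"
    )
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", [
        (1, 0, "post", "publish", "Hello"),
        (2, 1, "revision", "inherit", "Hello (edit 1)"),
        (3, 1, "revision", "inherit", "Hello (edit 2)"),
        (4, 0, "page", "publish", "About"),
        (5, 4, "revision", "inherit", "About (old)"),
        (6, 1, "attachment", "inherit", "photo.jpg"),  # not a revision
    ])
    return db


def revisions_per_post(db):
    """Map each published post ID to the number of stored revisions."""
    rows = db.execute(
        "SELECT post_parent, COUNT(*) FROM wp_posts"
        " WHERE post_type = 'revision' GROUP BY post_parent"
    )
    return dict(rows.fetchall())


def count_status_inherit(db):
    """Rows a post_status-only filter would hit (includes attachments)."""
    return db.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_status = 'inherit'"
    ).fetchone()[0]


def delete_revisions(db):
    """Delete every revision row and return how many were removed."""
    cur = db.execute("DELETE FROM wp_posts WHERE post_type = 'revision'")
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_sample_db()
    print("revisions per post:", revisions_per_post(db))
    print("rows with status 'inherit':", count_status_inherit(db))
    print("deleted:", delete_revisions(db))
```

Take a database backup before running the DELETE on a live blog.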
WordPress 2.5 upgrade issues with Windows live writer?
Normally I wait for some time before upgrading WordPress installations. But this time I jumped to WordPress 2.5 when I came across serious security issues in the 2.2.x series. Some of my blogs which ran under 2.2.x versions were badly hacked and I had to spend a lot of time recovering them! The hacker modified most of my posts and cleverly inserted hidden links. He also installed a backdoor PHP file in the current template folder! This ensured that even after an upgrade he could control my WordPress blog.
I detected the problem only when I realized that my blog is no longer in the Google search index!
WordPress hacking became so widespread that Technorati has a special process in place to quarantine infected/hacked WordPress blogs! There are reports of a WordPress 2.5 vulnerability, but it is better to upgrade to 2.5 than stick with 2.3.3. The important thing is to upgrade as soon as a release is out rather than cling to a version for which hacking scripts may be sold in warez forums! So I am keeping my thumb on the WordPress upgrade button waiting for 2.5.1.
After the upgrade I came across an interesting issue when I tried to post through Windows Live Writer. It responded with an error message - Invalid response document returned from XmlRpc server. I initially thought that it was a bug in Windows Live Writer and a compatibility issue with WordPress 2.5. Then I tried posting the same from the WordPress admin. When I tried to upload an image I got the following error,
- Fatal error: Call to undefined function wp_constrain_dimensions.
Then I realized there was some problem with the WordPress 2.5 upgrade. Here is how I resolved the problem. First I deleted all the PHP files in the WordPress root folder (except wp-config.php) and then deleted the wp-admin and wp-includes folders. After ensuring that all old files were deleted, I uploaded the WordPress 2.5 files again. That resolved the issue with Windows Live Writer!
Intel announces 50% cut in quad core processors!
In a move that could potentially push AMD out of business(!), Intel has announced a drastic price cut in its quad core range of processors. The popular Q6700 series processor will now cost $266, down from $530. Price cuts are also offered on other processors, but they are not as drastic as for the Q6700 range.
This surprise move by Intel is going to immediately push quad core adoption. Intel’s manufacturing process costs are lower than AMD’s and hence AMD might find it difficult to compete in this area. Also, AMD posted a net loss of $358 million for Q1 2008. So this Intel move could be a "terminator" move for AMD! Who knows, Intel might have plans to acquire AMD.
The power of multi core processors is yet to be completely utilized. We might see a sudden influx of game engines which make use of multi core architecture.
Here is a summary of the Quad core price cut,
The complete list of Intel price cut is available here (PDF).
Now blog without fear! - Piratebay starts uncensored blogging service
Many free blogging service providers and Web hosting companies will take down your blog if you link to copyrighted material. Some of these services will close your account even for posting something controversial!
Now Pirate Bay has started a new blogging service named Baywords which won’t take your site down for linking to copyrighted material or for writing on controversial subjects. So what is the catch?
First of all, you cannot post anything you wish! You can only post material which is legal under Swedish law. I think services such as these may force Sweden to change its laws sooner than we expect! Secondly, Baywords will push advertisements onto your blog. Not a pretty thing for many!
There is another problem. Baywords may see an influx of blogs which are illegal in the US or other countries. This may cause the entire domain to be banned in those countries. Hence hosting your personal blog on Baywords may not be a good idea if you are looking for traffic. The only people who will find this useful are those who are publishing daily links to warez or ebooks (copyrighted material).
Baywords is running on a multi user version of the WordPress software.
Critical Flash vulnerability detected - update your Flash installation now!
Mark Dowd has detected a serious security flaw in the Adobe Flash plugin which allows an attacker to take complete control of a computer. Adobe Flash Player 9.0.115.0 and earlier are affected by this critical issue. Flex 3.0 and AIR 1.0, which use Flash, are also affected. The Flash plugin is installed in various browsers (Firefox, Internet Explorer etc.) and is heavily used by Web 2.0 sites such as YouTube for video streaming. This exploit makes use of the NULL pointer attack to even modify the Flash executable! In the hands of a malicious programmer, this knowledge can quickly turn into a big disaster.
Vulnerabilities in online software are nothing new. For example, vulnerabilities are continuously found in WordPress and various WordPress plugins. But what makes a vulnerability in Flash so damaging is that Flash is installed on almost all browsers and it is independent of the operating system you are running! An attacker can run a torrent site or a game site and then embed a malicious Flash file in it. When you access the site, the Flash file gets executed and it will use the exploit to get hold of your system!
Mark Dowd is a researcher at IBM Internet Security Systems and wrote up the Flash exploit details in a document titled “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine”. This can be downloaded from here. According to the article, even Windows Vista is vulnerable to this exploit!
Vista’s ASLR features require that the binary is compiled with the /dynamicbase switch available on recent Microsoft compilers. Essentially, using this switch sets a flag in the PE header (0x40 in the DllCharacteristics member of the optional header) that will indicate that the binary should receive a random base address when loaded. Since flash does not use this switch, ASLR does not cause the Flash DLL to be moved in memory in Windows Vista, and hence can still be reliably exploited. Combining this with the previous point, it is possible to generate an SWF file that will reliably exploit both IE and Firefox on all recent versions of the Windows operating system, including Vista.
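The flag named in the passage above can be audited directly from a binary's headers. The following is an added example, not code from this post or from Dowd's paper: it reads the DllCharacteristics field of a PE file and tests bit 0x40. The helper build_sample_pe and its header-only images are constructed for the demonstration.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /DYNAMICBASE linker switch
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # DllCharacteristics offset in the optional header (PE32 and PE32+)


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # SizeOfOptionalHeader sits 16 bytes into the 20-byte COFF header.
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    opt = e_lfanew + 4 + 20
    if opt_size < DLLCHAR_OFFSET + 2 or opt + opt_size > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)[0]


def has_aslr_optin(image: bytes) -> bool:
    """True if the image asks the loader for a randomized base address."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_sample_pe(flags: int) -> bytes:
    """Constructed header-only PE32 image carrying the given DllCharacteristics."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. plugin DLLs to audit
        with open(path, "rb") as fh:
            head = fh.read(4096)
        try:
            print(path, "ASLR opt-in" if has_aslr_optin(head) else "no /DYNAMICBASE")
        except ValueError as exc:
            print(path, "skipped:", exc)
```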
For a detailed step-by-step look at Dowd’s Flash exploit, check out this article. It is long, but is a gold mine for future cyber criminals!
Adobe was quick to address this Flash security issue and released a patch for it on April 8, 2008. According to the patch summary,
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.
Due to the possibility that these security enhancements and changes may impact existing Flash content, content developers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition.
That means some of the Flash files out there may not work after the patch is installed.
Flash supports auto updates and hence the security patch should get installed automatically. But there is no guarantee. There will be thousands of browsers where auto update is disabled and which are therefore vulnerable to this attack. Even where auto update is enabled, many users will cancel it, not knowing how serious the issue is.
This incident raises another question. Is it safe to browse Web sites? The answer is - It is relatively safe if you avoid browsing suspicious Web sites. There could be other vulnerabilities that are found by cyber criminals and are being exploited through keygen/serial key sites or torrent sites.
References
1. IBM article on Flash player invalid pointer vulnerability
2. Mark Dowd’s research paper on ActionScript VM (PDF)
Changing default location of "my documents" folder in Windows Vista
In Windows Vista, the default location of “my documents” folder is “c:\users\username\documents”. In this path “username” stands for the Windows Vista user account on which you are logged on.
The “my documents” folder is the default directory where applications are supposed to store output files. For example, if you are using Visual Studio, the default location for new projects is under “<my documents folder>\visual studio 2008\projects”. This means that most of the user data that you want to back up will end up in the “my documents” folder.
It is possible to point “my documents” to an alternate folder. I normally point to a different drive and then backup the drive on a weekly basis. Changing “my documents” folder location is easy,
1. Right click on “c:\users\username\documents” folder.
2. Select properties and then from the properties window select the location tab.
3. Change the location to an alternate location. Click on apply. Windows will ask whether you want to move all the files to new folder. Select “Yes”.
Now your “my documents” folder is changed to the new location.
How to clear local DNS cache to reflect hosting server changes
When you transfer your domain from one host to another, you change your nameserver configuration. But the problem is that sometimes it takes a while for the nameserver change to propagate through the DNS server of your ISP. Sometimes the DNS configuration is cached on your computer or in your browser session. Here are some tips to clear the DNS cache and to see hosting server changes immediately.
Clearing DNS Cache on Microsoft Windows
From the command prompt (start=>run=>cmd) enter the command ipconfig /flushdns. This will purge the DNS resolver cache, removing the cached DNS entries from your machine.
But you will still have a problem if your ISP's DNS cache is holding the old DNS entry. There is a simple trick to bypass the DNS mechanism in Windows.
Search for the file named “hosts” inside the Windows folder. In my Windows Vista machine this is located inside c:\windows\system32\drivers. Add a new line like the one below (replace the domain with your domain and the IP address with the IP address of the Web host machine where your domain is relocated). The IP address comes first, followed by the host name.
74.53.227.162 www.dailytechnotes.com
Windows searches “hosts” first when resolving a domain to an IP address, effectively short-circuiting the ISP DNS.
Clearing DNS cache on Linux
On Linux you can use the command sudo /etc/init.d/nscd restart to clear the DNS cache. This assumes that nscd is already installed on your Linux box. On Ubuntu you can try restarting the networking service using the command sudo /etc/init.d/networking restart.
The Windows trick mentioned above can also be applied on Linux machines. On Linux you need to modify the /etc/hosts file and add the IP address of the server hosting your domain followed by your domain, as given below. You need to restart networking using sudo /etc/init.d/networking restart for this to work.
74.53.227.162 www.dailytechnotes.com
Clearing DNS cache on Mac
On Mac OS X you can clear the DNS cache by typing the command lookupd -flushcache.
Clearing DNS cache from browsers
DNS entries are also cached by browsers. Most of the time this cache is cleared when you close all the browser sessions. In Firefox this can be forced by clearing the private data from the Tools menu.
Rodent guillotine - The easy way to get rid of rats?
World Precision Instruments has a “cool gadget” for the humane research purpose. It is called Rodent guillotine and as the name says it is a guillotine to get rid of the rat you just experimented on! According to the product page,
The small animal guillotine has been completely redesigned for ease of use and extra added safety features. The blades are drawn together by magnetic force to ensure a clean and precise cut through very strong bones and skin.
There is a large base for stability, long handle for extra leverage, spring action so the blades can not fall down unexpectedly, hardened stainless blades for endurance, simplified construction for easy maintenance. The fluoropolymer coated surface on the base makes cleaning easy.
The guillotine is considered one of the most humane methods to dispense with a subject (emphasis mine).
To me the scariest part was the pricing. There are three guillotine sizes and the smallest one costs $600! The largest one costs $1240 and is intended for “large animals”.
How to recover lost wireless security key?
If you are using your own WiFi router and you forget the WEP or WPA key, the easiest option is to create a new key! After all, you have complete access to your router!
But what if you are connecting to an external WiFi router? The problem is that once you enter the key, Windows remembers the key for the network and won’t ask again. After a couple of days you have forgotten the key. You still have access to the wireless network, but you want to find the key Windows is using so that you can back it up! Another scenario is when you want to configure the same wireless network on a different machine.
Fortunately there is a freeware tool (WirelessKeyView) which can display the WEP/WPA wireless keys stored by Windows. You can download WirelessKeyView from here.

This utility can recover the network key only if it is stored by the ‘Wireless Zero Configuration’ service of Windows XP or by the ‘WLAN AutoConfig’ service of Windows Vista. Also note that you need to have administrator access to the machine for this to work!
Programs such as this work using Windows APIs which expose WEP/WPA keys!

