JavaScript injection infection, again

And today the blog had gotten infected again! The last time was a month ago, when a friend helped me discover that I had a problem.

Today, as soon as I opened it to write the post above, windows started popping up all over the place. Horror! Apparently whoever keeps infecting my blog had done his job again, and things had gotten out of control. I had to clean up again.

As always, I started with the Sucuri Blog Check system. Naturally, it showed where the malware payload was coming from. It looked like the same infection as before: calls to a script from con1.sometimesfree.biz_slash_c.js had been injected into the posts.

As ugly as it gets. On top of everything, it now also insists on automatically installing a Chrome extension. A complete nightmare. I don’t know when it appeared, but it required immediate action.

I applied the same tactic as before. I downloaded the contents of the wp_posts table and, with the help of Visual Studio Code, removed all script tags. Luckily it was easy; this time it didn’t even require a regular expressions search, because the infection was uniform.

Then I recreated wp_posts from the cleaned SQL and things were fixed. Or at least that’s what I thought, until I loaded the “cleaned” blog again in a fresh instance of Firefox (at least I have plenty of browsers, different ones for every taste). Despite the supposedly fixed blog, the windows and other wonders started popping up again; it was a real #feelLikeCrying situation.

I went through the blog’s source again (this time I knew which nasty domain to look for) and saw that one reference to the infection was left, in a custom sidebar widget on the blog. I cleaned that one up too.

A follow-up check with Sucuri confirmed that this malware is now gone.
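The cleanup described above missed one copy of the injected tag because only wp_posts was cleaned. The following is an added example, not code from the original post: it audits every content source for script tags loaded from hosts outside an allowlist, which goes beyond the single domain in the post. The host names, source names and sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src=...>...</script>, any case, any quoting.
# Inline scripts (no src attribute) are not matched here.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>.*?</script\s*>",
    re.IGNORECASE | re.DOTALL,
)

def _foreign(src, allowed_hosts):
    """True when src names a host that is not on the allowlist.
    Relative URLs carry no host and count as same-origin."""
    host = (urlparse(src).hostname or "").lower()
    return bool(host) and host not in allowed_hosts

def foreign_script_hosts(html, allowed_hosts):
    """Sorted list of non-allowlisted hosts that script tags load from."""
    return sorted({urlparse(m.group(1)).hostname.lower()
                   for m in SCRIPT_RE.finditer(html)
                   if _foreign(m.group(1), allowed_hosts)})

def strip_foreign_scripts(html, allowed_hosts):
    """Remove only the script tags that load from non-allowlisted hosts."""
    return SCRIPT_RE.sub(
        lambda m: "" if _foreign(m.group(1), allowed_hosts) else m.group(0),
        html)

def audit(sources, allowed_hosts):
    """Map each content source to the foreign script hosts found in it."""
    report = {}
    for name, html in sources.items():
        hosts = foreign_script_hosts(html, allowed_hosts)
        if hosts:
            report[name] = hosts
    return report

def clean(sources, prefix, allowed_hosts):
    """Clean only sources whose name starts with prefix (e.g. the posts)."""
    return {name: strip_foreign_scripts(html, allowed_hosts)
            if name.startswith(prefix) else html
            for name, html in sources.items()}

# Constructed sample data: two post bodies and one sidebar widget.
ALLOWED = {"blog.example", "stats.blog.example"}
SOURCES = {
    "wp_posts:101": '<p>Hello</p><script type="text/javascript" '
                    'src="http://cdn.injected.example/c.js"></script>',
    "wp_posts:102": '<p>Clean</p><script src="/wp-includes/js/embed.js"></script>',
    "sidebar_widget": "<div>Links</div>"
                      "<SCRIPT SRC='//cdn.injected.example/c.js'></SCRIPT>",
}

if __name__ == "__main__":
    print("before:", audit(SOURCES, ALLOWED))
    posts_cleaned = clean(SOURCES, "wp_posts:", ALLOWED)
    # The widget is still reported: cleaning the posts table was not enough.
    print("after cleaning posts only:", audit(posts_cleaned, ALLOWED))
```
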

As a next step, though, I went through and disabled all plugins except JetPack. I also had one “hard” installed plugin, directly in the wp_content directory. That plugin, supposedly safe, is gone too. Now I hope things will improve. Supposedly there are no modified files, but you never know.

If the infection shows up again, I’ll have to do one of these two things:

  1. A full reinstall of WordPress, importing only and solely the blog’s content, without any code. This hasn’t been done for at least five years, so it may well be time. I will certainly lose this or that, but I don’t think it will be an unacceptable loss.

  2. Archiving the blog and starting clean. I doubt I’ll get that far, because there are extremely useful things in it.

  3. Investigating whether “write protection” can be put on wp_posts and a few other tables, a write protection that gets removed only when I know that I am the one writing to them.

I still wonder what comes next. A very unpleasant situation, and a recurring one at that. If it’s not some compromised plugin, I don’t know what else to think!

Creating CSV file for automatic calendar events import in Outlook/Google Cal

Today I had to create a bunch of Outlook 2016 appointments in my calendar. I wanted to avoid as much as possible the manual, one-by-one creation of the items, so I decided to look around for a method which would allow me to do this work more easily.

A quick Google search led me initially to the article “Create Appointments Using Spreadsheet Data”, which showed how this can be done with VBA macros. Although this was a cool, programmatic way to accomplish the task, I was looking for the KISS principle method: just plain CSV import.

A bit more searching and I was all set. The article “How to import a Calendar from Excel to Outlook” described a quite straightforward process. However, I found a few discrepancies from what was described there, so I decided to sum up the differences I encountered, so the next time it’d be easier for me (and probably for my readers) to accomplish this task with Outlook 2016+.

The first difference was that there’s no XLS import in Outlook 2016. I had only CSV. This made it useless to define a namespace (as the article suggests), because CSV does not export that information.

The second problem, which was not outlined in the article, was which other fields I could use in order to have more complete data (I needed Category, All Day Event, etc.). The article “Importing stuff into your Outlook Calendar (or Tasks) from Excel” led me to a list of all common fields:

Subject, Start Date, Start Time, End Date, End Time, All day event, Reminder on/off, Reminder Date, Reminder Time, Meeting Organizer, Required Attendees, Optional Attendees, Meeting Resources, Billing Information, Categories, Description, Location, Mileage, Priority, Private, Sensitivity, Show time as.

The last issue I had was to find out how to set the Out of office status of the events. Each single event had to be marked as “Out of office”, so this information had to be present in the import file. This article informed me what the values of the “Show Time as” column had to be, in order for all this to work:

  • 1: Tentative
  • 2: Busy
  • 3: Free
  • 4: Out of Office

My final CSV looked like this (showing just the first row with column names, and the first data row):

Subject,Start Date,End Date,All day event,Categories,Private,Show Time as
This is All Day Event,1/15/2017,1/15/2017,1,MyCategory,1,4

If you save the above code fragment as CSV, the import in Outlook 2016 would be pretty straightforward. It’ll create an all day event with title “This is All Day Event”, marked as Out of Office, on Jan 15, 2017, with category name “MyCategory”.

The coolest thing was when I tried this CSV for Google Calendar too. It worked there like a charm, with the following exceptions:
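For more than a handful of events the file can be generated instead of typed. This is an added example, not part of the original post: it writes the same seven columns with Python's csv module, so subjects containing commas are quoted correctly. The function names are hypothetical, and the M/D/YYYY date format is an assumption taken from the sample row above.

```python
import csv
import io
from datetime import date

# "Show Time as" codes exactly as listed in the post.
SHOW_TIME_AS = {"Tentative": 1, "Busy": 2, "Free": 3, "Out of Office": 4}
COLUMNS = ["Subject", "Start Date", "End Date", "All day event",
           "Categories", "Private", "Show Time as"]

def us_date(d):
    """Format a date as M/D/YYYY without leading zeros (assumed format)."""
    return f"{d.month}/{d.day}/{d.year}"

def all_day_events_csv(events, category, show_as="Out of Office", private=True):
    """Build the import file for (subject, date) pairs as all-day events."""
    if show_as not in SHOW_TIME_AS:
        raise ValueError(f"unknown 'Show Time as' value: {show_as!r}")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for subject, day in events:
        writer.writerow([subject, us_date(day), us_date(day), 1,
                         category, int(private), SHOW_TIME_AS[show_as]])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample events; the first reproduces the row shown above.
    sample = [("This is All Day Event", date(2017, 1, 15)),
              ("Conference, day 2", date(2017, 2, 3))]
    print(all_day_events_csv(sample, "MyCategory"), end="")
```
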

  • It added two default reminders for each day (sick! Why, Google?)
  • It did not respect the Category name (I guess this is fair)
  • It did not respect the out of office status (well, Google just does not support that, right?)

Apart from this, the data was correctly imported there too.

Setting up Trust Gamepad GXT 39 to work with Elite:Dangerous

Trust GXT 39 Wireless Gamepad is a great gamepad, which is quite nice for playing Elite:Dangerous. I did not want to go for the ridiculously expensive (and large) joysticks, so I decided to try how it’ll work with a gamepad, which I can hold with my hands.

Overall: it’s great, but setting up Elite to work “my way” with it turned out to be a hassle.

Finally, after many attempts, this is my permanent (for now) setup, based on “Generic Joystick” setup from Elite. This post here is for my own future reference, but I thought someone could find it useful for his own needs, too!

To configure it, first of all, start/set “Generic Joystick” setup (warning: this will override your current setup, if it’s custom).

Now do the following customizations:

Setting the Pitch/Roll/Yaw/Vertical Thrust axes mapping to the left/right joysticks of the gamepad

  • Set “Yaw Axis” to [Joy-XAxis], no invert
  • Set “Roll Axis” to [Joy-ZAxis], no invert
  • Set “Pitch Axis” to [Joy-YAxis], no invert
  • Set “Vertical Thrust Axis” to [Joy-RZAxis], WITH invert


Setting additional Landing mode controls

For Landing mode, set Thrust Up/Down/Left/Right to JOY-POV1-UP etc., like on the picture below:

image

This will give you nice extra control, when your landing gear is deployed.

Gamepad Buttons Configuration

My gamepad buttons are configured according to the following table:

No   Action
1    Target Ahead
2    Thrust Up
3    Thrust Down
4    Engine Boost
5    <<FREE>> (Still looking for what to put there!)
6    Interface focus
7    Secondary Fire
8    Primary Fire
9    Enable FSD
10   Deploy / Retract Hardpoints
11   <So far, cannot find way to activate>?
12   <So far, cannot find way to activate>?

Here’s how the button mapping looks:

image

Pre-flight Checklist

For final verification, here’s also my pre-flight checklist:
image

Have fun! And if you found this useful, drop me a line here. Also, if you have suggestions, let me know 🙂.

You’ll find me in Elite:Dangerous as CMDR DonAngel.

HTTPS @ doncho.net

Let’s Encrypt failed me. At least it failed my expectations that I’ll be able to get and happily use an HTTPS certificate, which is free, reliable and usable in a shared hosting environment.

It seems the current phase of the project is not intended for users like me. It’s more oriented towards hosting companies and/or self-host server owners, who can do and handle all the scripting magic, which is needed in order to get HTTPS certificates installed and automatically maintained. The automatic tools still work only on Debian/Apache, so… I do not see a chance for me in near future.

Driven by all this, I asked my hosting company Superhosting.bg if they will start supporting Letsencrypt’s certificates anytime soon. Superhosting already supports quite a lot of options for people who want HTTPS, but it seems Letsencrypt is at too early a stage to get official support by the bigger hosting companies.

I’m very lucky to know both guys who created Superhosting. They’re both great guys, but that’s more or less a given, knowing they created such an excellent hosting provider service (in my opinion, best in class for Bulgaria, at least). Metodi advised me and helped me a lot to get convinced to try a paid HTTPS certificate instead. HTTPS is important for me, despite the fact that I’m just hosting a personal site. Having in mind all of the above, I decided to stop waiting for free services like Letsencrypt and to trust RapidSSL’s certificate at this stage. Hopefully, this will satisfy all my personal needs for the coming years (with Metodi’s kind help I got a 3-year certificate). Once this time passes, I’ll reevaluate the situation and will decide if I shall renew, or if I shall switch to something different.

Superhosting Support guys and girls assisted me greatly in migrating all blog’s contents from http://blog.doncho.net to https://doncho.net, where from now on all my content will keep living. The previous http://doncho.net contents were archived, but they were nothing but a start page, which was redirecting to my (very outdated) family picture gallery and my actual blog. The picture gallery will keep living where it is, as I have no nerve or intention moving it under (for example) https://doncho.net/pics. One day this gallery will be put to a deserved rest, but not before I find a better, easier way to migrate the Coppermine content under a better, more reliable gallery (which I still have not found).

So, feel free to update your links. Blog.Doncho.Net is still there, but it’s highly advisable, from now on, to access my content via https://doncho.net. 

Radio vacuum tubes

While rearranging some cupboards, my mother found a package of radio vacuum tubes, bought some time ago with the aim of extending the life of our former “Рубин 714” TV set as much as possible.

The TV is long gone, but the tubes are still here.

Since they are also general-purpose (for at least a few of them I’m sure they are not only for the TV), instead of throwing them away I’d rather put them up here, and probably on OLX too, so they can be sold and be of use to someone.

They have been stored in the box they were bought in, i.e. I have no reason to think that time has affected them all that much.

Here is the list of the tubes:

  1. 6П45С, 2 pcs.
  2. 6Ф1П, 3 pcs.
  3. 6Ж52П, 2 pcs.
  4. 6Ф12П, 2 pcs.
  5. 6П14П, 2 pcs.

I have no idea how much they are worth, nor whether they are by now truly useless junk to throw away. I hope that, if anyone knows, they will give me some advice.

Have you heard about Classeur.Io?

Classeur.IO is a cloud and Chrome[OS] based application, which allows you to easily write with Markdown, both local and cloud-based notes, and also post directly to your blog.

This is a test post, which I’m making with it. Let’s see how it’ll go.

I just installed it and I’d like to see if/how it will support the immediate blog post. So far I believe it’s all working OK, but let’s see…

Note: You can use Markdown to format your text.

My iClever Bluetooth Keyboard

A few weeks ago a very close and trusted friend of mine (thanks, Atanas 🙂 ) sent me a link to this excellent iClever Bluetooth travel keyboard. As I was already quite in need of a pocket travel keyboard, it took me only 5′ to review and purchase it from Amazon.co.uk.

I have owned the thing for a few weeks and every time I use it to do my typing (i.e., type on the tablet an e-mail, blog post or whatever longer), I’m quite delighted what a good solution this keyboard is to my typing needs.

The keyboard is small when folded up, but it’s large enough to allow hassle-free typing with both hands. It has very smart (and I hope strong enough to ensure a long life) folding mechanics, which allow transformation from its “working size” to “pocket size” in a second. It also has a pouch, which not only protects the keyboard while folded, but also protects the other items the keyboard is close to in the bag, as it has an aluminum body, which could otherwise scratch another sensitive item in your bag (i.e., your phone or tablet).

The keyboard also has four silicone tips, which make it almost stick to the surface while I’m typing. This is a feature, which I like a lot, because most of the pocket keyboards (or at least those I had my hands on) lack this and you need to always relocate the keyboard, which (naturally) moves as a result of your action on the keys. Thanks to these bands, the keyboard stays very solid on the surface you put it on.

I’m using the device with an Android tablet. However, the manufacturer claims that it should work with Windows and iOS too (it has Win key indeed), but I never tried that myself [yet].

Setup is pretty much out of the box: you turn it on (turns on by unfolding), long press the “Bluetooth link” button, pair and you’re good to go. My only trouble was with the fact that I’m a Bulgarian Phonetic user and the default Android hardware keyboard settings do not include this keyboard layout. However, FDroid and the Phonetic Layout for External Keyboards resolved this perfectly. Honestly, I’d be pretty screwed if this did not exist, so thanks guys (a modest donation is on its way!).

Below is the picture of the keyboard, which I made for my Amazon review. It stays next to Nexus 9 tablet, so you get the idea of the size when unfolded. The pouch is next to it, i.e. this is the size of the keyboard, when folded. The thickness of the folded keyboard is not more than 10-14 mm.

image

I highly recommend this thing to anyone who carries a tablet and has typing needs, which are best served with a keyboard.

This blog post was, of course, typed with this keyboard.

Restoration to the Rescue

A friend of mine came to me for help. She accidentally deleted all photos from her camera SD card. And she needed help to restore them.

This is a quite typical scenario. Clearly you cannot repair much, but there’re tools which can help you to restore as much as possible.

Restoration (Restoration @ Software Informer) is one of these tools. Unfortunately, the product seems a bit “abandoned” (last update was to make it compatible with Win2k 🙂 ), but it works on my Windows 8.1 Pro.

Restoration works quite well. It works on “full drive level”, i.e. it scans the whole drive for deleted files (you can set a filter), and then offers you to restore them by copying, i.e. to copy the (current) contents of the deleted file to another location, where you can review if the file has been restored OK.

In the “restore pictures from SD card” scenario, it worked quite well. It scanned the SD card, and I just asked it to copy all discovered files to my hard drive. Then I was able to clear the invalid JPG files and I delivered her the files, which were good.

Restoration is also delivered as a ZIP file, which you can run from any folder. It immediately went to my “Programs” folder, together with PortableApps, and as far as it works on the OS (Windows 10, we will see…), I’ll keep it handy!

Inline Comments!

Whoa! Inspired by Medium.Com, I decided to search, download and install Kevin Weber’s Inline Comments plugin (created by  to this blog too.

Inline Comments lets users add a comment with specific reference to any paragraph of the blog post, which is kind of cool, considering how hard it is to quote blog texts. Now you just get one cute ‘+’ sign close to the paragraph over which you’re hovering (no mobile support, sorry), and if you click on that, you can leave a comment instantly.

The same comment appears just like any other “legacy” comment below the post, but also with a handy “reference” link to the paragraph you commented on.

Together with Inline Comments, I decided also to install and run WP Ajaxify Comments, as these two complement each other in quite a nice way. As this is a serious change to the overall comments experience, I will watch closely how it goes. Don’t hesitate to drop me a word, if you see any problems whatsoever.

So far I’m loving it :). And I hope Inline Comments will stay for a while on this blog.

Official Crypto.SignText Add-on for Mozilla Firefox

Good stuff came from Mozilla developers this week! Stuff which may not have been needed, if they handled better their users’ needs during their release cycle initially :).

(Few) Months ago I was quite pissed, when in release 33.0 Firefox decided to remove at once their JS Crypto.SignText API. Maybe not a big deal for them, but a big deal for me and my use of:

  • e-banking
  • government digital ID
  • etc.

There was a huge buzz on the subject (Spain also jumped, seems their e-government solution is based on this “insecure API”). I also submitted very angry feedback, but alas: the only solution (and temporary too) was to revert to the current ESR release of Firefox, based on the previous version and still supporting Crypto.SignText.

So I ended up having three different Firefoxes on my machine: the developer version, the ESR version and the (latest) portable version, which I anyway always keep around. ESR was good for my signing needs, but I was wondering what’d happen when ESR moves up. Then I’d end up most probably with IE only, which is a serious productivity hit for my e-banking activities.

However, on Dec 16th I received an e-mail from a Firefox developer, who asked me to test a new extension, which restores Firefox functionality in that regard. Initially I was a bit suspicious, checked carefully the e-mail headers and route, and trusting both Google and what I saw in the headers I decided to try the extension (in a sandbox first, of course).

It turned out pretty nicely: all the missing Crypto.SignText appeared back and I was one very happy camper again. After cleaning up my ESR release, I decided to share my experience, because someone could probably need the same solution. On my question how stable this will be as a solution to the problem, the feedback from the developers was that this will be the officially supported way for adding back the Crypto.SignText JS API to Firefox.

The extension is signTextJS, it’s available here: https://addons.mozilla.org/en-US/firefox/addon/signtextjs. Use at your own risk and for your own pleasure or convenience. It worked for me, hopefully it’ll work for you too. Now it’s time to donate some funds to Mozilla, so they can keep delivering better web to everyone [although my primary browser is still Chrome] 🙂