Extra Pepperoni

To content | To menu | To search

Tag - Windows

Entries feed - Comments feed

Sunday, December 28 2008

Interview Oddity

I have wondered if an interviewer would see this blog or my homepage, or my Twitter feed, and today it happened. Bobby Brill, at NYU, not only had a copy of my resume, but he also had a copy of my System Admin Interview Questions from Rockefeller. Goldman and a few other financial companies I interviewed with a year ago used a very different interview format, but they used the same format, which makes me think they all copy from each other.

I later met with a couple people who would be teammates at NYU (whom I knew socially already), and they mentioned my interview questions as well. Alas, I didn't get to sail through purely on knowing those answers, but I'm glad they're doing someone some good, at least for entertainment.

Note: I wrote this post in November, but didn't post it immediately -- I wanted to wait until the interview process was over.

Tuesday, November 18 2008


I decided to move off WordPress due to some security concerns and other issues.

  • Plain WordPress doesn't do multiple blogs (there are several hacks, but they are immature). I want to host at least 6 blogs, without having to keep each one upgraded separately -- each of our current 3 blogs used 11 plug-ins last time I counted. Also, it's insecure. It's sadly ironic that they claim "WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. -- but their XML export ("WRX") is invalid XML.
  • I looked at Expression Engine, but don't like the license.
  • I looked at Movable Type, but found it complicated and problematic, and they really only offer a few themes, with color/banner graphic variations (in 2 and 3 column variants, though!). Also, their support system is pretty broken; they offer corporate support, which requires payment, and they have 2 different fora, but only one of them appears to be available for unpaid users. Very confusing, and I found a bunch of bugs (in the site, not in MT); also, I like to do a lot of testing, and then migrate from test to live, and they lack good support for moving blogs around.
  • Textpattern looked good, but I quickly found significant breakage and incompleteness.
  • I looked at WordPress MU, thinking perhaps I'd live with the security risks -- after all, this content is public. Unfortunately, WordPress' built-in SSL support requires the HTTPS URLs to match the HTTP URLs (except the scheme), but I don't have 6 free IPs for blog management. No, I don't want to use funky ports to make the SSL vhosts work. The Admin-SSL plug-in can use a different SSL prefix ("Shared SSL") with regular WordPress, but not under WordPress MU. I reported this as a bug, but don't expect a fix soon.
  • Now I'm looking at Drupal, which is supposed to be very flexible (and complicated); I suspect it can handle my SSL requirements, but don't know how good its blogging features are. Goldman stalled my investigation, but now that my job hunt is winding down, I should have a bit more time to figure it out.
  • If Drupal cannot do it, I will look at EE & MT again. If I cannot (bring myself to?) get them working, I'll probably stick with a bunch of separate WordPress blogs for now.

Very frustrating!

Monday, November 10 2008

Apparently I'm Not Going to Use Textpattern

I've been looking at migrating from WordPress to Movable Type, but been stalled for a while. Recently, Kevin van Haaren mentioned Textpattern, and I was impressed by its simplicity. Unfortunately, it doesn't yet look sufficiently mature. Among other things, Textpattern cannot import from a WordPress WXR file. Movable Type can (with some massaging), even though WordPress generates invalid XML.

Textpattern can only import from a live WP database, and I don't want my test server to have access to the live server. I set it up for a test, and Textpattern threw several types of errors.

Additionally, I couldn't see Textpattern's default comment, even before importing. The import caused me to abort before I got to investigate this one, though.

So back to MT, which has annoying limitations around blog management, but no dealbreakers so far.

Wednesday, August 20 2008

MySQL Initial Setup Crib Sheet (RHEL5)

Update 2008/08/22: There's actually a simpler command to create the database, once MySQL is secured and the account exists:

mysqladmin create newdatabase -u existinguser -p.

To test Movable Type, I needed a new MySQL installation on a CentOS 5.2 (equivalent to Red Hat Enterprise Linux 5.2) system. Here's a crib sheet with the steps I took to set up a new MySQL installation.

Get and Start the Software

  • yum install perl-DBD-MySQL mysql-server # Install MySQL server and the DBD perl module that Movable Type needs to talk to it.
  • service mysqld start # Start mysqld (the MySQL 'daemon', or server).
  • chkconfig mysqld on # Set mysqld to run at boot in future.

Secure MySQL

MySQL uses internal accounts which are totally separate from UNIX accounts. My MySQL installation came with 3 distinct root accounts (without passwords); a RHEL4 system configured MySQL with a pair of anonymous accounts! The MySQL RPM suggests securing the default accounts with mysqladmin, but the website points out that mysqladmin doesn't get all the accounts. Fortunately MySQL offers instructions on how to secure the initial accounts manually.

mysql> select host, user from mysql.user;
| host           | user |
|      | root | 
| localhost      | root | 
| mmm.reppep.com | root | 
3 rows in set (0.00 sec)

In WordPress, each blog has its own account and database (that's how I configure them, anyway). In Movable Type, a single account & database will be used for my whole Movable Type installation, which makes administration simpler.

  • Secure both root accounts by setting strong passwords.
  • Delete both anonymous accounts.
  • Create a new account for the blog.

To make sure I really did configure a required password for root, I logged out of MySQL and then tried to login without a password (which is how got in initially). This failed, telling me I had successfully disabled passwordless root access. Then I logged in as root with a password, to continue setting up MySQL tables. Note that I never supply passwords on the command line, because that's insecure. Instead I supply the password when prompted by the mysql command, which keeps it out of command history and ps output.

  • mysql -u root # Log into MySQL, which doesn't yet have a root password.
  • Delete the non-localhost root account.
  • Set passwords for root@ & root@localhost.
  • Log out of mysql:
[root@mmm ~]# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> drop user 'root'@'mmm.reppep.com';
Query OK, 0 rows affected (0.00 sec)

mysql> set password for root@ = password('unencryptedpassword');
Query OK, 0 rows affected (0.00 sec)

mysql> set password for root@localhost = password('unencryptedpassword');
Query OK, 0 rows affected (0.00 sec)
mysql> exit;
[root@mmm ~]# mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@mmm ~]# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit;
[root@mmm ~]# 

Create a MySQL Database & Account for Movable Type

mysql> create database movabletype;
Query OK, 1 row affected (0.01 sec)

mysql> grant all on movabletype.* to movabletype@ identified by 'unencryptedpassword';
Query OK, 0 rows affected (0.00 sec)


I'm not covering MySQL backups here, but I use http://sourceforge.net/projects/automysqlbackup/.


  • use movabletype;
  • create user dotclear@localhost identified by '****';
  • grant all privileges on dotclear.* to dotclear@localhost;
  • show databases;

Monday, June 9 2008

This Must Be 2008 -- Blogs Are Everywhere!

When Amy mentioned to Joyce (of Scarce) that she now has a blog, Joyce was amazed and impressed at how cutting-edge Amy is. There's definitely a geographical factor here, because at my picnic earlier the same day, we figured out that of the 6 adults and Julia present (all Brooklynites), every single one of us has a blog.

Devjani's is firewalled. Julia's Journal runs on hand-crafted HTML rather than blogging software, but that's because it dates back to mid-2002; I will move it over at some point. Sharon has two. In addition to Extra Pep, I edit Securosis.

Friday, April 11 2008

WordPress upgraded

Half because WordPress really needs to stay upgraded, and half in hopes of fixing the Admin-SSL bug which was blocking posting, I upgraded to WordPress 2.5, a compatible beta of Admin-SSL (now under new management), and a few other plug-ins.

Not knowing how well the upgrade would go, I did the safe thing -- I installed WP 2.5 separately from the live Extra Pepperoni site, installed and configured all the plugins I use (with my personal patches), created a new MySQL database, and configured everything, including a couple test comments (not as myself). After I got it working, I brought down the old site, moved the new one in place, reconnected it to the old MySQL DB (with all posts and comments), clicked the button to upgrade, and we're up.

Unfortunately, there's still a problem with comments. When I log into a new account to comment, I get a link to https://secure.reppep.com/wp-admin/profile.php, which is bogus; it needs to be https://secure.reppep.com/ep/wp-admin/profile.php. If you have an existing account (Tony), you might be able to login through https://secure.reppep.com/ep/wp-admin/ and comment, but it seems that viewing an actual post (which must be non-SSL) still loses its association with the login session, so you can visit the HTTP site as an anonymous user, or use the HTTPS site as your registered user, but the plaintext side has no access to comment, and the encrypted side doesn't show the posts you would want to comment on. Hopefully BCG will be able to fix the problem in Admin-SSL. He's already fixed the Preview function.

Also freaky: When I log into EP as a brand-new user (to comment), I get the Dashboard, telling me I (the brand-new user) have 184 posts. I didn't think Subscriber users saw the Dashboard, but the post count is definitely bogus.

I did the initial installation as a Subversion checkout, which is very cool. Now, though, I have to create my own private WP hacks repos (easy), and figure out how to set up externals to pick up my additions.

A tip: Don't try to check out the WordPress source over AFP; the permissions weren't right, and the checkout couldn't complete; when I did it locally on the Linux server, there was no problem. I hadn't even noticed I was running "svn co" on the Mac instead of the server, but it was easy to fix once I noticed the cause.

Wednesday, March 12 2008

Extra Pepperoni Re-Hosted

After DreamHost's breach 8 months ago, I was aggravated at their poor handling of the situation, but willing to give them the benefit of the doubt, and still happy with their low prices and flexible services.

With the new bad news and worse confirmation (still with poor incident handling), though, it's time to get out of dodge.

I have moved Extra Pepperoni back onto my own hardware. I started blogging on Apple's Blojsom install, but gave up on Tiger Server for Blojsom (and Mailman) because the services kept silently shutting down, leaving me to notice they were disabled days or weeks later (no fault of Blojsom or Mailman -- Apple didn't do a good job porting SpamAssassin either). Bringing up a WordPress blog and mailing lists at DreamHost was easy and cheap, but that's no good if they are unsafe.

I'll look at moving a couple very light-duty Mailman lists off DH next, but the lists are so lightly used I'm not too concerned. There just isn't any confidential information on the mailing lists, aside from their tiny subscriber lists.

Ah, well. I now know much more about WordPress and MySQL than I cared too, but the setup wasn't too bad. I hadn't realized how many customizations and tweaks I made to WordPress until it came time to recreate them on my own system:

  1. Almost Spring theme (included by DreamHost); with minor hack
  2. PHP Markdown Extra; with minor hack
  3. MySQL admin UI
  4. WP-DB-Backup (DH included one, which I'm no longer using)
  5. mod_rewrite for permalinks
  6. Admin-SSL, with "Shared SSL" tweak, integrated into my existing SSL site (meaning EP is available through two different "sites", and I have to keep the Apache configurations reconciled)
  7. Twitter
  8. WP-Cache (DH standard)
  9. Akismet anti-spam registration
  10. Technorati pinger (came over automatically with the DB).
  11. Fix for widget.php to use legal JavaScript tag.

Friday, March 7 2008

I really was compromised

DreamHost wrote back, and the news isn't good. Someone sent them a list which is apparently circulating, of username/password pairs for "FTP" accounts; one was mine. I had hoped that if a password leaked it was my old password, which I replaced back in June (on my birthday) when DreamHost told me they got hacked. No joy, though -- the password they received was active on Extra Pepperoni (and chrispepper.com) until they sent me mail yesterday; I don't use it elsewhere and changed it last night, but that means someone had access to EP very recently. It looks like nobody ever used the account, but methinks it's time to install MySQL and WordPress on www.reppep.com, and probably Mailman too.

Crud on a cracker!


And I still have no idea how they got me.

Sunday, February 10 2008

Extra Pepperoni Is Now SSL Protected

I've been thinking about using SSL to protect logins to this blog for a while, but thought it would be too complicated. This weekend, I took the time, and thanks to Haris' Admin-SSL plug-in, it was very easy. First I used cert.command to create a certificate for www.extrapepperoni.com, then I configured my DreamHost account to provide SSL (https://secure.reppep.com/ep/) in addition to the existing http scheme; this took a while to go through. Then I installed Admin-SSL, and after a few loading errors, all authentication and authenticated access is now SSL only, while reading anonymously is non-SSL.

Note that I'm using a certificate signed by my private certificate authority, ca.reppep.com, so you'll get a warning from your browser that it's not trusted; this is normal. You can continue past the warning and get full 128-bit SSL encryption; you just don't have the assurance of a public CA that I am who I say I am.

Thanks to Rich & Sam for encouraging me to do this.