WordPress Spreadsheet 0.62 is a security patch release that fixes several SQL-injection holes. All users are strongly advised to update their plugin. As usual, you can download a zip file containing wpSS v0.62 from the WordPress SpreadSheet website.
Changes in this release:
- Security patch. Fixed several SQL-injection vulnerabilities.
April 24th, 2008
Posted by Tim | Hacking | no comments
I finally got around to switching my calendar from Yahoo to Google this weekend. It was, to say the least, an arduous process, and so I’ve written up some tips on syncing a Yahoo calendar with a Google calendar and the rest of the world’s iCalendar standard. Officially, Yahoo claims it will eventually provide its calendars in iCalendar format, someday… so I just hacked it, today.
I’ve been disappointed in the glacial pace of Yahoo’s web tools development for some time now, but I have been using Yahoo calendar for several years and I didn’t want to lose my appointment history, with the random phone numbers, emails, etc. recorded in the entries. But since I abandoned Microsoft Outlook for Thunderbird mail a couple of years ago, I’ve been unable to sync my desktop calendar with my online calendar. In fact, I had pretty much given up bothering to keep a desktop calendar, although I had played with Mozilla’s Sunbird and felt it had promise. Now that the Lightning calendar extension for Thunderbird has finally become relatively mature (0.8 is due out shortly), I decided it was time to keep a synchronized desktop calendar again.
The process was not without pitfalls, however, especially since Yahoo calendar does not export standard iCalendar files. It exports in a marginally useful CSV format that broke both the auto-import function in Google calendar and the automated Yahoo CSV to iCalendar converter I link to in the resources section below. While in Google Calendar I just had to delete the erroneous calendar, Lightning hung so badly when importing the converted iCalendar file that I had to kill the process manually and then go into my Thunderbird profile directory and rename the (SQLite) SDB file that Lightning uses to store calendar entries, losing the (mercifully few) entries I had put in by hand. I’m still not sure whether the failures were due to the sheer quantity of entries (since the CSV file represents repeating events as single events, there are many more entries than in iCalendar format), to the failure of the Yahoo CSV exporter to put a valid timestamp in certain fields (again, apparently for repeating events), or to something else, like problems with how Yahoo exported some long lists of tasks I had in the description field. In short, I had to edit the CSV file with OpenOffice before Google Calendar or Lightning would accept it for import.
But not all the difficulties are with Yahoo. There are also some quirks in how Google Provider imports and works with calendar files, particularly in that Google Provider doesn’t cache the online calendar locally and hence won’t fetch your calendar if you aren’t online (e.g., on an airplane). A more robust solution is to use the Java-based GCAL daemon to cache the calendar locally, and then just point Lightning to the synchronized ics (iCalendar) file.
While some useful links to my internet research follow later in the Resources section, first I’ll give a step-by-step synopsis of what actually worked.
Instructions:
- First I downloaded and installed the Thunderbird add-on extensions Lightning and Google Provider, then restarted Thunderbird. [As an alternative to using Google Provider (which requires you to be online to see your calendar), you may prefer to run the GCAL daemon to sync a local copy of the iCalendar file with Google (note: it’s a Java app). GCAL can also sync with other calendar programs like Apple’s iCal. If all you are looking to do is convert your Yahoo calendar to iCalendar format or into Google Calendar, you obviously won’t need this step.]
- Next I went to my Yahoo pages and exported my Yahoo calendar as a CSV file. Specifically I chose Yahoo Calendar–> Options–> Import/Export–> Export to Outlook as a CSV file.
- I’ll save you the trial and error that happened next by suggesting that you now open up the CSV file in OpenOffice Calc or Excel. The first thing I did was condense the file by deleting the 25 years or so of future repeating events at the bottom of the CSV file. After browsing through the bottom, I discovered my important future events ended with a conference I have scheduled in late 2009, and I just went through and edited out extraneous repeating events between today (March 2008) and the last important event I had actually scheduled. However, I made sure to leave one copy of each repeating event I wanted to keep so that I could set up the repeating properly in Google once I completed the transfer (see the last step).
- Next, I turned on the Data-> AutoFilter functionality of the spreadsheet program and used the filters to inspect the remaining data. By setting the filters appropriately, I was able to delete some of the other potentially troublesome fields (e.g. lengthy task lists in the description field) or copiously repeating entries for past activities. Alternately you could do this by writing a quick “delete row if cell value equals this value” macro; that was much quicker for deleting really numerous entries.
- After saving the CSV file, I imported it using the Google calendar CSV import feature. To do that, I first created a new Google calendar named “Old Yahoo Calendar” (from experience, I can tell you it is wise not to risk corrupting an existing calendar). Then choose the little drop-down arrow to the right of the word “Add” in the My Calendars sidebar, and import the edited CSV file, making sure to direct it into the new empty calendar.
- Inspect the calendar and see if the calendar import has worked appropriately. You may still need to do more data massaging of the CSV file…I did.
- Next, Thunderbird must be set up to show your Google calendars. To use Google Provider (simpler), just choose File–> Create–> Calendar–> On the Network –> Google Calendar. The location field should be the XML address of your Google calendar. You can find that by clicking on the little down arrow by the name of your calendar (e.g. “Old Yahoo Calendar”) in the My Calendars sidebar of the Google interface, and then clicking on Calendar Settings in the popup menu. Right-click on the XML icon next to the private address and choose Copy Link. Paste that link into the location field on the Thunderbird/Lightning setup page and you are good to go. [Alternately, if you are using the GCAL daemon, you’ll need to choose File–> Create–> Calendar–> On the Network –> iCalendar (ICS) and specify the location of the GCAL ics file.]
- Last, you will need to edit any repeating calendar entries to convert them from single events. To do this, I chose to copy the events out of my “Old Yahoo Calendar” and into my main Google calendar from within Google’s interface rather than from within Lightning’s, largely because Google’s copy event function seemed to pick up my default Google calendar preference to send me a reminder email one day in advance of a new event while Lightning didn’t. After I made sure each birthday, regular weekly or monthly meeting, future multi-day conference, upcoming trip out of town, etc., was set to repeat and notify me automatically, I deleted the future entries out of my old Yahoo calendar and was done. The past entries I simply kept in my old Yahoo calendar for reference.
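The spreadsheet clean-up in the CSV steps above (trimming everything after the last real appointment, keeping a single copy of each repeating event, dropping rows by subject, and setting aside rows with no valid timestamp) as an added Python script. This is example code, not part of the original post; the Outlook-style column names and the sample rows are constructed and are an assumption about the export layout, not Yahoo's exact format.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an Outlook-style CSV export. The column
# names are an assumption for this example, not Yahoo's real export header.
SAMPLE_CSV = """Subject,Start Date,Start Time,End Date,End Time,Description
Dentist,03/10/2008,09:00 AM,03/10/2008,10:00 AM,
Weekly staff meeting,03/11/2008,10:00 AM,03/11/2008,11:00 AM,
Weekly staff meeting,03/18/2008,10:00 AM,03/18/2008,11:00 AM,
Todo list,03/12/2008,,03/12/2008,,"buy milk, call bank, file taxes"
Broken entry,,,,,repeating event exported without a timestamp
Conference,11/03/2009,09:00 AM,11/05/2009,05:00 PM,
Weekly staff meeting,11/10/2009,10:00 AM,11/10/2009,11:00 AM,
Weekly staff meeting,11/17/2033,10:00 AM,11/17/2033,11:00 AM,
"""


def parse_date(text):
    """Parse a MM/DD/YYYY cell; return None for blank or malformed values."""
    try:
        return datetime.strptime(text.strip(), "%m/%d/%Y").date()
    except ValueError:
        return None


def clean_calendar(csv_text, today, last_event, drop_subjects=()):
    """Return (kept, rejected) lists of row dicts.

    kept:     past events untouched; future events up to last_event with only
              the first copy of each repeating subject; nothing after last_event.
    rejected: rows whose start date does not parse (the kind of row that broke
              the importers), kept separately so they can be inspected by hand.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    kept, rejected, seen_future = [], [], set()
    for row in reader:
        start = parse_date(row["Start Date"])
        if start is None:
            rejected.append(row)
            continue
        if row["Subject"] in drop_subjects or start > last_event:
            continue
        if start >= today:
            # Keep one copy of each future repeating event; the repeat rule is
            # recreated by hand in Google afterwards (last step of the post).
            if row["Subject"] in seen_future:
                continue
            seen_future.add(row["Subject"])
        kept.append(row)
    return kept, rejected


def write_csv(rows, fieldnames):
    """Serialise cleaned rows back to CSV text ready for import."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    kept, rejected = clean_calendar(
        SAMPLE_CSV, parse_date("03/09/2008"), parse_date("11/05/2009"),
        drop_subjects=("Todo list",),
    )
    print(write_csv(kept, list(kept[0].keys())))
    print("rejected rows:", [r["Subject"] for r in rejected])
```

Run it against the real export by replacing SAMPLE_CSV with the file contents; the rejected list is the set of rows worth fixing or deleting in the spreadsheet before trying the Google or Lightning import again.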
Resources:
March 9th, 2008
Posted by Tim | Hacking, Every last post | one comment
How to apply div tags from within the WordPress RCE using the content filter in order to get a rounded corners, floated text box
The problems were:
- that I and my client wanted to float a rounded corners pullquote box inside a WordPress post
- but… the WordPress rich content editor TinyMCE strips out div tags and many other html tags, even when entered in the “code” view window
- moreover… my client doesn’t want to type code and I would like the client to be able to write the post entirely by themselves
The solution for the client was to…
October 7th, 2007
Posted by Tim | Hacking, Every last post | one comment

A place that was once loved to death, Lake Isabelle looks well on the way to recovery. There are still too many hikers here, but most stop at lake and do not continue to the Glacier. Fools.
This is a photoessay: All photos should appear in higher resolution when clicked.
August 5th, 2007
Posted by Tim | 1000 miles, Every last post | 2 comments
WordPress Spreadsheet 0.61 is a maintenance release that fixes a bug when the plugin was run on WordPress installations that used custom permalinks. As usual, you can download a zip file containing wpSS v0.61 from the WordPress SpreadSheet website.
Changes in this release:
- Bug fixes. Fixed bug caused by relative path addressing when used with WordPress permalinks.
August 4th, 2007
Posted by Tim | Hacking, Every last post | no comments

The gang and I went backpacking up to Crater Lake from the west side of the Indian Peaks. This is a photoessay: All photos should appear in higher resolution when clicked.
July 29th, 2007
Posted by Tim | 1000 miles, Every last post | no comments
WordPress Spreadsheet 0.6 is a new development release that offers numerous new features and bug fixes over the previous major version. As usual, you can download a zip file containing wpSS v0.6 from the WordPress SpreadSheet website.
Changes in this release:
- Ranges. It is now possible to use the mouse to select a range of cells and perform most operations on cell ranges.
- Cut, Copy and Paste. Ranges may be copied and pasted using the standard keys (ctrl-x, ctrl-c, and ctrl-v). Formulas in the ranges should automatically adjust.
- Data Interchangeability. A range of cells may be copied to the clipboard and pasted into other spreadsheet programs, or the contents of the clipboard may be pasted into a cell and if it is a range of tab separated values it will paste the entire range into wpSS.
- Increased AJAX Functionality. wpSS now accepts a wider variety of keyboard input, including pgUp, pgDown, ctrl-Home and ctrl-End for navigation within the spreadsheet. Ctrl-s saves the spreadsheet (when so permitted by the WordPress administrator).
- Bug fixes. Several minor display bugs were fixed to standardize the height of the spreadsheet within a WordPress blog entry.
Please read the release notes for greater detail.
July 23rd, 2007
Posted by Tim | Hacking, Every last post | one comment

Because of the heat lately, Francoise and I headed out on a 6 am hike this morning. Just our luck—we get up early but have cloud cover and cooler weather, but we still appreciated the early morning start. And it turned out to be a spectacular hike. As you can see from the photo, there were literally seas of chicory flowers shimmering on lower Big Bluestem this morning—making it clear how the trail gets its name. As it turns out, Chicory are day-bloomers—they rarely last into the heat of the afternoon, but hopefully the cloud cover will persist long enough for the build-up-a-thirst hike we have planned for tonight. In any case, they will probably be there the next few mornings, and are well worth the effort.
Early morning also proved to be the right time to see abundant wildlife. In addition to sundry deer and rabbits, we spotted a faun. But the wildlife highlight of the morning came a bit later when, near the junction of the Mesa trail and the northernmost Shadow Canyon cutoff, we almost walked straight into a large black bear (see photo).
He was placidly feeding on berries in the bottom of the draw, about twenty-five feet off the trail. He perked up his head, looked at us a moment, noted the absence of dogs, and resumed feeding. We stayed still long enough to get a few photos of him, and then as we approached closer he showed what he thought of us by turning around and taking a crap. And in the woods, no less…
Photos courtesy of FEC.
July 19th, 2007
Posted by Tim | 1000 miles, Every last post | one comment

Homeward bound from a week of hiking from Eagle to Crested Butte, we stopped for one last quick jaunt up North Jones Mountain, daring the thunderstorms in the distance to outpace us. Ok, it wasn’t really that close. If it was, we would not have summited. But for a driving day, not a bad little hike. Of course, starting at a 12000 foot pass helps.
July 8th, 2007
Posted by Tim | 1000 miles, Every last post | no comments
Today was a short hiking day as Paige and Seth were having their rehearsal dinner in Crested Butte, but we managed to make it to the mouth of a very intriguing valley up Copper Creek. When I was a bit younger and perhaps less wise, I and a couple of friends ski-backpacked up this valley, over Triangle Pass, and down to Conundrum Hot Springs. I haven’t been back since. I must admit, I still wonder why. And today, I have to turn back too soon. But I will be back.
July 7th, 2007
Posted by Tim | 1000 miles, Every last post | no comments

Sometimes, if you are lucky, you get to take a day hike in a sublime paradise. Today was my day. With two large, unbridged creek crossings to keep the riff-raff out, this spectacular high alpine wildflower hike is simply beyond words. So I won’t bother, other than to put the occasional caption on this photoessay.
Precarious Peak marks the head of a sublime valley and the trail’s end for a spectacular day. All photos should appear at a higher resolution when clicked.
July 6th, 2007
Posted by Tim | 1000 miles, Every last post | no comments

They say that Ohio is a plain-spoken place. Off Ohio Pass, in a little-known valley that separates the West Elk, Storm Ridge and the Anthracite Range, a trail climbs to the base of the Anthracite massif before turning south toward Soapy Basin. To the southwest you can spot the Castles, or the Swamp Castles, as I prefer to think of them. Someone here had a dry, plain-spoken sense of humor, as you can no doubt tell from the picture of swamp flowers taken at the aptly named Swampy Pass. I am glad it was midday when I passed it by, though when I returned again at 3 I startled a family of ducks happily summering at 10000 feet.
The trail, which borders a slough on the pass for some yards, gave the appearance that I was chasing the ducklings, and so I was charged by a daffy duck, wings aflap, trying to distract me as if I were a predator while the little ones hid in the tall fronds.
July 4th, 2007
Posted by Tim | 1000 miles, Every last post | no comments

The biggest risk in starting the second hike of the day late, in the early evening, is that you will be seduced to linger too long, too late, to enjoy the interplay of the long light and creeping shadows. When that hike is replete with some of the most amazing wildflower meadows I have ever seen, as was Beckwith Pass, that call becomes a siren among sirens, keeping you and your camera until you are sure to stumble back to camp long after dark. The part of me that is still a photographer can never regret a proper dusk hike though. There could never be enough time spent in the West Elk Wilderness, one of the least visited and most spectacular areas of the state. This is the first of a series of photoessays on the blog, meaning that you can click these photos and see a higher-resolution jpg to appreciate this amazing place.
July 3rd, 2007
Posted by Tim | 1000 miles, Every last post | no comments

Today was the first high peak summit of the year, the nearly 12000 foot high Mt Thomas, which is really just a minor peak on the enormous massif that divides the Frying Pan River from the Colorado River Valley above Eagle. A beautiful but fairly gentle climb with excellent views of both the Sawatch and the Elk Ranges from atop the 12000 foot ridgeline of Red Table Mountain, it would make an excellent early summer backpack someday (note to self). The wildflowers were amazing, but what really caught my eye was this little guy. A mycologist, however, I am not. Any suggestions as to what this orange fungus is called? He was over a foot long and six to eight inches across.
July 2nd, 2007
Posted by Tim | 1000 miles, Every last post | no comments

Ah, those early morning hikes. We woke up early to try to get some miles in while the forest was still cool, even though we had camped at 8300 feet.
Setting off through swaths of mosquitoes, we surprised the elusive Central Colorado Moose taking an early morning mudbath in a wallow just off the Lost Lake Trail on Piney Ridge above Vail. Between the dim early morning light and camera shake resulting from having to shake off moose-sized mosquitoes, it was less than ideal photographic conditions. However, you have to take your moose photos where you can–this is only the second time I’ve ever seen moose in the state.
June 17th, 2007
Posted by Tim | 1000 miles, Every last post | no comments
Today’s main hike was one of those picture-perfect hikes on a picture-perfect day at a picture-perfect place. For the aesthetically-impaired, I’ve composed this photograph. I still wonder who had the chutzpah to put up this sign–King Bluntman?
This photo was taken near Piney Lake on the Piney Creek trail outside of Vail, looking up into the Eagle’s Nest Wilderness. Wilderness it may be, but don’t expect solitude–at least until the trail gets steep a mile or two in! 6.25 miles on this hike–but one of three today on Piney Ridge.
June 16th, 2007
Posted by Tim | 1000 miles, Every last post | no comments
I’m not one to spend much time at resorts. I dislike the encapsulated, packaged feel of ‘outdoor fun’ that one finds at such places. But Randi had a conference at Beaver Creek, and so up we went. After trying–and failing–to have any reasonably nice experience hiking right from the resort hotel, we went on a short drive down US 6 and found this marvelous trailhead at the end of a side road up a promising draw. A spectacular Friday afternoon with no other people on the trail, and certainly no trucks and front-end loaders sprucing up the resort for summer.
June 15th, 2007
Posted by Tim | 1000 miles, Every last post | no comments
I’ll readily admit I don’t ride the bus much. I much prefer point-to-point transportation, such as riding my bicycle. But occasionally I need to go to Denver for an event, and rather than jump in my car and add to that single-occupancy-vehicle traffic jam known as the Boulder-Denver turnpike, a few months ago I thought I’d try to take the bus.
There’s a nifty new web service called NextBus.com that offers realtime estimates of when the next bus will arrive for my local bus service provider, RTD. You just point your browser to the appropriate web page for your route and direction of travel, and bingo, an estimate of what time a bus will be at your stop. It’s even accessible from a cell phone browser. Great idea, right? But poorly designed.
You can see from this screenshot that the NextBus service lists “Broadway at Ash Avenue” as a bus stop for the BX route (the Boulder-Denver express). But when I went to that bus “stop”, I watched a BX bus pass me by despite my attempts to flag it down. If a bus rider can’t figure out where to catch the bus, what good is a web service that tells you when it arrives there?
After an annoyed set of emails to RTD and NextBus about the matter, I discovered that “Broadway and Ash Ave” is not actually a bus stop for the BX or even the BL (Boulder-Denver Local) route, but only for other routes such as the Skip or AB. Apparently NextBus’s service only lists the time when the BX or BL bus passes a particular GPS location–not whether it is actually a bus stop for that particular route. So why is it listed as a bus stop on the BX/BL routes on NextBus?
The answer is poor design, particularly with respect to the interaction between the underlying information architecture and the user experience. One component of good user interface design is making sure that the information architecture of the system is accurate, and NextBus failed that test. Inaccurate information leads to a miserable user experience, such as having the bus you want to take pass you by and leave you stranded. That makes NextBus and RTD co-winners of the second Darwin Design Award for an interaction design that drives end-users nuts. I might have pulled back from giving them the award, but four months and several rounds of emails later they still haven’t bothered to fix the problem.
In fact, several more of the locations listed on the NextBus website “stop” selector are not actually located where the bus stops. So, for example, the stop at Broadway and 27th Way is probably the closest actual bus stop to the “Broadway at Baseline Rd” NextBus “stop”. However even that deduction remains uncertain, because the “Broadway at Service Rd” stop doesn’t even exist. Try googling such a location–or ask a native Boulderite like myself–there is no such intersection. Given that it is between “Broadway and Baseline Rd” and “Broadway at Ash Ave”, perhaps it refers to the old NIST (National Institute of Standards and Technology) entry across from Broadway and 27th Way, but the user is left twisting in the wind wondering how to interpret this nonsense.
There is an important lesson to be learned here, however. Mislabeling the GPS locator stations as “stops” is a great example of the mistake of conflating the user’s point of view and the back-end point of view. NextBus GPS location points are not ontologically equivalent to actual bus stops; they are approximations which must be mapped. It illustrates how an ontological mistake in the underlying information architecture leads to a poor design that is useless for the end user.
A good interaction designer would pay attention to where the bus actually stops and how the stops are named in the real world of bus riders. Pushing real-time bus arrival information across the web to a browser or cell phone is a great idea. But unfortunately a great idea poorly designed risks dying early, earning the RTD NextBus system a Darwin Design Award.
June 15th, 2007
Posted by Tim | Poor Design, Every last post | one comment
Recently my web host seems to have updated its modsecurity rules so that my blogging client for Firefox, Deepest Sender, didn’t work, returning a cryptic “TypeError: node has no properties” message. It took me one confusing hour to figure it all out, as naturally I was writing a post that fell into another modsecurity trap. But there was a relatively easy solution.
The most drastic solution would be to turn off the SecFilter setting in your .htaccess file completely, as some forums advise (bad idea: you open yourself up to lots of security issues if you turn off filtering for all the nasties your web host’s sysadmins are trying to protect you against with modsecurity).
A better solution is to turn SecFilterInheritance off for only the file xmlrpc.php. That’s much more selective, but it still leaves a security hole right where attackers expect it. And, as any analysis of raw access logs will tell you, there are plenty of scripted attacks on yourdomain.com/xmlrpc.php, yourdomain.com/wordpress/xmlrpc.php and so forth.
An even better solution is to combine that with the Purloined Letter method: hiding the publicly accessible xmlrpc.php by renaming it is much more secure.
First, copy xmlrpc.php to yourownrandomname.php within your WordPress directory. (Copying the xmlrpc.php file rather than just renaming it reduces the chances that some other plugin will fail obscurely.)
Second, use the .htaccess modification method to point to your (hopefully) unique filename. Since they don’t know the filename, the script-kiddies won’t know what file to attack. Modify (or create) an .htaccess file in the wordpress directory with the text editor of your choice and insert the following directive:
<Files yourownrandomname.php>
SecFilterInheritance Off
</Files>
Third, change Deepest Sender, Windows Live Writer, Performancing or whatever blog client you use to point to yourdomain.com/yourwordpressdirectory/yourownrandomname.php rather than xmlrpc.php.
The only downside that I can think of is that you should repeat step 1 whenever you upgrade WordPress (if the xmlrpc.php file has been changed; and since it is a target for attacks, it usually has).
If you also run into Error 403/404 problems when posting content or comments containing filtered phrases like “xmlrpc.php” or “href=’javascript:’”, as I did on another post, you may also have to modify the .htaccess settings for wp-admin/post.php or even wp-comments-post.php. Unfortunately it isn’t as simple to give a unique name to post.php, as you’d have to change the filename throughout many WordPress program files. A better bet is to install WordPress in a non-obviously named subdirectory (not wordpress or blog or blogs or WordPress and so on and so forth…), but even then a script could pick up the install directory from the HTTP_REFERER variable, so a purloined letter solution isn’t as helpful for preventing spam attacks that try to exploit WordPress’s posting engine. So if this is a frequent problem, you’ll have to think of another solution, or just turn security off and back on right before you post or edit a post containing the forbidden phrases.
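The three steps above, plus the upgrade check from the downside paragraph, automated as an added Python script. This is example code written for this page, not the post's own tooling and nothing from WordPress or ModSecurity. It writes the same <Files> block the post shows, generates the random filename, flags the global SecFilterEngine Off setting the post warns against, and compares the alias with xmlrpc.php so you know when step 1 needs repeating. The rpc- prefix, the 16-byte random name and the stand-in xmlrpc.php used by the demo are this example's own choices.

```python
import os
import re
import secrets
import shutil
import tempfile

# The drastic fix some forums suggest: filtering switched off for the whole
# site. Kept here only so the checker below has something to recognise.
WEAK_HTACCESS = "SecFilterEngine Off\n"


def htaccess_is_weak(text):
    """True if the .htaccess disables ModSecurity filtering globally."""
    return re.search(r"^\s*SecFilterEngine\s+Off\b", text, re.M | re.I) is not None


def htaccess_block(alias_name):
    """The selective directive from the post: filtering stays inherited
    everywhere except for the one renamed XML-RPC endpoint."""
    return f"<Files {alias_name}>\nSecFilterInheritance Off\n</Files>\n"


def create_xmlrpc_alias(wp_dir, alias_name=None):
    """Copy xmlrpc.php to an unguessable name and exempt only that name.

    Copies rather than renames so plugins that reference xmlrpc.php keep
    working, as the post recommends. Returns the alias filename.
    """
    source = os.path.join(wp_dir, "xmlrpc.php")
    if not os.path.isfile(source):
        raise FileNotFoundError(source)
    if alias_name is None:
        # 16 random bytes -> 32 hex characters; not something a wordlist hits.
        alias_name = f"rpc-{secrets.token_hex(16)}.php"
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.php", alias_name):
        raise ValueError("alias must be a plain .php filename")
    shutil.copyfile(source, os.path.join(wp_dir, alias_name))

    htaccess = os.path.join(wp_dir, ".htaccess")
    existing = ""
    if os.path.exists(htaccess):
        with open(htaccess) as fh:
            existing = fh.read()
    if f"<Files {alias_name}>" not in existing:      # idempotent on re-runs
        with open(htaccess, "a") as fh:
            fh.write(htaccess_block(alias_name))
    return alias_name


def alias_is_current(wp_dir, alias_name):
    """After a WordPress upgrade: does the alias still match xmlrpc.php byte
    for byte? If not, step 1 has to be repeated."""
    with open(os.path.join(wp_dir, "xmlrpc.php"), "rb") as a, \
         open(os.path.join(wp_dir, alias_name), "rb") as b:
        return a.read() == b.read()


def demo(base_dir=None):
    """Build a scratch directory with a constructed stand-in for xmlrpc.php,
    apply the hardening, and return (alias, .htaccess text, is_current)."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="wp-demo-")
    with open(os.path.join(base_dir, "xmlrpc.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in, not the real WordPress file */\n")
    alias = create_xmlrpc_alias(base_dir)
    with open(os.path.join(base_dir, ".htaccess")) as fh:
        htaccess = fh.read()
    return alias, htaccess, alias_is_current(base_dir, alias)


if __name__ == "__main__":
    alias, htaccess, current = demo()
    print("alias:", alias)
    print(htaccess)
    print("weak global setting?", htaccess_is_weak(htaccess))
```

For a real install call create_xmlrpc_alias on the WordPress directory and paste the returned name into the blog client; run alias_is_current after each upgrade and recreate the alias when it returns False.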
Resources:
http://wordpress.org/support/topic/105391
June 12th, 2007
Posted by Tim | Hacking, Every last post | 4 comments
I wanted to add a quick print button to a Drupal page I was modifying the other day, as I have done in the past for other ordinary HTML/CSS sites. The code, which at its simplest reads something like:
<a href="ja vascript:window.print(); return false;">Print this page</a>
simply could not be entered into the Drupal editor. The reason? Apparently Drupal was performing some kind of regexp filter on the hrefs to ‘correct’ non-fully-qualified local addresses, replacing ‘href=’ with ‘href=’http://LocalDrupalDomain’. Eventually I figured out I could get the link to work by enclosing it in code tags and setting the input type to PHP.
But that was only one problem. I kept getting a weird Error 403/404 whenever I tried to post the entry. The Apache modsecurity module on my webhost also seemed to have a rule forbidding any posting matching ‘href-equals-javascript-colon’ (and yes, I have to spell that out or break up the word with an extraneous space, as I did in the code above, in order to sneak this past the modsecurity censors). No doubt that rule is intended to prevent spammers and other attackers from hijacking the form processor. Some of the Drupal solutions suggest writing the javascript href using a PHP echo or print command… now that’s an ugly but viable workaround, thanks to all the slash-prefixing of quotes within quotes.
This brings me to thinking about one of the problems I have with CMS software packages like Drupal (or even blog software like WordPress) versus hard-coded HTML/CSS websites. In an effort to make some things–like managing a large site–more convenient they frequently make other things less convenient; in this case, it took me the better part of an hour to figure out why entering a simple javascript href tag kept failing. And is a CMS really any simpler anyway? Sometimes, whether in WordPress or in Drupal, I just want a way to have exactly the HTML I type get posted onto the CMS.
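An added illustration of the two filters the post runs into, written for this page and not taken from Drupal or from the host's ModSecurity rules: a naive href-rewriting filter of the kind the post infers, which treats anything not starting with http:// as a local path and so mangles the javascript: link exactly as described; a scheme-aware version that resolves only relative links and leaves scheme-bearing ones alone; and a check that lists javascript: hrefs, which is roughly what the host's rule is objecting to. The sample HTML and the base URL are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample post body; the links are made up for this example.
SAMPLE_HTML = (
    '<a href="about.html">About</a> '
    '<a href="http://example.org/x">Ext</a> '
    '<a href="javascript:window.print(); return false;">Print this page</a>'
)

HREF_RE = re.compile(r'href="([^"]*)"')


def naive_rewrite(html, base):
    """Filter in the style the post describes: anything that does not start
    with http:// is assumed to be a local path and gets the site prefix.
    This is what turns the javascript: link into a broken site-relative URL."""
    def fix(m):
        href = m.group(1)
        if not href.startswith("http://"):
            href = base.rstrip("/") + "/" + href.lstrip("/")
        return f'href="{href}"'
    return HREF_RE.sub(fix, html)


def scheme_aware_rewrite(html, base):
    """Resolve only scheme-less, relative hrefs against the base URL.
    Anything with a scheme (http, mailto, javascript, ...) is left untouched
    so that a separate policy step can decide whether to allow it."""
    def fix(m):
        href = m.group(1)
        if urlsplit(href).scheme == "":
            href = urljoin(base, href)
        return f'href="{href}"'
    return HREF_RE.sub(fix, html)


def script_hrefs(html):
    """Return the hrefs that use the javascript: scheme; a content filter that
    wants to block inline script links checks the parsed scheme, not a
    substring, so spacing tricks in the markup do not change the answer."""
    return [h for h in HREF_RE.findall(html)
            if urlsplit(h).scheme.lower() == "javascript"]


if __name__ == "__main__":
    base = "http://LocalDrupalDomain"
    print(naive_rewrite(SAMPLE_HTML, base))
    print(scheme_aware_rewrite(SAMPLE_HTML, base))
    print(script_hrefs(SAMPLE_HTML))
```

The point of the scheme-aware version is that "is this link local?" and "is this link allowed?" are two different questions; conflating them is what produced both the mangled href and the hour of confusion.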
But then that’s where security concerns can still turn around and bite you. I can’t blame WordPress, Drupal or even TinyMCE for overapplicable Apache rules that protect against spammers trying to abuse the html form posting functions. Only the command-line can save us from such follies–time to go in and edit the SQL entry by hand. Oh, it is just like the days when it was just an actual file and I could use vi, in the days before every page was generated on the fly by a dynamic database… except I have to use even more obscure programs.
(Or just temporarily modify the .htaccess for the posting engine for just one moment, while I sneak a post past modsecurity, and then close the security hole back up when I am done…if I remember. But that’s another story…)
Man, what a pain. And CMS’s are supposed to make our lives simpler?
June 12th, 2007
Posted by Tim | Hacking, Every last post | no comments