Archive for Scripts

Breaking ground

// March 19th, 2008 // No Comments » // Scripts, Web

UPDATE: Sorry if you tried to sign up on the forums overnight on 08.03.19.  Turns out there was a bug in the registration system.  I fixed it first thing this morning (08.03.20), and it should work fine now.  Please contact me if you experience any further problems.

I remember a time, many moons ago, when SuperSatellite.com had forums. Back then, I did band and event promotions for the area. phpBB was version….2…point…something. It wasn’t new, I’ll tell you that. Like 2.0.2 or something. But, the forums had a modest, bustling following, and it was well liked. Until we stopped doing that sort of thing. Those forums vanished long ago (well, technically they broke down, sat broken and unused for months, then went away, but you get the idea), and will never be back.

But, that doesn’t mean there isn’t a place for forums around here. As a matter of fact, I’ve been looking for an excuse to play around with the new phpBB3, which came out recently. Given these issues, I set up http://dotcms.supersatellite.com/ (you’ll also note the new link in my header nav for dotCMS, which can take you there) as a sort of test. One, to test the new forum software. But two, to provide some support and community forums for those people wishing to work with others on things related to dotCMS. As of now, nothing like that exists besides their mailing list. The friendly folks at dotMarketing are planning some new community sites and tools this year, but those are still a ways out. Besides, that’s really the glory of open source, isn’t it? Communities coming up on their own and doing their own thing. I’ve got it up and running, and started several forums to see how things work from there. I’m totally open to suggestions for improving the forums as a tool for the dotCMS community.

So, that’s what I got. I’ve been digging around the backside of phpBB3, and I will tell you, it is a totally different beast from 2. They’ve added quite a bit to it, and have tried to bring it up to snuff against the commercial alternatives. For free, they have done well. For now, I’ll keep it there on that subdomain, but if it gets enough traffic, I’ll probably migrate it all over to its own domain name. I’m interested in what kind of conversation this is able to drum up.

Secure OpenID with MyVidoop

// January 30th, 2008 // 1 Comment » // Scripts, Web

The other day I started talking a little bit about my experiments with OpenID, a new, portable, and universal authentication scheme for web sites. I’ve been continuing this since then, and have some newer information I want to share with you. Originally, one of my primary concerns was that of security. For general purpose use, I mentioned that MyOpenID.com seemed to be an all right solution. It is. The problem was that there were still holes that seemed ripe for exploiting since it was still password based, and required nothing special to get into beyond that. But, a site called MyVidoop.com (who comes up with these names?) really raised the bar in my opinion (click here to get an OpenID from them). At the end of this blog, there will be a couple white sheets you can download that will have more information on what I’m about to share. So, if you don’t think I tell you what you want to know (girls tell me that all the time), look there. There’s also a short video about how OpenID works.

MyVidoop appears to have been created with the idea of securing OpenID as priority number one (well, making money was probably number one, but security a close second!). And next to MyOpenID, they blow them away. Some of you might be familiar with the kitten captcha. This clever system suggested using image identification as a captcha method in place of current text obfuscation techniques which are constantly being broken. That introduced the need for human level cognition to process the form, eliminating most bots from the equation. MyVidoop used this style of technique with regard to authentication. Instead of a static password you type in each time, you identify 3-5 image groups when you set up your account, then when you log in, you select images from a grid that match your groups. This is connected to a pass key (each image has a letter associated with it) which is never the same twice since the grid, images, and letters tied to them change on each log in. The only static information used in the process is the categories of images, and only you know them. Thanks to other steps, there is no effective way for a bot to glean that information or put it to use.

It’s rather clever, because it inherently defeats two account cracking methods: brute force and keystroke logging. Since the login key is never the same twice, a compromised key does no good. Since it is random each time, there’s no way to brute it effectively. But what about phishing? This is where it gets interesting. MyVidoop has created a token based system for security. If I go to a site to register, MyVidoop will ask me about the computer I am at. It will send a token, either to a predefined email address, or even as a text or voice message to my cell phone! And yes, it’s immediate. You must have this 6 digit token to even be allowed to see the image grid. This makes phishing nigh impossible since tokens only come to you. It’s also a level of security unheard of with other sites. Even my bank doesn’t personally check with me about a login. Once you have entered the token, you can have it remember the computer for the future (such as a home system or laptop you use frequently) so that you aren’t getting tokens at every single login with a computer you trust. Likewise, there is no way to provide an effective man-in-the-middle attack, because a token is good only once, and you need a human component to decrypt categories, assuming you bypassed the token and were able to capture a grid. This login information never leaves an OpenID provider, regardless of who it is. It’s similar to LDAP in that all the web site gets back from the provider is a yes or a no with regards to if a person is who they say they are (along with information they require, like an email address, which you say is okay for them to have). At no point are login credentials handled by the originating site.

All in all, this seems quite effective at preventing an ID from being lifted. To emphasize OpenID’s portability, I’ve already changed my server and delegate to point away from MyOpenID to MyVidoop by changing the code in the header of my website (WordPress has a handy plugin for this called WP-Yadis). I would speculate that eventually, other providers will follow suit to try and keep up. At the moment though, MyVidoop is the only company offering this level of security for your ID.

Like other services, it supports useful features like multiple profiles, and also ID forwarding. Unlike others, they have an affiliate program that will pay you to get others to sign up. That situation is very win-win. They are funded through companies like SmartUSA.com, and have mentioned selling image spots like ads, so Pepsi might show up in the beverages category, or Cessna in airplanes, Fender in musical instruments, etc. Besides funding the site, they pass that back to affiliates (and thank you for that).

Lastly, consider a comparison. Assume that you get an email from a phisher that tricks you into going to their site to log in (tsk, tsk, you should be ashamed for not catching that!). In scenario one, you are using MyOpenID. You go in, and they load up the login screen with a wrapper that logs your password (you did check the URI (Uniform Resource Identifier) of the page you are on, right?). Like any site that requires a static log in, they can lift and reuse your credentials. It’s not so much a fault of OpenID as it is static logins, but it can be worse since OpenID allows access to so much. One password later and you’re compromised. With MyVidoop, first it asks for the token. That gets sent only to you, so the phisher can’t intercept it. Once you use it, it’s done, so if the token is logged, it can’t be used again. You are shown a screen next, with an image grid. You enter the letters matching your image categories. The letters have a random association, so it can’t determine what the connection to images is, and that key is also only good once, so the phisher can’t reuse it. Even if they capture the grid, human intervention is required to figure out what categories you might be using. These scams usually rely on automated bot systems, so stopping to physically check each grid isn’t cost effective (this would also hold true for trying to do it with a Turk, in theory, if enough people do it). Even if they got the categories, step one, the token, will prevent them from getting to the grid in the future.
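To make the two login steps described above concrete, here is an added toy model of them in PHP. It is not Vidoop’s code and says nothing about how their service is actually built; the class name GridLoginDemo, the category list, the five-minute token lifetime, and the in-memory storage are all assumptions made for the example. It shows why a logged token or a logged grid answer is worthless on the next attempt: the token is consumed on first use, and the letters for your categories are re-randomised on every grid.

```php
<?php
// Added example (not Vidoop's code): a toy model of the two login steps
// described in the post - a one-time 6-digit device token, then an image
// grid whose letters are re-randomised on every login.
// Class name, categories, token lifetime and storage are all assumptions.

class GridLoginDemo
{
    // Every category the provider can show; one image per cell (constructed).
    private $allCategories = array('cats', 'cars', 'boats', 'flowers',
        'trees', 'planes', 'guitars', 'clocks', 'shoes');

    private $tokens = array();      // token => expiry timestamp, single use
    private $challenges = array();  // challengeId => (letter => category)

    // Step 1: issue a device token. It would go out of band (email/SMS/voice).
    public function issueToken()
    {
        $token = sprintf('%06d', random_int(0, 999999));
        $this->tokens[$token] = time() + 300; // assumed five-minute lifetime
        return $token;
    }

    // Redeem a token exactly once; the same value is refused afterwards.
    public function redeemToken($token)
    {
        if (!isset($this->tokens[$token]) || $this->tokens[$token] < time()) {
            return false;
        }
        unset($this->tokens[$token]);
        return true;
    }

    // Step 2: build a grid. Cells are shuffled and each gets a fresh random
    // letter, so the letters for any category differ from login to login.
    public function issueGrid()
    {
        $cells = $this->allCategories;
        shuffle($cells);
        $letters = range('A', 'Z');
        shuffle($letters);
        $map = array();
        foreach ($cells as $i => $category) {
            $map[$letters[$i]] = $category;
        }
        $challengeId = bin2hex(random_bytes(8));
        $this->challenges[$challengeId] = $map;
        return array('id' => $challengeId, 'grid' => $map);
    }

    // What the user types: the letters on the cells matching their categories.
    public static function answerFor(array $grid, array $secretCategories)
    {
        $answer = '';
        foreach ($grid as $letter => $category) {
            if (in_array($category, $secretCategories, true)) {
                $answer .= $letter;
            }
        }
        return $answer;
    }

    // Check the typed letters against the stored grid, then discard the grid
    // whether or not the check passed, so a captured answer cannot be replayed.
    public function verifyGrid($challengeId, $typed, array $secretCategories)
    {
        if (!isset($this->challenges[$challengeId])) {
            return false; // unknown, expired or already-used challenge
        }
        $map = $this->challenges[$challengeId];
        unset($this->challenges[$challengeId]);
        $chosen = array();
        foreach (str_split(strtoupper($typed)) as $letter) {
            if (!isset($map[$letter])) {
                return false;
            }
            $chosen[] = $map[$letter];
        }
        sort($chosen);
        $expected = $secretCategories;
        sort($expected);
        return $chosen === $expected;
    }
}

$secret = array('cats', 'cars', 'boats'); // the user's categories (constructed)
$demo = new GridLoginDemo();

$token = $demo->issueToken();
$demo->redeemToken($token); // first use is accepted
$demo->redeemToken($token); // a logged copy is refused: the token is spent

$login1 = $demo->issueGrid();
$typed1 = GridLoginDemo::answerFor($login1['grid'], $secret);
$demo->verifyGrid($login1['id'], $typed1, $secret); // accepted
$demo->verifyGrid($login1['id'], $typed1, $secret); // refused: grid consumed

$login2 = $demo->issueGrid(); // a new grid, new letters for the same categories
echo "login 1 key: $typed1, login 2 key: ",
     GridLoginDemo::answerFor($login2['grid'], $secret), "\n";
```

Run it with `php grid-demo.php` (PHP 7 or later, for random_int and random_bytes) and the last line shows that the typed key differs between the two logins even though the user's categories never change. The only thing that persists across logins is the category list on the provider side, which is why the post stresses that an attacker who somehow captures one grid still needs a human to work out which categories were chosen.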

To be fair, other services like MyOpenID do offer an option to use an SSL certificate to log yourself in, which is much better than passwords, but it isn’t the default mechanism and you must dig it out of the Account Settings area to enable it. It’s also only really useful with computers that you use regularly since the certificate must be installed on the machine. What I would like to see is someone attach OpenID login to one of the PayPal/Verisign style RSA keyfobs.

You’ll notice on the right you can now log in directly with OpenID on this site, and there’s a link there to go get an OpenID from MyVidoop. If you want to get started in OpenID, I’m not sure there’s a better place at the moment. Video and PDFs below.

Vidoop Secure White Paper
Sweet Security, Free for Your Websit

dotCMS: An Introduction

// January 29th, 2008 // 14 Comments » // Scripts, Software, Tech, Web

I felt it was time to take a closer look at a content management system I am getting very involved with. One might say I’m drowning in it. I prefer to think of it as being choked by it, heh. Really, it’s a very interesting system, and a fantastic tool for the price (free!). I have worked with a number of CMSes (Content Management Systems) over the years: Coranto, e107, Joomla, Mambo, WordPress, Drupal, and a few others that I’m sure I’ve forgotten about. It’s easy to get locked into one or two for various purposes, which had been true with me for a long time. The problem is, my short list there is only good for small to mid range sites. Now I’m webmaster for a site of better than 10,000 pages and 70+ editors. Those open source solutions don’t easily or always comfortably scale up to those needs.

That’s where enterprise grade content management comes into play. Swinging big price tags, naturally. You start learning names like RedDot, OmniUpdate, Hannon Hill Cascade Server, Serena Collage (discontinued), and Ektron cms400.net. You also learn they don’t come cheap, some breaking the $80,000 mark. $15,000 in this group is cheap. In some cases, you don’t even have to host it. But the support, features, and scalability you get from this class of tools is in a different league. Wouldn’t it be nice if you could get the best of both worlds though? Something like a Typo3 or Zope/Plone system, but with enterprise grade support and a learning curve within reach of your users? A tool that was open source to boot? Generally there just isn’t demand for this sort of software, at least not enough to make a successful project; it’s enterprise grade and enterprise cost because it’s an enterprise market. However, dotMarketing has stepped up to the plate. They have developed dotCMS to augment their design and consulting business, but released it free, charging only for support.

I need to be fair though. dotMarketing really stood on the shoulders of the work done at the Liferay Portal project; that’s where it started. Liferay is the underlying framework that drives dotCMS, written in Java, and running on top of Apache Tomcat. But they forked the project and went a long way towards customizing everything you see and interact with. It isn’t just a fancy admin theme dropped over someone else’s work. It is also tied together intimately with Apache Velocity, which is very slick for writing dynamic templates. Needless to say, this isn’t a simple one-off, self-contained type of application. It’s built on several different technologies, all open source, to try and provide the best of each tool to the end user. When you download it, everything you need is packaged up though; you don’t have to hunt anything down separately.

This does make it more complex than other open source CMS options. Systems like WordPress or Drupal can be installed to any server that runs PHP and a flavor of database server. On the other hand, dotCMS requires you to have root access to the server to install things like the Apache Tomcat server. This requirement has hurt dotCMS’s market penetration, as many web site owners do not have that kind of server access, opting instead for cheaper hosting solutions. That is a shame, because dotCMS is easily one of the most powerful open source options available, with a much shallower learning curve than equally flexible solutions (I’m looking at you Typo3). It’s also pretty resource intensive, so you won’t be dropping this onto a lightweight web server you built five years ago on an old AMD K6-2 system you had lying around. Plan on needing a couple gigs of RAM and a modern processor to heft it. You can run it in a dev environment on a PC okay, but not with less than a gig of RAM (I know, I tried, I failed). It might be open source, but it is truly enterprise grade, and is built for an environment that reflects such.

Part of what makes dotCMS so good is the way they approach content. As an administrator, you can create structures. These structures result in a form-like input system that allows you to pull out some or all data for a type (say, a news posting, or product review). Any structure can easily be attached to an RSS feed. Each structure is unique, but can be dynamically related to one or more other types of content in other structures. For instance, you have a structure for “blog posts” and one for “comments,” and the comments can be related to blog posts. But you could also relate certain comments to articles, or news postings as well. This is a basic CMS feature used in most systems, but with dotCMS you see exactly how it works, and can modify or expand it. Better yet, create your own. Players related to teams related to sports. The flexibility allows you to develop to your heart’s content. And you don’t have to be a programmer to do it. Admittedly, relationships aren’t super easy to understand out of the gates, but an example or two gets you going. They really got things right with regards to how content should be created and used, and did a good job taking the cork out of the bottle for the end user to go nuts with it.

Speaking of examples, they do have a complete demo site running that allows you to both test things, and also see how certain things are accomplished. This can be very useful if you want to duplicate some kind of functionality, but need an example. They also outline plenty of macros that allow you to easily accomplish common tasks, like creating slideshows, navigation, MP3 players, RSS feeds, and more. One thing their demo site doesn’t showcase is that it can even run multiple domains through one back end, so you could be running demo.site.com, and blogs.site.com, and www.site2.com all through that one instance of dotCMS.

If you would have asked me before, I probably would have said that Drupal or Typo3 had the best permissioning systems available in open source. That’s no longer even remotely true. dotCMS has a fantastic permissioning system that allows granular access to both content and admin areas. Groups are used to define what a user has access to at the back end, while roles determine what they can use, see, and access with respect to content. This combines with a workflow system that can be used to make sure content is properly reviewed and approved before it hits the page. It’s simple, and it works. Well. On the user side, you can easily tie into an LDAP or Active Directory environment, though it requires manual set up. Users can be tracked through the system to provide some basic analytical data, and attached to CRM functionality to label, organize, and communicate with them. This goes far beyond any other competitive product in open source.

Where it’s lacking: documentation. Right now, it’s pretty scattered and different documents can be out of sync with others. I understand this is changing, and that they are moving to a system a la Apache’s documentation method. It is definitely needed. Luckily, their mailing list is pretty active, and they tend to be responsive on bug reports. I think it would be nice to see a little more stuff built in by default. For instance, dotCMS can be a blog, or host them, but you have to build the structures and relationships yourself. Tools like that are common enough that it wouldn’t hurt to just have it already set up. There is also no file structure, in the normal web sense, so no FTP (File Transfer Protocol) type functionality, you have to upload through the system or via WebDav, if your server supports it.

I will be at the dotCMS Open Minds Conference next week in Miami. After that (and maybe even during), I’ll be following up with some more detailed information regarding their CMS. I’ll get a bit more into how certain things actually work, and what we’re doing to make it work to our advantage. In the meantime, their portfolio can give you an idea of what the system is capable of.

Update (08.04.21): If you are looking for additional support, be sure to either check out the dotCMS mailing list, or visit our newly established forum community. Also, expect new and improved documentation and support tools from the dotCMS development team around the 3Q of 2008.

Creating a profanity filter

// December 6th, 2007 // 9 Comments » // Scripts, Web

So, today I wrote the dirtiest function I have ever written in PHP. I typed more profanity at once than I think I ever have in the past. As part of a new AJAX (Asynchronous Javascript And XML) live search query displayer I wrote for our Google Mini, I had to do some filtering to make sure naughty phrases wouldn’t show up. This is a pretty straightforward script you could incorporate into different applications, like a shoutbox, or comment form.

Alternatively, you could swap in preg_replace() or eregi_replace() instead of preg_match() and censor phrases that way. In this example, I use preg_match() just to test the query, and if the filter matched, I excluded the query from display entirely. I have this set to match anything that occurs in a query, so if the word “butt” was a filter term, it would catch “butts,” “butthole,” and “buttmunch.” That saved a lot of extra typing and filtering. Yes, it increases the likelihood of a false positive, but in this case we weren’t too concerned about an overly aggressive filter.

If the filter makes a match, it returns a boolean value of true. From there, do as you will. You could build in your own handler code as well (especially if you just wanted to censor individual words).

If you have a better idea or refinement, comment below and I can tweak this appropriately.

  function profanityFilter($query) {
    /* Set filter terms to exclude from display, including
       word roots or partials. Can be regular expressions, so a
       term must not contain an unescaped "/" (the delimiter). */
    $filter = array("word1", "word2", "word3");

    for ($i = 0; $i < sizeof($filter); $i++) {
      /* Look for a regex match, case insensitive */
      if (preg_match("/" . $filter[$i] . "/i", $query)) {
        /* Return a match, or put in your own handler */
        return true;
      }
    }

    /* No filter term matched the query */
    return false;
  }
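As an added example (not part of the original post’s function), here is the same idea carried a little further in PHP: one term list used both for the yes/no check with preg_match() and for the censoring variant with preg_replace_callback() that the post mentions, with a switch between the post’s substring matching and whole-word matching so you can see the false-positive trade-off directly. The function names, the option flag, and the stand-in terms “butt” and “darn” are constructed for this example; terms are escaped with preg_quote() so they are treated literally rather than as regular expressions.

```php
<?php
// Added example, not the post's original function. Builds one pattern from a
// term list and uses it two ways: a boolean check and a censoring pass.
// Function names, the $wholeWords flag and the sample terms are constructed.

function buildFilterPattern(array $terms, $wholeWords = false)
{
    $escaped = array();
    foreach ($terms as $term) {
        // preg_quote escapes regex metacharacters and the "/" delimiter,
        // so terms are matched literally.
        $escaped[] = preg_quote($term, '/');
    }
    $alternation = implode('|', $escaped);
    // \b on both sides limits hits to whole words; without it "butt" also
    // matches inside "rebuttal" (the post's substring behaviour).
    return $wholeWords
        ? '/\b(?:' . $alternation . ')\b/i'
        : '/(?:' . $alternation . ')/i';
}

// True when any term occurs in $query, case-insensitively.
function containsProfanity($query, array $terms, $wholeWords = false)
{
    return preg_match(buildFilterPattern($terms, $wholeWords), $query) === 1;
}

// $query with each matched term replaced by asterisks of the same length.
function censorProfanity($query, array $terms, $wholeWords = false)
{
    return preg_replace_callback(
        buildFilterPattern($terms, $wholeWords),
        function ($m) {
            return str_repeat('*', strlen($m[0]));
        },
        $query
    );
}

$terms = array('butt', 'darn'); // stand-in filter terms (constructed)

// Substring mode, as in the post, catches "butts" and "buttmunch" but also
// the innocent "rebuttal"; whole-word mode does the reverse.
foreach (array('my butts hurt', 'buttmunch', 'a polite rebuttal') as $q) {
    printf("%-20s substring=%s whole-word=%s\n", $q,
        containsProfanity($q, $terms) ? 'hit' : 'ok',
        containsProfanity($q, $terms, true) ? 'hit' : 'ok');
}

// Censoring instead of dropping the whole query from display.
echo censorProfanity('well darn, that butt joke was bad', $terms), "\n";
```

Building a single alternation pattern also means one preg call per query instead of one per term, which matters a little when the filter runs on every keystroke of a live search. Pick whole-word mode when you would rather miss “butts” than block “rebuttal”; the post’s substring mode is the right call when, as the author says, an overly aggressive filter is acceptable.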

For The Audiophiles

// April 2nd, 2007 // 3 Comments » // Scripts, Web

This one goes out to those of you that love your music and want to get the most out of it.  You rip your CDs to MP3 (or .ogg for you really geeky types), you own an iPod, you’ve hooked your computer up to your stereo, and back it all up to an external hard drive for those travel scenarios.  Ubiquitous.  That is the word for the day.  Despite all of your efforts, you still fall short.  You don’t want to wear an iPod at work.  The external hard drive is great for planned trips to a friend’s house, but does little if a friend wants to just see if you have a single song.  Let me be clear that this is not a review.  I’m not going to dig in to all the different features of a bunch of different web applications, because I’ll do nothing but a disservice to the ones I’m not as familiar with.  Instead, this is simply my journey and thoughts on the matter of media streaming through a web page.

For a long time I had a relatively simple solution to all this that worked a bit of all right.  Of course, it involved setting up my own server.  I pulled out an old XP box I had lying around, hooked it up to my router, set up port forwarding, and created a simple FTP (File Transfer Protocol) server with FileZilla.  I kept an archive of my music library on it that was then tied to the FTP.  Now, this worked for file sharing, and making my stuff accessible essentially wherever I was, provided I wanted to download the entire song before listening to it.  Of course, it also allowed for usage beyond music.  It became obvious that the potential for the server warranted a little more investment.  I went by No-IP.com and set up a domain name with dynamic DNS (Domain Name Service) monitoring.  I did a port 80 redirect (Cox blocks incoming port 80 requests), and just like that I had a web server (after installing a WAMP (Windows, Apache, MySQL, PHP), of course.  I chose Apache2Triad.).  Granted, it was running Windows XP on a residential cable connection, but it did work alright.

So, with the framework all in place, I set out to take the next step.  I wanted to install a nice web interface to access my MP3s through, something that was simple, functional, and could be used by those friends of mine who couldn’t tell FTP from IRS (Internal Revenue Service).  I readily admit my programming skills simply weren’t up to the task for something like that.  Fortunately, the field of competitive products in the OSS arena is small.  Keep in mind, the key to all of this is having your own server.  If you rent hosting from a company, you can indeed install this, and you can share anything you put on that server media-wise.  But if you are like me, you have way too many files to put on something like that, and the uploading time alone would kill you.

A friend of mine turned me on to a program called Ampache.  It’s rather clean looking, and offers a lot of features.  Certainly viable for a number of uses.  The thing I didn’t like about it was its heavy reliance on ID3 tags, something many of you know cannot always be relied on or trusted.  Going in to list songs, the interface could very suddenly become quite cluttered looking.  Granted, it dished out a lot of information about the songs, but I felt the interface started falling apart a little there.  So, while not perfect, it was a contender.  It offered all the other features I was looking for, like multi-user support and playlists.

[Screenshots: initial Ampache screen; Ampache’s song browsing view]

Normally, third time is a charm.  In my case, the second hit I got was on a piece of software called kPlaylist.  An application built on a single file, it just needs a database to access and it’s ready to go.  The most immediate thing that sold me on it was its file interface.  kPlaylist gives the user an Explorer like file tree to use to browse for music.  This fit perfectly because I already sort my music into a nice alphabetical structure.  Like Ampache, it had full support for multiple users, playlists (both public and private), and it kept track of what was popular, new, and currently playing.  It also has an improved streaming engine for those on Linux servers.  Sadly, I am currently missing out on that for the time being until I kill XP on the server in favor of Linux.  Additionally, you can also enable features like batch downloading for later listening (at this time, batch uploading is a feature for the future.  Not a big deal, since I upload my media through my network anyway).  So, I was sold.  I downloaded, installed, and configured it and have never needed to look back.

[Screenshots: initial kPlaylist screen; kPlaylist album view]

To give you a quick idea, I am currently supporting about a dozen users.  I believe that there has never been more than three people on at any given time.  With three people streaming, there isn’t anything to rebuke as far as stream quality goes.  If you want a comparison, here’s an idea of what my internet connection is like:

There are a couple other systems that I found out about after the fact.  uPHP (which didn’t have a demo available at this time), and Jinzora.  I have no first hand experience with these though, so you’re on your own.  Jinzora does have a demo up though, so go plug away on it if you like.  For now, I fully throw my support behind kPlaylist.  If it fits your needs, it won’t let you down.

[Screenshot: default Jinzora view]

In the end, Ampache is pretty solid if you are really, and I mean really, anal retentive about ID3 tags.  I simply cannot be that confident in myself.  kPlaylist offers the simplest, most intuitive interface I have seen.  Plus, its display window will tailor itself to your file structure, so no matter what, you know it will conform to how you sort things.  It will still scan ID3 tags, so if you prefer going that route, you still can.  It will also recognize album art, which is just pretty.  I would love to hear about any alternatives any readers might be familiar with that you like.