Again with the passwords

TLDR:

  • Don’t re-use passwords, ever.
  • Make the passwords you use cryptographically strong — adequate length, no stock phrases, and a mix of cases, numbers, and symbols can’t hurt. Lots of sites are dumb about these rules.
  • Use a system that works for you to generate and store them: Password Safe, KeePass, 1Password, LastPass, whatever. Google them.
  • Retire old passwords, and replace them with completely unrelated new, better ones.

Bonus Points:

  • Use a password system that replicates across all your devices (lappy, tablet, desktop, phone).
  • Save yourself some headache by generating human-readable (but still of acceptable complexity) passwords for when you do have to read from one device and type/tap into another, or read one off to another human.
  • Set your password system to bug you to update your passwords periodically.

https://pw.cliff1976.net is my gift to you for generating those.

OK, long form:

We noticed something weird on this old blog. Upon reviewing some older posts, we found links to unfamiliar businesses inserted into revisions of posts that were long done and published — like months and years later.

But those revisions were performed, according to WordPress, by Sarah. Sometimes on posts for which we know she had no editorial input.

Baroo? Who (or what) was impersonating her for the purpose of spreading their links around? We still don’t know, and probably won’t ever. Sarah changed her password on our blog some months ago and none of the link spam we could find was inserted after that point. So it seems likely we’ve plugged the leak.

Her WordPress password for our blog was of decent quality (a long enough nonsense word, mixing upper and lower-case letters), but it was of legal voting age. But I suspect the weakness here was that she was ALSO using that password somewhere else, long long ago, which somehow got hacked. Probably that username/password combo is in a list somewhere some hackers bought and sold to agents representing unscrupulous marketers.

WordPress’ post revision comparison thingie was really helpful in finding the inserted links. Compare the pink original text on the left with the green spammy text on the right. Click it to embiggen it.

comparison of pre-spam and post-spam versions of a post I originally wrote, and "Sarah" updated

Here’s how I searched in the database to find the link spam:

mysql> select p.ID, post_author, u.user_nicename, post_type, post_title,
    ->        post_date, post_modified,
    ->        timestampdiff(MINUTE, post_date, post_modified) tsdiff
    ->   from wp_posts p, wp_users u
    ->  where p.post_author = u.ID
    ->    and lower(post_content) like '%a%href="http_://%'
    ->  order by post_title, post_modified desc ;

Basically I’m looking for records in the wp_posts table (which includes revisions) that contain a hyperlink in the post content and have a big ol’ gap between the post’s date and the modification date. Bonus points if I can see from the post and its revisions that it wasn’t always the same author. I know there are more powerful searching methods (note the famous programmer’s adage about attacking a problem with regular expressions…and then having two problems), but this was good enough for now.

Click the above image to embiggen it. See how Lucía’s Paella was revised six million minutes after Sarah originally posted it (by the way, she’s got a much tastier paella recipe up on her recipe blog now)? That was a big red flag. But some late revisions were legit — we freshen up recipes or fix old broken links when we find them, etc. Another big red flag: “Sarah” updating a post about my facial hair, 1.8 million minutes later. Seems pretty unlikely!
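The same triage as an added example (not the query I actually ran): instead of a LIKE match it compares the link hosts in each revision against earlier revisions of the same post, and reports late additions with the gap and whether the revision author differs from the post author. It assumes rows exported from wp_posts under their column names, including post_parent, which ties a revision to its post; the helper names and sample rows are made up for illustration.

```python
import re
from datetime import datetime as dt, timedelta
from urllib.parse import urlparse

# Captures the URL of every <a ... href="http(s)://..."> in a post body.
HREF_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def link_hosts(html):
    """Hostnames of all absolute links in a post_content string."""
    hosts = (urlparse(url).hostname for url in HREF_RE.findall(html))
    return {h for h in hosts if h}

def late_link_additions(rows, min_gap=timedelta(days=90)):
    """Flag revisions adding a new link host long after post_date; author mismatches first."""
    findings = []
    for post in (r for r in rows if r["post_type"] == "post"):
        revs = sorted((r for r in rows if r["post_type"] == "revision"
                       and r["post_parent"] == post["ID"]),
                      key=lambda r: r["post_modified"])
        known = set()  # hosts already seen in earlier revisions of this post
        for rev in revs:
            added = link_hosts(rev["post_content"]) - known
            known |= added
            gap = rev["post_modified"] - post["post_date"]
            if added and gap >= min_gap:
                findings.append({
                    "post_id": post["ID"], "revision_id": rev["ID"],
                    "added_hosts": sorted(added),
                    "gap_minutes": int(gap.total_seconds() // 60),  # minutes, as in tsdiff
                    "author_differs": rev["post_author"] != post["post_author"],
                })
    return sorted(findings, key=lambda f: not f["author_differs"])

def _row(id_, parent, author, type_, date, modified, content):
    return dict(ID=id_, post_parent=parent, post_author=author, post_type=type_,
                post_date=date, post_modified=modified, post_content=content)

# Constructed sample rows (not real blog data); hosts use the reserved .example TLD.
OLD, SPAM = '<a href="http://recipes.example/p">x</a>', '<a href="https://rentals.example/">y</a>'
SAMPLE = [
    _row(10, 0, 1, "post", dt(2008, 3, 1), dt(2019, 6, 1), OLD + SPAM),
    _row(11, 10, 1, "revision", dt(2008, 3, 1), dt(2008, 3, 1), OLD),
    _row(12, 10, 2, "revision", dt(2019, 6, 1), dt(2019, 6, 1), OLD + SPAM),
    _row(20, 0, 1, "post", dt(2010, 1, 1), dt(2015, 1, 1), '<a href="https://new.example/">z</a>'),
    _row(21, 20, 1, "revision", dt(2010, 1, 1), dt(2010, 1, 1), '<a href="http://old.example/">z</a>'),
    _row(22, 20, 1, "revision", dt(2015, 1, 1), dt(2015, 1, 1), '<a href="https://new.example/">z</a>'),
]
if __name__ == "__main__":
    print(*late_link_additions(SAMPLE), sep="\n")
```

Revision 22 in the sample is the legit kind of late edit (same author swapping a dead link), so it is reported but sorted below the author mismatch.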

We cleaned up all the offending posts we could find. If you stumble upon an old post with a link that doesn’t work, or doesn’t seem like the kind of company we, as residents of Germany, would logically link to (like Australian car rentals or North American plumbers), please leave a comment and call our attention to it.

See also:

Correct Horse Battery Stable

Cutting Winter Short in Catalonia

Oops! This post has been lurking in our drafts for a couple months. Sorry about that!

We needed to get outta town for a change of scenery after getting most of the way through the winter. Plus, it was a chance to celebrate a milestone and a Hallmark Holiday.™ Barcelona was the right mix of travel effort, climate, and activity.


Basic Pizza Sauce

This came together as the amalgamation of at least 6 different pizza sauce recipes. Skip the pepper flakes if you prefer it mild. When cooking, I like to leave the sauce slightly thinner than optimal. We make pan pizza at home, so the thick crust needs a longer bake than the toppings. We bake the crust for 10 minutes with sauce only, then 10 more minutes with cheese and toppings. The first bake allows the sauce to evaporate extra liquid.

1 T butter
1 T olive oil
1 large clove garlic, minced
1 14.5 oz/400g can whole stewed tomatoes
1/2 t dried oregano
1 t dried basil
large pinch salt
large pinch sugar
1/2 t whole fennel seeds
large pinch dried red pepper flakes (optional)
1 small onion, peeled and halved

Heat a small saucepan to medium and add butter and oil, cooking until milk solids just start to brown. Add garlic and cook for 2 minutes or until very fragrant. Add tomatoes and juices to the pan. If you like your tomatoes chunky, add them to the pot whole and break them up with a spatula; for smoother sauce, run them through a food processor first. Stir in all of the rest of the ingredients plus a half-can of water, bring sauce to a simmer and cook on medium-low for one hour or until thickened, stirring occasionally. Remove onion, taste and adjust seasoning as necessary.

Warming up in Porto

After that stunning — but chilling — visit to Iceland the first week of November, we knew we’d need a little dose of sun and warmth before diving into the long, dark Upper Palatinate winter.  We came back for basically a weekend at home in Regensburg before turning around and departing for Porto. 


Visit to Iceland — Day 4

We did four full days in Iceland in November 2018. Here’re the write-ups for Day 1 and Days 2 and 3.

Day 4: South Shore

It felt significantly warmer on this, our last day of adventure in Iceland. Unfortunately, that meant also it rained cats and dogs. Really would have loved my rain pants here. It was too warm for the ski pants but not dry enough for just jeans.

Reynisdrangar rock formations and hexagonal basalt cliff walls


Pumpkin Risotto

Pumpkin is pretty naturally sweet, so don’t be bashful with the salt and cheese.

4-5 c/1-1.25 L vegetable broth
2 T olive oil
2 shallots, minced
3 cloves garlic, minced
500 g arborio or carnaroli rice
0.5 c/100 mL dry white wine
1 c/225 mL pumpkin purée
1 t dried thyme
1 t ground black pepper
salt to taste
2 T butter
1 c/225 g grated Parmesan, divided

Heat oil in large deep skillet to medium and bring broth to a low simmer. Sauté shallots and garlic until tender and fragrant. Add rice and stir until coated with oil and starting to smell toasty. Add wine and stir until mostly evaporated. Start adding broth by ladleful, stirring constantly. When the pan starts to look dry, add another ladle of broth. After adding about half of the broth, add the pumpkin, thyme and pepper. Taste and add salt, if needed. Keep adding broth until it’s gone. Once all broth is in, remove skillet from heat, stir in butter and half of cheese thoroughly, cover skillet and let stand for 5 minutes. Serve with cheese for sprinkling.