Again with the passwords

TLDR:

  • Don’t re-use passwords, ever.
  • Make the passwords you use cryptographically strong — adequate length, no stock phrases, and a mix of cases, numbers, and symbols can’t hurt. Lots of sites are dumb about these rules.
  • Use a system that works for you to generate and store them: Password Safe, KeePass, 1Password, LastPass, whatever. Google them.
  • Retire old passwords, and replace them with completely unrelated new, better ones.

Bonus Points:

  • Use a password system that replicates across all your devices (lappy, tablet, desktop, phone).
  • Save yourself some headache by generating human-readable (but still of acceptable complexity) passwords for when you do have to read from one device and type/tap into another, or read one off to another human.
  • Set your password system to bug you to update your passwords periodically.

https://pw.cliff1976.net is my gift to you for generating those.

OK, long form:

We noticed something weird on this old blog. Upon reviewing some older posts, we found links to unfamiliar businesses inserted into revisions of posts that were long done and published — like months and years later.

But those revisions were performed, according to WordPress, by Sarah. Sometimes on posts for which we know she had no editorial input.

Baroo? Who (or what) was impersonating her for the purpose of spreading their links around? We still don’t know, and probably won’t ever. Sarah changed her password on our blog some months ago and none of the link spam we could find was inserted after that point. So it seems likely we’ve plugged the leak.

Her WordPress password for our blog was of decent quality (a long enough nonsense word, mixing upper and lower-case letters), but it was of legal voting age. But I suspect the weakness here was that she was ALSO using that password somewhere else, long long ago, which somehow got hacked. Probably that username/password combo is in a list somewhere some hackers bought and sold to agents representing unscrupulous marketers.

WordPress’ post revision comparison thingie was really helpful in finding the inserted links. Compare the pink original text on the left with the green spammy text on the right. Click it to embiggen it.

[Image: comparison of pre-spam and post-spam versions of a post I originally wrote, and "Sarah" updated]

Here’s how I searched in the database to find the link spam:

mysql> select p.ID, post_author, u.user_nicename, post_type, post_title,
    ->        post_date, post_modified,
    ->        timestampdiff(MINUTE, post_date, post_modified) tsdiff
    ->   from wp_posts p, wp_users u
    ->  where p.post_author = u.ID
    ->    and lower(post_content) like '%a%href="http_://%'
    ->  order by post_title, post_modified desc;

Basically I’m looking for records in the wp_posts table (which includes revisions) that contain a hyperlink in the URL and have a big ol’ gap between the post’s date and the modification date. Bonus points if I can see from the post and its revisions that it wasn’t always the same author. I know there are more powerful searching methods (note the famous programmer’s adage about attacking a problem with regular expressions…and then having two problems), but this was good enough for now.

Click the above image to embiggen it. See how Lucía’s Paella was revised six million minutes after Sarah originally posted it (by the way, she’s got a much tastier paella recipe up on her recipe blog now)? That was a big red flag. But some late revisions were legit — we freshen up recipes or fix old broken links when we find them, etc. Another big red flag: “Sarah” updating a post about my facial hair, 1.8 million minutes later. Seems pretty unlikely!
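An added example (not part of the original post, and not the author's code): the same hunt taken one step further, comparing each stored revision with the one before it and reporting revisions that add a link to a new host long after the post date. It assumes the standard wp_posts layout in which revisions are rows with post_type = 'revision' that point at the original via post_parent; the sample rows, the 180-day threshold and the function names are constructed for illustration.

```python
import re
import sqlite3
from datetime import datetime
from urllib.parse import urlparse

HREF = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\'](https?://[^"\']+)', re.I)

def link_hosts(html):
    """Hostnames of the absolute http(s) links in a post body."""
    return {h for u in HREF.findall(html) if (h := urlparse(u).hostname)}

def late_link_revisions(db, min_gap_days=180):
    """Revisions that add a new link host min_gap_days or more after post_date."""
    findings = []
    posts = db.execute("SELECT ID, post_author, post_date, post_title FROM wp_posts "
                       "WHERE post_type = 'post' ORDER BY ID").fetchall()
    for post_id, author, post_date, title in posts:
        published, seen = datetime.fromisoformat(post_date), None
        revs = db.execute("SELECT post_author, post_modified, post_content "
                          "FROM wp_posts WHERE post_type = 'revision' "
                          "AND post_parent = ? ORDER BY post_modified, ID", (post_id,))
        for rev_author, modified, content in revs:
            hosts = link_hosts(content)
            # The earliest stored revision is the baseline and adds nothing.
            added = set() if seen is None else hosts - seen
            seen = hosts
            gap = (datetime.fromisoformat(modified) - published).days
            if added and gap >= min_gap_days:
                findings.append((title, gap, sorted(added), rev_author != author))
    return findings

def sample_db():
    """Constructed rows (assumption: only the wp_posts columns used above)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID, post_author, post_date, post_modified, "
               "post_title, post_type, post_parent, post_content)")
    def rev(id_, author, when, parent, *hosts):
        body = "".join('<a href="https://%s/">x</a>' % h for h in hosts)
        return (id_, author, when, when, "", "revision", parent, body)
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?,?,?,?)", [
        (1, 2, "2018-01-01 10:00:00", "2019-01-01 10:00:00", "Paella", "post", 0, ""),
        rev(10, 2, "2018-01-01 10:00:00", 1, "recipes.example"),
        rev(11, 2, "2018-01-03 10:00:00", 1, "recipes.example", "market.example"),
        rev(12, 2, "2019-01-01 10:00:00", 1, "recipes.example", "market.example", "carhire.example"),
        (2, 1, "2017-01-01 09:00:00", "2019-01-01 09:00:00", "Beard", "post", 0, ""),
        rev(20, 1, "2017-01-01 09:00:00", 2),
        rev(21, 2, "2019-01-01 09:00:00", 2, "plumber.example"),
    ])
    return db
```

Each finding is (title, days since post_date, hosts added, whether the revision author differs from the post author). They are leads to check in the revision comparison view, since a late edit that fixes a broken link looks the same to this check.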

We cleaned up all the offending posts we could find. If you stumble upon an old post with a link that doesn’t work, or doesn’t seem like the kind of company we, as residents of Germany, would logically link to (like Australian car rentals or North American plumbers), please leave a comment and call our attention to it.

See also:

Correct Horse Battery Stable

Cutting Winter Short in Catalonia

Oops! This post has been lurking in our drafts for a couple months. Sorry about that!

We needed to get outta town for a change of scenery after getting most of the way through the winter. Plus, it was a chance to celebrate a milestone and a Hallmark Holiday.™ Barcelona was the right mix of travel effort, climate, and activity.

Warming up in Porto

After that stunning — but chilling — visit to Iceland the first week of November, we knew we’d need a little dose of sun and warmth before diving into the long, dark Upper Palatinate winter.  We came back for basically a weekend at home in Regensburg before turning around and departing for Porto. 

Visit to Iceland — Day 4

We did four full days in Iceland in November 2018. Here’re the write-ups for Day 1 and Days 2 and 3.

Day 4: South Shore

It felt significantly warmer on this, our last day of adventure in Iceland. Unfortunately, that meant also it rained cats and dogs. Really would have loved my rain pants here. It was too warm for the ski pants but not dry enough for just jeans.

Reynisdrangar rock formations and hexagonal basalt cliff walls

Visit to Iceland — Day 1

We met my parents, sister and brother-in-law halfway: in Iceland. We finally managed to get the six of us together on vacation in the same place, scratch off another country on our list (and crack into Scandinavia along with it), and see some really cool (and cold) stuff.

We opted for a travel company’s package instead of doing all these things ourselves:

  • accommodations and breakfast
  • car rental and driving
  • admissions, scheduling
  • POI-selection based on weather, etc.

We had a limited amount of time and the travel agency packed in quite a lot to see for the time available. I don’t think we could have done that better than they did. But that also meant a lot of time spent on the bus. Was it worth it?

Pasteis de Nata

While in Porto on vacation this month, we took a class on baking Pasteis de Nata, a custard tart we fell in love with in Lisbon a few years ago. This recipe is originally from our course instructor as part of the class, with our own notes and adaptations added.

Equipment

  • stand mixer with kneading hook, or a hand mixer with beaters (be prepared to knead by hand in that case)
  • rolling pin you can use to whomp on the butter through the dough
  • 2 sauce pans
  • whisk

Dough Ingredients

Makes a double batch of puff pastry, about 20-24 cupcake-sized pasteis shells in total.

  • 500 g flour
  • 250 ml water
  • 250 g unsalted butter, chilled
  • salt

Notes on Dough Ingredients

  • In the class we actually used margarine. Our instructor, Joana, explained that it works better than butter under less-than-optimal conditions, like at normal room temperature, or when you’re not rolling the dough out on a marble countertop. I’m thinking about making this dough outside on the patio next time.
  • Joana didn’t specify the amount of salt. Our first batch at home was with a half-teaspoon, and it didn’t seem like enough.

Dough Instructions

  1. Combine flour, water, and salt in a stand mixer with a kneading attachment and knead for 4-5 minutes. Alternatively, combine and then knead by hand for 10 minutes. You want a soft, not-very-sticky dough, that springs back at you when you poke it. Let it rest for at least 5 minutes after kneading.
  2. Roll out the dough on a large floured surface in as cool a place as possible. We opened our doors and windows (in November!) to drop the room temperature down to about 15,5 °C and that seemed to help. You want a rectangular shape, about 45 cm in the long dimension, with the dough a half-centimeter thick. Put the block of chilled butter (perhaps cut it into two skinny squares) in the middle of your rolled-out dough and fold the edges of the dough over it, like you’re wrapping up a present (and you are — the butter is the present to yourself).
  3. Beat the heck out of that butter-wrapped-in-dough package with your rolling pin. You want to flatten the butter inside its doughy sleeping bag. Try to maintain the rectangle shape; rotate the dough 90° every few whomps with the rolling pin. Sprinkle flour to cover up any spots where the butter might be leaching through. If the butter has warmed up during this process, stop and refrigerate your dough and don’t proceed until the butter is cold again.
  4. Fold it again, this time in thirds, like you’re mailing a letter of confession to your cardiologist. Let it rest for at least 10 minutes. Roll it out again to the rectangular shape. Do this at least two more times. On the last roll-out, sprinkle a little water onto the surface of the dough and then smooth it around with your hands.
  5. Starting on the long side of your rectangle, roll up the dough like it’s a treasure map (it is) you’re going to stuff into a bottle and set adrift on the open sea. Stop rolling when you get about half way and cut the roll away from the remaining flat dough. Put that roll aside in your freezer for another batch of natas. Roll up the remaining half of the dough in the same way.
  6. Cut the dough roll into about 1-inch segments. Each segment will become one pastel. Take a segment of the roll, rotate it onto its side (so that the layers inside the roll are visible to you), and with wet thumbs and fingers, squish the segment into the cupcake pan, drawing the dough up the sides of the cupcake mold from the center of the segment with your thumbs. It’s OK to have thinner pastry coverage at the bottom; you want it to be thicker around the edge at the top.

Custard Ingredients

  • 200 g sugar
  • 175 ml water
  • 1 lemon peel
  • 1 cinnamon stick
  • 17-20 g corn starch (more starch = stiffer custard)
  • 25 g flour
  • 250 ml milk
  • 5 egg yolks, lightly beaten

Instructions

  1. In a small saucepan, combine sugar, water, lemon zest and cinnamon stick. Let it come to a boil at medium heat. You don’t have to stir (much). Just let it come to a healthy boil.
  2. When it starts boiling, count 1 minute and remove from heat. Set it aside.
  3. In another pan, first combine flour and corn starch and then add the milk. Whisk it before putting it onto the stove. Cook the milk, flour and starch on low heat, always whisking.
  4. When the texture thickens, take it off the stove. Remove the lemon peel and cinnamon stick from the infused syrup you made and discard them. Gently, add the syrup to the milk, whisking it until it’s fully combined. Let it rest a little while before adding the egg yolks, tempering first.
  5. Whisk everything together, pass it through a strainer (if you didn’t temper the eggs effectively and have scrambled bits) and pour it into the dough cups, about 3/4 of the way full.

Baking Instructions

You want it as hot as your (home) oven can go. We get ours up to over 250 °C. Make sure it has plenty of time to preheat — at least 30 minutes. We turned the convection fan on for the bake. Ours were done after about 12 minutes of bake time. Don’t touch them while they’re baking, and try to let them cool a little before you put them in your mouth. They should pop out of your cupcake pan quite easily (thank you butter!) once they’ve cooled a bit. You can sprinkle them with sugar, cinnamon, both, or nothing.