Archive for the ‘Announcements’ Category

The festering realities of Bluehost: In which I learn about “unifiedlayer.com”

Sometimes my outgoing email bounces for reasons I don’t understand from a variety of recipients. I usually try to contact the postmaster to find out why. This weekend, I actually got a response from one:

My apologies for the delay in replying. Your email went into the gmail spam folder and so was not forwarded out to where I could respond immediately.

Going directly to “spam”? That’s not good.

The postmaster continued:

The reason that your email is blocked is because it originated at unifiedlayer.com. Unifiedlayer is one of the worst spam originators. They host spammers and they really don’t care, so I don’t have much choice but to block many of their mail servers.

Finally, some concrete information. I searched for “unifiedlayer”, finding common searches like “is unifiedlayer unsafe” and “unifiedlayer spam”. Go ahead and do those searches yourself. You’ll find that overall trust in unifiedlayer-originated mail is somewhere up there with body cavity searches, STDs, and politicians.

So I did what pretty much anyone would: I called my service provider. Bluehost told me that unifiedlayer was an in-house product, that they were well aware of the spam problem, that they worked on it really really hard (that’s a paraphrase, not a quote), and like every other thing that Bluehost gets wrong (and gets wrong repeatedly), that if I were just willing to pay a tiny bit more per month (five bucks in this case), they’d allow my “ericasadun” domain email to go through a different originator.

I am so sick of Bluehost.

If you have any advice on how I can transfer my web site and my email away from this festering heap, please drop me an email (I’ll probably get yours even if you don’t get my reply) and help me find an alternate home. I’ve heard good things about Digital Ocean, for example, but I don’t even know where to start in terms of moving over ten years’ worth of email.

At least I’ve been through the process of reinstalling WordPress and have my backups.

Thanks in advance.

In which I get hacked, Part 6

Last weekend, Bluehost closed down my site. After spending significant time on the phone with support, I came to the conclusion that I needed to nuke the entire site down to the ground. The WordPress install was simply too corrupt to continue or repair.

Since my secure shell access was revoked at the time, I used their control panel to entirely remove my public_html folder. They ran a scan on my account, found no further malware, and allowed me back in.

To recover, I re-installed a fresh copy of WordPress using Bluehost’s control panel tools. I then used CyberDuck (for sftp) and secure shell to upload my WordPress database and image uploads. That’s the site you’re reading today.

I reverted my theme back a few years to a version I knew was safe. I use a customized version of the open source Frank theme. Rather than pull down a new copy, I wanted to keep my tweaks that supported the ads on the right side of the screen. They don’t produce much money but they help offset the hosting costs involved in running this blog.

I also installed the following plug-ins, some old, some new:

  • ActivityLog: “Get aware of any activities that are taking place on your dashboard! Imagine it like a black-box for your WordPress site. e.g. post was deleted, plugin was activated, user logged in or logged out – it’s all these for you to see.”
  • Really Simple SSL: “Lightweight plugin without any setup to make your site SSL proof”
  • WP fail2ban: “Write all login attempts to syslog”

And on a less security note:

  • oEmbed Gist: “Embed source from gist.github.”
  • WP to Twitter: “Posts a Tweet when you update your WordPress blog or post a link, using your URL shortener.”

Most importantly, I use Updraft Plus: “Backup and restore: take backups locally, or backup to Amazon S3, Dropbox, Google Drive, Rackspace, (S)FTP, WebDAV & email, on automatic schedules.” 

My daily database backups and my weekly upload backups (only for the current year, I already have backups for previous years) ensured I could get my site back up and running within hours of the most recent hack.

I still hate WordPress. I still wish I could run a static site and get comments and other great stuff in one convenient package. However, WordPress does the job I need it to do. It’s simple to write posts and interact with you.

My website is all about this connection. I don’t do any e-commerce. It’s basically a passion project rather than anything I do for business related reasons. I like having somewhere I can get thoughts out of my head and share them with other people. Beyond that, I don’t really have any important agendas and I don’t have the time in my life to perfect my security or delivery tools.

I want to thank everyone who sent me feedback of encouragement and support during my latest hack. I appreciate the comments and the suggestions. I now have a great list of static solutions (including github.io and DNS redirect) to fall back to if I must. Yes, I’m sticking with the crappiest solution right now. I’m doing so because it’s the path of least resistance and not because I don’t prefer your suggestions.

For those with more time and more investment, the popular consensus seems to be using Jekyll/github.io with Disqus comments. Other suggestions included Hugo (gohugo.io), GetGrav (getgrav.org, “No Ruby, supports comments, fun to play with”), Ghost (ghost.org), and AWS Lightsail.

I don’t know why anyone would want to hack my nothingburger of a site but I’m glad I have friends out there who helped when they did.

Swift Stories: Please share yours

I’m looking for people who have intentionally avoided transitioning to Swift or who get frustrated with Swift due to changes in the language or who have fought for Swift adoption at their place of work. If any of these scenarios apply to you, please send me an email at erica at ericasadun dot com.

Please let me know if I can use your name or not and what your personal story is in terms of Swift adoption (or lack thereof). It would really help if you let me know the big picture reasons motivating your choices.

Thank you in advance.

p.s. For those confused by this post, I’m doing a talk about Swift adoption and participating in the Swift Evolution process: “The future of Swift belongs to those who show up”.

Tap tap, hey is this thing on?

tl;dr: Erica’s site gets hacked repeatedly. Erica’s account is closed by Bluehost. Erica wails into the void. Played with DNS, with github.io, nuked wordpress install, re-installed wordpress, re-installed data, reinstalled plugins, scanned for malware, attempted to restore DNS, wailed into void, some semblance of site possibly restored. Maybe.

postscript: I’m posting this as a test to see if my site is back and alive. If so, please make sure to use https and not http to connect. Fingers crossed.

 

In which I get hacked: Part 5

Last week, it started again. Numerous people on Twitter from various sites around the world reported my site looked like this:

Nothing on my site itself indicated any changes but something was hacking my Bluehost-sourced content and replacing it with its own. I was unfamiliar (as with all things to do with web hosting) with how this was happening, and (spoilers) I never figured that out.

What I did discover, with the help of Jared Lander from Bluehost, was how to mitigate the problem. (Thanks Jared!) Forcing the site to exclusively use https links through a WordPress plug-in bypassed the whole “evil hackers will redirect my http content” thing. “All” it took was asking everyone to clear caches, restart web browser, or wait for the changes to propagate over time. It’s been 7 days and I have not had any reports of further issues.

The plug-in in question is Really Simple SSL, which automatically configures websites to use secure links: just get an SSL certificate, install the plugin, and activate it. It’s step 1 that’s a burden in many cases.

This cleared up the non-English main page advertising (for those who saw it) and apparently something that affected my RSS feed. I’m not entirely sure what that was, but there had been some stray BOM characters leaking into that which resolved once the SSL/https problem was addressed. Dave Jones wrote me that my feed, which hadn’t been validating, began working properly after the plug-in.

Much as I hope that my issues are over, I’m assured by a number of people contacting me that it’s not possible to run a secure website anymore without the help of professionals.

I’ll do the best I can. I’ll keep backing up my content. But that’s about all I can do.

Thank you again to everyone who reached out to me with support, feedback, and information.

In which I get hacked: Part 4

My site was broken into again last night and was down until this morning. What fun.

Welcome to another day of hackage fun.

This morning, the odd “consig.php” with its Base 64 contents and eval was back, along with an updated “.htaccess” file. I called up Bluehost support. They restored a safe version of “.htaccess” and suggested I talk with their “security people”. I said sure.

After a longish hold, they transferred me…to an entirely different company, who, starting at just $40 or so a month (and up), would provide me with a firewall. The sales pitch was strong, as was their disdain and pricing structure. I thanked them for their time and hung up.

It was time to call back Bluehost again and yell at them a little. This time, they offered to set up an SSL certificate for 90 days at a time.

This might be even more exciting if their own certificate didn’t seem to be wonky:

I also deinstalled and re-installed my plugins, and generally followed the advice passed to me this morning by Jan Östlund in his helpful tweet.

Frankly, it’s been a pretty dreadful day. Of course, the kind words of support from everyone have been a lovely counterpart to the misery of doing sys admin work. I’m surprised so many people have had to deal with this exact situation before. At least I’m not alone.

In which I get hacked: Part 3

This morning, Google issued me an alert that a lot of my pages were 404’ing:

How interesting. So I hopped into my webmaster console to see what was going on.

Lots of 404’s were firing, and the crawl errors were all tied to those image files uploaded to my system by the hack:

I decided it was time to restore the site from backup.

Thanks to UpdraftPlus, I moved the clock back to Mar 20th, and re-created my first two posts in the “In which I get hacked” series.

I also restored my previous authentication, which I quickly updated to a new password. Interestingly, the hack introduced a different login name to my system: “zerobyte”. I’m back to my original WordPress names now.

Stuff is still a little messed up on my end as I can no longer upload pictures. The upload process gets the data to the site but the media browser is borked. I have to enter <img src="" /> tags by hand, which is super annoying.

I have my plugins mostly disabled, and will attempt to re-install each of them as well.

Again, any advice and support is greatly welcome. I apologize for losing all my previous comments after restoring from backup. I will particularly miss this gem:

Bless him.

I’ll keep updating if I learn more.

In which I get hacked: Part 2 (restored after backup)

So I’m now working through Google’s Hacked Sites Troubleshooter: https://support.google.com/webmasters/troubleshooter/6155978.

I did not know about the site: search operator, so I followed their instructions, first looking using a site:ericasadun.com websearch, and then moving on to “fetch as google”:

Sure enough I found all those malicious sitemaps that were added this morning:

I returned to my search console and deleted them:

Damn right Skippy, I do. They’re gone now.

I then returned to the troubleshooting page and requested re-indexing. It still shows one of the sitemaps that doesn’t exist anymore (and yes I checked).

I’ll check back in tomorrow and see if the hacked sitemap is gone. I also requested the “reconsideration request” from https://www.google.com/webmasters/tools/manual-action

Yeeps.

In which I get hacked: Part 1 (restored after backup)

Note: This post has been recreated after restoring my site from backup.

This morning, I woke up to a message from Google. Normally I’m very hesitant to open or click these. So I checked the full message headers (View > Message > All Headers), copy pasted the URL it was asking me to click into TextEdit, and looked at it letter by letter. It appeared legit. Someone had added themselves as a new owner for my website:

I went ahead and manually visited https://www.google.com/webmasters/tools/user-admin, selected my account, and sure enough there was a new “owner” listed as of today. To unverify the hacker, I had to go to my website and remove the Google-specific verification file from my system:

I did that. They could just have as easily unverified me the same way.

I should point out that I not only use four-word passwords but each four-word password has additional strings of numbers and symbols following or interspersed within it. I’m not sure how my security was compromised but it was. I have of course updated my password for the site.

Next, I tried to get in to start finding files modified within the timeframe of the hack. And then, I immediately discovered that Apple has removed telnet from macOS 10.13. (update: turns out I was thinking of the wrong tool. I needed ssh, which I later used to go in to a command line.) So I went in instead using CyberDuck, an ftp client. It wasn’t nearly as easy to track through many hundreds (thousands?) of files as it would have been at the command line but I think I got ?most? of the problem fixed.

What I found was an incomprehensible “consig.php” file, about 500 image files — each one about 4-8 bytes in size, and masses of items added to sitemap files.
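A triage pass over a web root for the indicators listed above (a PHP file combining eval with Base64 decoding, image files only a few bytes long, files changed inside the incident window, and Google verification files), as an added example that is not part of the original post. The function names, size threshold, assumed `google<hex>.html` naming pattern, and sample tree are all constructed for illustration, and every hit is a lead for manual review rather than a verdict.

```python
import os, re, tempfile, time
from pathlib import Path

EVAL_B64 = re.compile(rb"eval\s*\(.{0,200}?base64_decode", re.I | re.S)  # heuristic only
GOOGLE_VERIFY = re.compile(r"^google[0-9a-f]+\.html$")  # assumed verification-file naming
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def triage(root, since_epoch, tiny_max=16):
    """Walk a web root and group suspicious files by indicator (relative paths)."""
    root = Path(root)
    hits = {"php_eval_base64": [], "tiny_images": [], "recent": [], "google_verification": []}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        st, ext = path.stat(), path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext == ".php":
            with path.open("rb") as fh:           # read at most 1 MiB per file
                if EVAL_B64.search(fh.read(1 << 20)):
                    hits["php_eval_base64"].append(rel)
        if ext in IMAGE_EXT and st.st_size <= tiny_max:
            hits["tiny_images"].append(rel)        # too small to be a real image
        if st.st_mtime >= since_epoch:
            hits["recent"].append(rel)             # changed inside the incident window
        if GOOGLE_VERIFY.match(path.name):
            hits["google_verification"].append(rel)  # confirm each token is yours
    return {k: sorted(v) for k, v in hits.items()}

def demo():
    """Run triage over a constructed sample tree (not data from the post)."""
    now = time.time(); old = now - 30 * 86400
    sample = {  # relative path -> (content, mtime); all values constructed
        "index.php": (b"<?php echo 'hello'; ?>", old),
        "consig.php": (b"<?php eval(base64_decode($p)); ?>", now),
        "sitemap.xml": (b"<urlset></urlset>", now),
        "googleabcdef0123456789.html": (b"google-site-verification", old),
        "wp-content/uploads/a1.jpg": (b"\x00" * 6, now),
        "wp-content/uploads/photo.jpg": (b"\xff" * 2048, old),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (data, mtime) in sample.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.utime(p, (mtime, mtime))
        return triage(tmp, since_epoch=now - 86400)

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the files, so the "recent" list narrows the search but does not bound it; compare against a known-good backup where one exists.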

If you’ve had experience with this kind of hack, I would greatly appreciate any additional advice you have. Thanks in advance.

Here’s Google’s help page about when you don’t recognize a new owner: https://support.google.com/webmasters/answer/7281924

Swift Evolution and Civility

Congratulations to Chris Eidhof for all his work shepherding SE-0199 through Swift Evolution. The proposal adds a mutating toggle function for Boolean values to reduce in-code redundancy and enhance readability.

I’m concerned by some un-collegial reactions to its acceptance, which seem to boil down to “this is too trivial a change to the language” stated through sarcasm and ad-hominem attacks: on Twitter, on the evolution forums, and even a mean-spirited GitHub repository.

If you are passionate about Swift, I urge you to actively participate in the public review and comment process on forums.swift.org. This proposal passed with overwhelming support and the core team has encouraged similar proposals to fill gaps in the standard library.