Category Archives: Technology Tips

Major Website Security Flaw Makes One-Third of Websites Vulnerable

Experts have reported a major flaw in the security software used by millions of Web sites, including those of banks, credit card companies, e-mail and social media services. The flaw, dubbed “Heartbleed,” makes possible the exposure of users’ names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness.

It’s as if your front door wasn’t locked. Someone could get in as long as it’s not fixed. We should be clear that this does not mean that anyone has already gained entry or that any of your information has necessarily been stolen. What it does mean is that your information and sites are vulnerable to access, theft and disruption until such time as a fix is applied.

What can you do about it?

The problem is related to software installed on servers. Fixes are available and being implemented by most web service providers. We here at DataPlex are providing advisory services, helping other companies to secure their websites as quickly as possible. Let us know if we can help you.

Once a website has been fixed, it may still be necessary to replace security certificates used for secured communications and change user passwords. We will recommend the extent these steps are necessary after the fix has been applied and we have been able to examine the servers in question.

We hope every server on the Internet gets patched, but, alas, that is not typical. Some servers will remain vulnerable, and the only way to tell is to run a test, such as the test available at filippo.io/Heartbleed/. Go to that site and type in the URL of the website you intend to visit, e.g. www.google.com (Google is safe; this is just an example). You should be concerned only about websites using https, also known as SSL and TLS, or that are simply known as “secured websites.”

Our best, and we wish you a safe and productive web presence.

What to do about Bots that kill AWS Micro Instances running WordPress

For one of our customers, we leveraged WordPress and its powerful capabilities to create a rather large website consisting of hundreds of pages. Because the expected traffic was to be low, we installed their site on an economical AWS Micro Instance, which performed well. In the middle of last night, however, the instance’s CPU utilization hit 100% for nearly one hour. Anyone else accessing the site during this period would have had a sluggish, if not unresponsive, experience.

AWS Micro Instances are great for testing and deploying simple websites that, by their design and market, won’t be required to work very hard. That said, websites are at the mercy of whoever accesses them from the rest of the Internet. Too many accesses in too short a period can overrun the resource allotment of a Micro Instance.

In our investigation, we discovered that a bot called Aboundexbot was the culprit. Aboundexbot wanted to crawl the entire site, and quickly at that, which threw CPU utilization to 100% because AWS Micro Instances, as their name implies, are limited to a certain amount of CPU activity per unit of time. Unfortunately, Aboundexbot did not throttle its access as other, better-behaved bots do, and it apparently has no built-in mechanism (such as a timeout) to detect when it may be overtaxing a site.
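How such a crawler shows up in the web server’s access log, as an added example that is not from the original post: a PHP command-line script that tallies requests per user agent per minute from Apache combined-format log lines and reports any agent whose busiest minute exceeds a limit. The log lines, IP addresses, timestamps and the Aboundexbot user-agent string are constructed for the demonstration, and the limit of 5 hits per minute is an arbitrary choice.

```php
<?php
// Added example, not code from the DataPlex post: find user agents that fetch
// many pages in a burst by bucketing Apache "combined" log lines per minute.
// Everything in sample_log() is constructed for the demonstration.

declare(strict_types=1);

function sample_log(): string
{
    return <<<'LOG'
203.0.113.7 - - [12/Mar/2012:02:14:01 -0800] "GET /page-001/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
203.0.113.7 - - [12/Mar/2012:02:14:01 -0800] "GET /page-002/ HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
203.0.113.7 - - [12/Mar/2012:02:14:02 -0800] "GET /page-003/ HTTP/1.1" 200 5011 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
203.0.113.7 - - [12/Mar/2012:02:14:02 -0800] "GET /page-004/ HTTP/1.1" 200 5102 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
203.0.113.7 - - [12/Mar/2012:02:14:03 -0800] "GET /page-005/ HTTP/1.1" 200 4877 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
203.0.113.7 - - [12/Mar/2012:02:14:03 -0800] "GET /page-006/ HTTP/1.1" 200 5230 "-" "Mozilla/5.0 (compatible; Aboundexbot; constructed sample)"
198.51.100.9 - - [12/Mar/2012:02:14:10 -0800] "GET /about/ HTTP/1.1" 200 6100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [12/Mar/2012:02:19:41 -0800] "GET /contact/ HTTP/1.1" 200 5900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [12/Mar/2012:02:15:22 -0800] "GET / HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11"
LOG;
}

/** Parse one combined-format line into [minute, user_agent]; null if it does not match. */
function parse_combined_line(string $line): ?array
{
    $re = '/^\S+ \S+ \S+ \[(?<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?<ua>[^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // "12/Mar/2012:02:14:03 -0800" -> "12/Mar/2012:02:14" (drop seconds and time zone)
    $minute = substr($m['ts'], 0, 17);
    return [$minute, $m['ua']];
}

/**
 * Return the user agents whose busiest minute exceeds $perMinuteLimit, keyed by
 * agent string, with the peak minute, the hits in that minute and the total hits.
 */
function find_aggressive_agents(string $log, int $perMinuteLimit): array
{
    $buckets = []; // user agent => minute => hits
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $parsed = parse_combined_line($line);
        if ($parsed === null) {
            continue; // skip malformed lines instead of aborting the whole report
        }
        [$minute, $ua] = $parsed;
        $buckets[$ua][$minute] = ($buckets[$ua][$minute] ?? 0) + 1;
    }

    $flagged = [];
    foreach ($buckets as $ua => $perMinute) {
        $peak = max($perMinute);
        if ($peak > $perMinuteLimit) {
            $flagged[$ua] = [
                'peak_minute' => array_search($peak, $perMinute, true),
                'peak_hits'   => $peak,
                'total_hits'  => array_sum($perMinute),
            ];
        }
    }
    return $flagged;
}

// Usage: php bot-report.php /var/log/apache2/access.log   (no argument: the sample above)
$log = isset($argv[1]) ? file_get_contents($argv[1]) : sample_log();
$flagged = find_aggressive_agents($log, 5);
if ($flagged === []) {
    echo "No user agent exceeded the per-minute limit.\n";
}
foreach ($flagged as $ua => $info) {
    printf("%s\n  peak %d hits in minute %s, %d hits total\n",
        $ua, $info['peak_hits'], $info['peak_minute'], $info['total_hits']);
}
```

On the sample input only the Aboundexbot agent is reported (six hits in the minute 02:14); Googlebot spreads its two requests over different minutes and is left alone, which is the throttling behaviour the paragraph contrasts it with. A per-IP tally alongside the per-agent one is a worthwhile addition, since a crawler can present any user-agent string it likes.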

In any case, we decided that we just didn’t want Aboundexbot, and perhaps some other badly behaved bots, to visit our customer’s site, so as to keep the site performing well. Our thought was to add a corresponding “disallow” entry to the “robots.txt” file. However, whereas this is a simple task for a regular website, it is more challenging for a WordPress-based site if WordPress has been installed in the domain root. In that case, all accesses to files in the site’s root go through WordPress’s dynamic page generation, including access to the theoretical “robots.txt” file.

In the WordPress wp-includes/ folder there is a file called functions.php, which contains a function called do_robots() that dynamically creates a “robots.txt” file on demand. But it is not very sophisticated, allowing for just two types of output depending on the Site Visibility setting under WordPress’s Dashboard > Settings > Privacy page.

We could have added a plug-in that provided finer robots.txt control, and we still might do that, but to get a solution in place quickly, we decided to simply enhance the do_robots() function as follows (our code addition is the two lines that read the wp-content/robots.txt file):

function do_robots() {
  header( 'Content-Type: text/plain; charset=utf-8' );

  do_action( 'do_robotstxt' );

  $output = "User-agent: *\n";
  $public = get_option( 'blog_public' );
  if ( '0' == $public ) {
    // Site Visibility is set to block search engines: disallow everything.
    $output .= "Disallow: /\n";
  } else {
    $site_url = parse_url( site_url() );
    $path = ( !empty( $site_url['path'] ) ) ? $site_url['path'] : '';
    $output .= "Disallow: $path/wp-admin/\n";
    $output .= "Disallow: $path/wp-includes/\n";
    // DataPlex addition: append the site's own rules from wp-content/robots.txt when that file exists
    // (the is_readable() check avoids a PHP warning, which would otherwise end up inside the robots.txt output).
    $fbotmore = is_readable( WP_CONTENT_DIR . '/robots.txt' ) ? file_get_contents( WP_CONTENT_DIR . '/robots.txt' ) : false;
    if ( $fbotmore !== false ) $output .= $fbotmore;
  }

  echo apply_filters( 'robots_txt', $output, $public );
}

We are currently on WordPress version 3.3.1. Because different versions of WordPress may have different code for this function, use your programming know-how to add the above two lines (the ones that read wp-content/robots.txt) to the function in the most appropriate way. Note that this is not a permanent change, as any significant WordPress upgrade will overwrite the functions.php file and with it this change.

We then located a list of other badly behaved bots and installed our combined list in the wp-content/robots.txt file, which is now included whenever our domain.com/robots.txt file is accessed.

For your reference, here is what we came up with for the contents of our robots.txt file. Note that WordPress has a few entries of its own that are placed in advance of this content.

User-agent: Aboundexbot
Disallow: /
User-agent: NPBot
Disallow: /
User-agent: TurnitinBot
Disallow: /
User-agent: EmailCollector
Disallow: /
User-agent: EmailWolf
Disallow: /
User-agent: CopyRightCheck
Disallow: /
User-agent: Black Hole
Disallow: /
User-agent: Titan
Disallow: /
User-agent: NetMechanic
Disallow: /
User-agent: CherryPicker
Disallow: /
User-agent: EmailSiphon
Disallow: /
User-agent: WebBandit
Disallow: /
User-agent: Crescent
Disallow: /
User-agent: NICErsPRO
Disallow: /
User-agent: SiteSnagger
Disallow: /
User-agent: ProWebWalker
Disallow: /
User-agent: CheeseBot
Disallow: /
User-agent: ia_archiver
Disallow: /
User-agent: ia_archiver/1.6
Disallow: /
User-agent: Teleport
Disallow: /
User-agent: TeleportPro
Disallow: /
User-agent: Wget
Disallow: /
User-agent: MIIxpc
Disallow: /
User-agent: Telesoft
Disallow: /
User-agent: Website Quester
Disallow: /
User-agent: WebZip
Disallow: /
User-agent: moget/2.1
Disallow: /
User-agent: WebZip/4.0
Disallow: /
User-agent: Mister PiX
Disallow: /
User-agent: WebStripper
Disallow: /
User-agent: WebSauger
Disallow: /
User-agent: WebCopier
Disallow: /
User-agent: NetAnts
Disallow: /
User-agent: WebAuto
Disallow: /
User-agent: TheNomad
Disallow: /
User-agent: WWW-Collector-E
Disallow: /
User-agent: RMA
Disallow: /
User-agent: libWeb/clsHTTP
Disallow: /
User-agent: asterias
Disallow: /
User-agent: httplib
Disallow: /
User-agent: turingos
Disallow: /
User-agent: spanner
Disallow: /
User-agent: InfoNaviRobot
Disallow: /
User-agent: Harvest/1.5
Disallow: /
User-agent: Bullseye/1.0
Disallow: /
User-agent: Mozilla/4.0 (compatible; BullsEye; Windows 95)
Disallow: /
User-agent: Crescent Internet ToolPak HTTP OLE Control v.1.0
Disallow: /
User-agent: CherryPickerSE/1.0
Disallow: /
User-agent: CherryPickerElite/1.0
Disallow: /
User-agent: WebBandit/3.50
Disallow: /
User-agent: DittoSpyder
Disallow: /
User-agent: SpankBot
Disallow: /
User-agent: BotALot
Disallow: /
User-agent: lwp-trivial/1.34
Disallow: /
User-agent: lwp-trivial
Disallow: /
User-agent: Wget/1.6
Disallow: /
User-agent: BunnySlippers
Disallow: /
User-agent: URLy Warning
Disallow: /
User-agent: Wget/1.5.3
Disallow: /
User-agent: LinkWalker
Disallow: /
User-agent: cosmos
Disallow: /
User-agent: moget
Disallow: /
User-agent: hloader
Disallow: /
User-agent: humanlinks
Disallow: /
User-agent: LinkextractorPro
Disallow: /
User-agent: Offline Explorer
Disallow: /
User-agent: Mata Hari
Disallow: /
User-agent: LexiBot
Disallow: /
User-agent: Web Image Collector
Disallow: /
User-agent: The Intraformant
Disallow: /
User-agent: True_Robot/1.0
Disallow: /
User-agent: True_Robot
Disallow: /
User-agent: BlowFish/1.0
Disallow: /
User-agent: JennyBot
Disallow: /
User-agent: MIIxpc/4.2
Disallow: /
User-agent: BuiltBotTough
Disallow: /
User-agent: ProPowerBot/2.14
Disallow: /
User-agent: BackDoorBot/1.0
Disallow: /
User-agent: toCrawl/UrlDispatcher
Disallow: /
User-agent: WebEnhancer
Disallow: /
User-agent: TightTwatBot
Disallow: /
User-agent: suzuran
Disallow: /
User-agent: VCI WebViewer VCI WebViewer Win32
Disallow: /
User-agent: VCI
Disallow: /
User-agent: Szukacz/1.4
Disallow: /
User-agent: QueryN Metasearch
Disallow: /
User-agent: Openfind data gathere
Disallow: /
User-agent: Openfind
Disallow: /
User-agent: Xenu's Link Sleuth 1.1c
Disallow: /
User-agent: Xenu's
Disallow: /
User-agent: Zeus
Disallow: /
User-agent: RepoMonkey Bait & Tackle/v1.01
Disallow: /
User-agent: RepoMonkey
Disallow: /
User-agent: Zeus 32297 Webster Pro V2.9 Win32
Disallow: /
User-agent: Webster Pro
Disallow: /
User-agent: EroCrawler
Disallow: /
User-agent: LinkScan/8.1a Unix
Disallow: /
User-agent: Kenjin Spider
Disallow: /
User-agent: Keyword Density/0.9
Disallow: /
User-agent: Cegbfeieh
Disallow: /
User-agent: SurveyBot
Disallow: /
User-agent: duggmirror
Disallow: /

To test your change to do_robots(), just access your domain.com/robots.txt file from your favorite browser. Did it work? Let us know.

Hopefully, this change will keep the Micro Instance from being overtaxed by zealous bots. If you get a bot that simply ignores the robots.txt file, you may have to resort to adding a “deny from” entry in your server configuration, but in our experience we haven’t seen many of those.
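A way to get the same result without editing wp-includes/functions.php, added here as an example rather than taken from the post: a must-use plugin that hooks the ‘robots_txt’ filter which do_robots() already applies, and that also answers 403 to a short list of agents that ignore robots.txt, the application-level counterpart of the “deny from” server entry. The file location, the function names and the blocked-agent list are assumptions made for the example (the three names in it are taken from the list above).

```php
<?php
/**
 * Plugin Name: Extra robots.txt rules and bot blocking (added example)
 *
 * Added example, not code from the DataPlex post or from WordPress itself.
 * Save as wp-content/mu-plugins/dp-example-bots.php (create the folder if it
 * is absent). Must-use plugins load automatically and survive core upgrades,
 * unlike an edit to wp-includes/functions.php. The 'robots_txt' filter is the
 * one do_robots() applies to its output; the 'init' hook runs before any page
 * is built. The $blocked list is an example and should be tuned per site.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // loaded outside WordPress
}

/** Append the rules from wp-content/robots.txt when that file exists and is readable. */
function dp_example_extra_robots_rules( $output, $public ) {
    if ( '0' === (string) $public ) {
        return $output; // site is set to private: WordPress already emitted "Disallow: /"
    }
    $extra = WP_CONTENT_DIR . '/robots.txt';
    if ( is_readable( $extra ) ) {
        $rules = file_get_contents( $extra );
        if ( $rules !== false ) {
            $output .= "\n" . rtrim( $rules ) . "\n"; // blank line separates the new User-agent groups
        }
    }
    return $output;
}
add_filter( 'robots_txt', 'dp_example_extra_robots_rules', 10, 2 );

/**
 * Decide whether a User-Agent header belongs to a crawler we refuse to serve.
 * A case-insensitive substring test against a short list, which is also what
 * a "deny from" entry keyed on the user agent does at the Apache level.
 */
function dp_example_is_blocked_agent( $user_agent, array $blocked ) {
    $ua = strtolower( (string) $user_agent );
    foreach ( $blocked as $name ) {
        if ( $name !== '' && strpos( $ua, strtolower( $name ) ) !== false ) {
            return true;
        }
    }
    return false;
}

/** Answer 403 early, before WordPress queries and renders a page, for agents that ignore robots.txt. */
function dp_example_block_bad_bots() {
    $blocked = array( 'Aboundexbot', 'EmailSiphon', 'WebZip' ); // example list; extend as needed
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    if ( dp_example_is_blocked_agent( $ua, $blocked ) ) {
        status_header( 403 );
        nocache_headers();
        header( 'Content-Type: text/plain; charset=utf-8' );
        echo "Forbidden\n";
        exit;
    }
}
add_action( 'init', 'dp_example_block_bad_bots' );
```

Use this instead of, not in addition to, the core edit shown earlier; otherwise the extra rules are appended twice. A 403 sent from PHP still costs a WordPress bootstrap per request, so for a crawler that is actively overloading a Micro Instance an Apache-level deny remains the cheaper answer; the plugin is the upgrade-proof way to keep the robots.txt rules.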

Death To The QR Code?

Recently, a business journalist posted an article suggesting that the use of QR codes should be dropped. He says in part “Mobile barcodes can be confusing and can waste time. And as mobile technology progresses, they probably aren’t even necessary.”

We disagree.

This is one of those “insights” where the author doesn’t make his case. On one hand he presumes that technology will remain static and that the barriers to QR Code scanning — locating the right scanning app, waiting for the camera to focus, etc. — won’t improve and therefore users will be turned off. On the other hand, “near field communications” may arise in the next generation of smartphones to render QR code scanning obsolete. Which is it, is technology static or evolving?

We think that QR codes are a perfect ‘tweener technology that has virtually no extra printing cost and works with all smartphones. Yes, you have to be sure to use a compatible application, but once you figure that out for QR Codes (and again for Microsoft Tag codes), you’re set. Launching the app, waiting for the camera to focus and having the app autodetect the QR code and link to the corresponding URL takes no more than a few seconds. That is much faster than typing in a URL or keywords, if you don’t make mistakes or get distracted before you finish.

Also, when coupled with the right type of business software such as that based on our web-based, Rapid Enterprise Deployment engine known as AmpUp, the added cost of putting together a QR-code marketing campaign is negligible, so therefore the resulting ROI can be huge. Such systems can produce all of the differing QR codes, maintain a database, and then provide URL landing pages with corresponding and compelling content. Through web dashboards, company execs continuously monitor a campaign’s performance and even tweak it midstream if necessary.

The author suggests also that image recognition is a reasonable alternative. Not so. Mobile devices do not have the processing horsepower to implement broad-range image recognition, so they would have to upload the captured image to a capable server and receive the results. This might work for low-frequency use, but all the cell carriers now impose limits on data bandwidth, so this type of solution would really only be economically attractive when using WiFi networks, a severe limitation indeed.

It’s more likely that the author is taking a devil’s advocate point-of-view to make people think through their adoption of new technology, a process we employ as part of our technology strategy consulting services. If that is really the case here, then this author is to be commended.

Please feel free to contact us if you are thinking of using QR codes.

Business Card QR Codes and the Apple vCard Problem

by Harry Tarnoff

You may have heard the buzz on “quick response codes” – QR codes, typically one-inch square barcodes that are appearing on advertisements, coupons, in stores, even on T-shirts and shopping bags. The idea is someone interested in the product, store or event could whip out their cellphone, take a picture of the code and have the phone’s browser instantly bring up their associated web page with more information. Wouldn’t it be nice to do something similar on business cards so that someone can scan a code and have the contact information automatically added to their electronic address book?

As we opened up our new offices in Downtown Los Angeles, we wanted to do exactly this, not only because it would make it easier for the people to whom we gave our business cards to add us to their devices’ contact list, but it would also demonstrate some high-tech capability on an otherwise non-technical piece of paper – perfect for a technology strategy company. Well, it’s good that we know technology because there were a couple of issues along the way, the solutions for which we are more than happy to share.

The vCard and the QR Code

The generally accepted format for an electronic business card is called a “vCard.” It has been around since the mid-1990s and is supported by all the major email and CRM programs. A vCard file can be attached to an email message or linked on the web. It is a readable text file with fields for names, addresses, phone numbers, and other personalized data.

QR or Quick Response codes represent an improvement over their UPC bar code ancestors because they can reliably carry more information for easy access by a business’ customers. Instead of a series of parallel lines as with UPC bar codes, QR codes are in a two-dimensional matrix with blacked out squares at certain row-column intersections, much like a crossword puzzle. Customers use smartphones to scan these codes to see more information – typically a web page associated with the codes – about whatever it is that these codes are associated with.

Let’s now say you want to put the equivalent of your vCard on your business card as a QR code. It may be a natural thought to simply put all of the vCard information directly into the code. This is not a good idea. Besides the code becoming too detailed and harder to scan, when someone scans it using a typical scanner app, they would get only the vCard text. The vCard information does not get added automatically to the Address Book unless the app itself is aware that the data represents a vCard and adds it to the Address Book itself. Your potential customers lacking an appropriate scanner application could become frustrated.

What you do instead is what the advertisers do, that is, put a single web link into the QR code. This approach has wide support and will undoubtedly work fine. After all, that is the primary purpose of QR codes: to be scanned and take a user to a predefined web address.

The plan, then, is to create a code that takes the user to a web address which has a vCard file. The device’s browser, seeing that the “web page” is a vCard, will download the contact information and allow the user to add it to the Address Book.

The Apple Mobile Device Issue

While this approach works on virtually all desktops, notebooks, and many mobile devices including those based on Android, there is a big snag when it comes to Apple mobile devices. For years, Apple has supported vCards as the only easy way to export Address Book entries. However, Apple’s mobile device browsers do not support vCard files. If you scan a link to a vCard file, all you get is a “Safari cannot download this file” message. Oops.

While this oversight will most likely eventually be fixed, it is probably not prudent to march forward adding QR codes to business cards and hope that Apple fixes this problem. Some kind of hopefully temporary workaround is in order.

You could email the vCard to the Apple device. The device will then ask the owner to confirm adding the data to the Address Book. The disadvantages to the approach are:

  1. It is not automatic since the user needs to enter an email address on which to receive the vCard
  2. The user has to give up his or her e-mail address, which he or she may not want to do
  3. Emails are not always fast and reliable, so the user is forced to wait and possibly retry

The Solution

Fortunately, we have a much better workaround. It requires an entry in Google Places (or Google Maps) and administrative rights to a website.

Our DataPlex entry with Google Places has a bunch of business-related information and is a fine place to send someone who scans in the QR code from the back of our DataPlex business cards. The solution is to forward someone on an iPhone or iPad to this alternate URL. If you haven’t already, set up your entry in Google Places.

The Technical Part

The key part of the solution is adding a URL rewrite rule. Although the following is for Apache, there is a similar process for Microsoft’s IIS.

Here are the lines to add to the .htaccess file on the website, in the folder that contains the vCard:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*Mobile.*Safari
RewriteRule ^(.*)vcard\.vcf$ http://maps.google.com/maps/place?hl=en&georestrict=input_srcid:0d6a82b1f62d0d2b [R=302,L]

Your technical staff should, of course, change the third line with the “RewriteRule” to link to the proper map reference. If it is not already active, your staff also should enable the mod_rewrite module.

How this works is that when an Apple mobile user snaps a picture of the QR code in some scanner app, that app launches Mobile Safari to bring up the web page. The .htaccess file tells the Apache server that when the “user agent” (browser ID string) contains the text “Mobile” followed by “Safari,” it should redirect the browser to the URL specified in the RewriteRule (the [R=302,L] flags make the redirect explicit and stop further rule processing).
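The same user-agent routing done in PHP instead of .htaccess, added as an example and not part of the original post: a vcard.php that sends Apple mobile browsers to the Google Maps page and serves the vCard to everyone else with the correct Content-Type, so desktop browsers and Android devices offer to import it. One caveat the example also addresses: the pattern Mobile.*Safari matches Android’s stock browser and Chrome for Android as well, whose user agents end in “Mobile Safari/…”, even though those browsers handle vCard downloads; the example therefore tests for the iPhone, iPad and iPod device tokens instead. The contact details, the Maps URL placeholder, the page URL and the sample user-agent strings are all constructed.

```php
<?php
// Added example, not code from the DataPlex post: content negotiation for a
// business-card vCard. Point the QR code at https://www.example.com/vcard.php
// (assumed URL). Contact details and the Maps URL below are placeholders.

declare(strict_types=1);

// Constructed vCard 3.0 record; replace with your own fields.
const VCARD = "BEGIN:VCARD\r\nVERSION:3.0\r\nN:Doe;Jane;;;\r\nFN:Jane Doe\r\n"
    . "ORG:Example Co\r\nTEL;TYPE=WORK,VOICE:+1-555-0100\r\n"
    . "EMAIL;TYPE=INTERNET:jane@example.com\r\nURL:https://www.example.com/\r\nEND:VCARD\r\n";

// Where Apple mobile devices are sent instead (placeholder; use your own Google Places URL).
const MAPS_FALLBACK_URL = 'http://maps.google.com/maps/place?hl=en&georestrict=input_srcid:YOUR_PLACE_ID';

/**
 * True for Apple mobile devices. Device tokens are used rather than "Mobile.*Safari"
 * because Android browsers also send "Mobile Safari/..." yet can import vCards.
 */
function needs_maps_fallback( string $user_agent ): bool {
    return (bool) preg_match( '/\b(iPhone|iPad|iPod)\b/', $user_agent );
}

/** Send the vCard as a download so the browser hands it to the contacts application. */
function serve_vcard( string $vcard ): void {
    header( 'Content-Type: text/vcard; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="contact.vcf"' );
    header( 'Content-Length: ' . strlen( $vcard ) );
    echo $vcard;
}

if ( PHP_SAPI === 'cli' ) {
    // Quick check of the classifier with constructed user-agent strings: php vcard.php
    $samples = [
        'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3' => true,
        'Mozilla/5.0 (Linux; U; Android 2.3.4; en-us) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1' => false,
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3' => false,
    ];
    foreach ( $samples as $sample => $expected ) {
        $ok = needs_maps_fallback( $sample ) === $expected;
        printf( "%s %s...\n", $ok ? 'ok  ' : 'FAIL', substr( $sample, 0, 60 ) );
    }
    exit;
}

// Web request: the answer depends on the User-Agent, so tell caches not to reuse it across clients.
header( 'Vary: User-Agent' );
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if ( needs_maps_fallback( $ua ) ) {
    header( 'Location: ' . MAPS_FALLBACK_URL, true, 302 ); // temporary redirect, as the RewriteRule does
    exit;
}
serve_vcard( VCARD );
```

Because the response varies by client, the Vary header matters on a site behind a caching proxy or CDN; without it, a cached redirect meant for an iPhone could be handed to a desktop visitor, or the cached .vcf to an iPhone.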

You can continue to use the same QR code pattern and URL but update the information on your website-based vCard and in Google Places without having to necessarily reprint your business cards.

Demonstration

Visually, what happens after the Apple mobile device user snaps the pic of the QR code is, within seconds, he or she is looking at a Google Maps page for the business. Once there, the user can click on “more info” (the right-facing arrow in the blue circle) and then “Add to Contacts” at the bottom of the page. It is a bit unfortunate that the Add to Contacts button, along with those for “Share Location” and “Add to Bookmarks,” are off the bottom of the screen so the user would have to scroll down, but most experienced Apple device users would know this.

If you want to see a working demonstration of a QR code-based vCard link, just scan the QR code below. It has the link to a vCard on the DataPlex website. If you are using an Apple device, you’ll end up in Google Maps as described above. Otherwise, you will be prompted to download the vCard directly into your Address Book or Contact List.

(Image: QR code linking to the vCard for DataPlex)

Barcodes, especially the new matrix codes such as QR, can be wonderful time-savers for businesses, but they have to be implemented smartly. If you would like to upgrade to the latest in barcode technology, let us help in your deployment of an easy-to-use yet robust system.

A Quick Primer on Quick Response Barcodes

There are regular enterprise business systems, and then there are those exceptional systems that connect to sensors and allow integration with the real world, simplifying logistics, lowering costs and saving money. We build such systems, and one of the areas our customers ask us about is barcodes. There is a new type of barcode that is sweeping the world, and you should know about how it may improve your business.

It is known as a Quick Response code or QR code. We’ve put together this QR Code Primer in Q&A form to answer the more common questions, and, should you have more, please feel free to contact us to have a no-obligation discussion.

What are QR codes?

QR codes are bar codes similar to the UPC codes you see at the market but they are organized into rows and columns and therefore are able to contain more information. Customers use their smartphones to scan these codes to see more information – typically a web page – about whatever it is that these codes are associated with. QR Codes caught on big in Japan a couple of years ago and are now just beginning to appear in the United States. The codes can be used for other purposes too, say, within an enterprise to improve workflow (more on that below).

What do they look like?

While they can be any size, they are square and usually not more than an inch high. Depending on how much data they contain, the dots (or pixels) will range from large to small.

Here are some sample QR codes:

(Images: QR code #1, QR code #2, QR code #3)

The first code, on the left, is lower-resolution than the others because it contains the least amount of data. As more data is put into the same size QR code, the dots shrink to accommodate. Larger dots are generally better because the scanner is better able to distinguish them. The third code shows that there can be some creativity; some people even alter the dot pattern to show readable letters or images, but that comes at a cost of lower reliability.

How does a business use them?

There are a myriad of uses, even inventive new ones such as scavenger hunts, green ticketing, and furniture assembly. Common QR code uses are for the purposes of marketing, promotion, entertainment, education, information transfer, sales and retail, and workflow:

Marketing: increase a business’ exposure and market
Promotion: promote new products and special events
Entertainment: e-ticketing, paintball targets
Education: tests, lessons, report cards, museum guides
Information Transfer: transferring business card information; referencing newspaper articles and online sources
Sales and Retail: payments, track units sold, units returned
Workflow: sequencing, provisioning, inventory control

(Image: sample promotional use)

Are there alternatives?

Yes, there are the QR code’s ancestors, consisting of a single row of parallel lines like the ubiquitous UPC code, and there are other matrix bar code formats, including specialty ones used in manufacturing to work across longer distances between the object carrying the code and the scanner. New codes are being invented all the time, such as Microsoft Tags, but unless there is a compelling overriding reason, we typically recommend sticking with one of the more common and better supported formats.

What apps are already available?

General-purpose scanner apps for mobile devices are everywhere. Just go to your favorite app store and search for “qr code.” The real challenge is for a business to set up an appropriate system and then generate the codes to be useful in some way. Sometimes, depending on the nature of the business use, a custom scanner app needs to be developed.

How can my business make use of QR codes?

If you are asking this question, then you already have some idea of how QR codes may be able to streamline your operation or be used to promote some product, service or event. Some uses are straightforward and require not much more than creating a landing webpage, generating a code with its URL, and printing the code on promotional materials.

As system developers, we are also interested in the area where QR codes hold tremendous promise but not much has yet been done … with business enterprise. These more sophisticated uses require finely tuned apps particularly when the codes are used to track workflow through various states and statuses. For a large operation, the scanning of codes feeds a company-wide enterprise system to keep important databases up-to-date automatically. As one quick example, Starbucks recently announced that it is now accepting QR code-based mobile device payments at 7,500 locations.

Depending on the application, there can be some “gotchas,” even with seemingly benign uses, for example the problem we identified with Apple mobile devices.

Our experience with barcodes and scanning goes back a few years when some of our team members designed printers and scanning equipment. As a result of our rapid development ability, our customers have been very happy with our systems including the good folks behind the NBC game show “1 vs 100.” Let us know how we might assist you.