Pain in the *Ss

Being in the USA these days is getting annoying.

I have been in the EDT time zone for a few days now and the rest of the world is still on standard (aka winter) time. That means the difference between me and my home Croatia is one hour less than it normally is. Or is it one hour more? This is getting confusing.

I would understand if the US decided to stop using daylight saving time (or better, make it permanent). That way I could blame the rest of the world for being too backward to kill a useless tradition. However, some idiot politicians decided that it would be a great thing if the USA could be out of sync with the rest of the world's time zones for two weeks.

Thank you.

Two Weeks With Windows 8

I have forced myself to use Windows 8 at home for the previous two weeks. And the best way to describe it would be as a tablet OS.

The best example of tablet-centric behavior is seen if you search for “Computer”. You will get the familiar “Computer” icon on which you might want to right-click (in order to get the context menu). If you do this, the context menu will appear, but at the bottom of the screen. So you need to move your cursor all the way down the screen. Pointless. And it is annoying that you cannot use the keyboard for that at all. Pressing the context-menu key brings up the menu for the text box and not for the currently selected item. You first need to use the arrow keys to go up/down and only then can you use the keyboard properly. Unpolished, to say the least.

Search, which worked perfectly in both Windows Vista and Windows 7, is lacking. You cannot search for Printers, Devices, Programs… all those items that resided in the start menu are no longer easily accessible by search. Yes, you can go and CLICK on Settings below, but that is a solution oriented toward tablets and mouse users. If you want the keyboard you can get it with Win+W (very logical indeed), but at the cost of the time spent switching. It gets even worse when you are not sure where something is.

Windows SmartScreen technology helps to annoy the user further. It checks each file downloaded from the Internet against a reputation service and, if not enough users have downloaded that application through Internet Explorer, it forces you to jump through hoops to run it.

As far as networking goes, Windows Vista/7 hid everything behind one more click than was really necessary. However, if you had a network connected, that network was shown in the notification area (aka tray). In Windows 8 it shows the state of whatever adapter it wants. Chances are it is not the adapter you are currently using. So you can have an icon with an exclamation point while your network works perfectly. To see the real state you need to click on the icon with the warning.

Those were the things that I hated the most during regular work, but they weren't the only ones. I think that almost every single feature of Windows 8 is unfinished, and it is very obvious. I understand that it is not fair to compare a beta (or consumer preview) of Windows 8 with a finalized product like Windows 7. However, I remember the Windows 7 beta. I had no reservations about starting to use it immediately. There was virtually no downside to it. Comparing the two betas, it feels like Windows 8 was rushed…

The single excellent thing about Windows 8 is the ability to boot off USB. And it is fortunate that it can, since I am erasing it from my hard drive.

Cheap Bastards

Illustration

It is very sad to see illegal downloads driving Sony Music so poor that they cannot afford a proper SSL certificate. It is either that or the team creating these pages just didn't give a damn.

Well, at least they do offer SSL…

Force HTTPS for WordPress Login Page

If you do have an SSL certificate on your domain, it would be a shame not to use it for the WordPress login. Since WordPress sends passwords as plain text, it would be a great thing if we were redirected to the HTTPS version for every login (even if we forget to specify it).

The solution lies in adding a few lines to your .htaccess file:

RewriteEngine On
# Send plain-HTTP requests for the login page and the admin area to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^wordpress/wp-(login\.php|admin/)(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

This rule checks whether the request is for the login page or the admin area. If it is and HTTPS is not in use, it redirects the request to the same URL over HTTPS (the dot in login.php is escaped so it matches literally, and RewriteEngine On is needed if mod_rewrite is not already enabled for the directory). On shared hosting where ServerName may not match your site, %{HTTP_HOST} is the safer choice than %{SERVER_NAME}. Keep in mind that a redirect only helps for requests that arrive before any form is submitted: if a login form is posted over plain HTTP, the password has already left the browser before the 301 comes back, which is why WordPress itself must also generate HTTPS links for the login and admin pages.

P.S. This example was taken from my pages, where I have WordPress installed in a sub-directory named wordpress. If you have it installed in some other directory, adjust accordingly.

P.P.S. Do not forget to set FORCE_SSL_LOGIN and FORCE_SSL_ADMIN in wp-config.php as well (in newer WordPress versions FORCE_SSL_ADMIN alone covers the login page, as FORCE_SSL_LOGIN was deprecated in 4.0).

WordPress and Plain-text Password

If you have ever done a network capture of your WordPress login procedure, you will have noticed that the password is sent as plain text:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=mysuperpass&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

Anyone who can watch traffic on your network can see it as clear as day. Worse still, if you traverse a proxy server (as in most companies), your password might get dumped into a log file. Whoever has access to those log files has access to your password. Do you really trust your network admin that much?

The proper way to sort this out is to use SSL. That way the connection is encrypted end-to-end and the whole plain-text issue just goes away. Unfortunately, SSL certificates usually cost some money.

A cheaper solution is to tunnel all your traffic through SSH to a trusted network (e.g. your system at home). While this alleviates the threat when you are connecting from e.g. a hotel, it still means that your plain-text password travels from that trusted system to the server unencrypted. However, in the case of an SSH tunnel from home, you can count (or can you?) on your provider not keeping such detailed logs.

The last thing you might do is to force WordPress to use a CHAP-style (challenge/response) login. That way the password is still visible, but only in hashed form, combined with a challenge the server issues for that login attempt. Brute-force attacks remain possible, since an eavesdropper who captured both the challenge and the hash can guess passwords offline, but at least the attacker has something to do. And if the password was selected carefully, it might require months or even years of computing. Note that this protects only the password itself: the session cookie WordPress sets after a successful login still travels in plain text, so an eavesdropper who cannot recover the password can still hijack the logged-in session. The only way I found to do this is by installing the Chap Secure Login plugin.

Upon activating this plugin you should log out and log in again (that will fail). And then log out and log in again (in my case this was still sending plain text). Only upon the third logout/login did the plugin start working properly. Snooping the traffic again, you will see something like:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=0a1dbb73659c24dd237ec254022af7daef410404665cc7f4be22b69e1e2b1845&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

This looks much better.
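The exchange described above, as an added example that is not part of the original post and not the Chap Secure Login plugin's own code: a minimal challenge/response login in which the browser sends a digest of the challenge and the password instead of the password itself, followed by the offline dictionary attack an eavesdropper can still run against a captured exchange. The digest construction (SHA-256 over the challenge concatenated with the password), the single-use random challenge, and the names ChapServer, respond, run_login and offline_guess are assumptions made for illustration; the page only shows that the captured pwd field is a 64-hex-digit value, which is consistent with SHA-256 output. The user name and password are the page's own sample values.

```python
# Added example, not code from the original post and not the Chap Secure
# Login plugin's implementation. Shows the challenge/response idea the post
# describes and the offline guessing attack that remains possible.
#
# Assumptions (not stated on the page): response = SHA-256(challenge || password),
# challenges are random and single use, and the server holds a
# password-equivalent it can hash itself.
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode


def respond(challenge: str, password: str) -> str:
    """Client side: the value that goes into the pwd= field instead of the password."""
    return hashlib.sha256((challenge + password).encode("utf-8")).hexdigest()


class ChapServer:
    """Issues single-use challenges and checks responses against stored credentials."""

    def __init__(self, users: dict[str, str]):
        # CHAP needs the server to know the password (or a password-equivalent);
        # an ordinary salted password hash would not allow this check.
        self._users = dict(users)
        self._pending: dict[str, str] = {}  # login -> outstanding challenge

    def challenge(self, login: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[login] = nonce
        return nonce

    def verify(self, login: str, response: str) -> bool:
        # pop() makes the challenge single use, so a replayed response fails
        nonce = self._pending.pop(login, None)
        password = self._users.get(login)
        if nonce is None or password is None:
            return False
        expected = respond(nonce, password)
        return hmac.compare_digest(expected.encode("ascii"), response.encode("utf-8"))


def login_form_body(login: str, pwd_field: str) -> str:
    """Body of the wp-login.php POST, shaped like the captures on the page."""
    return urlencode({"log": login, "pwd": pwd_field, "wp-submit": "Log In", "testcookie": "1"})


def run_login(server: ChapServer, login: str, password: str) -> tuple[bool, str, str]:
    """One login exchange. Returns (accepted, challenge, response); the last two
    are exactly what an eavesdropper on the wire gets to see."""
    nonce = server.challenge(login)
    response = respond(nonce, password)
    return server.verify(login, response), nonce, response


def offline_guess(challenge: str, captured_response: str, wordlist: list[str]) -> Optional[str]:
    """The attacker's side: try candidate passwords until one reproduces the
    captured digest. No further contact with the server is needed."""
    for candidate in wordlist:
        if respond(challenge, candidate) == captured_response:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample, reusing the page's example user and password.
    server = ChapServer({"admin": "mysuperpass"})
    ok, nonce, digest = run_login(server, "admin", "mysuperpass")
    print("login accepted:", ok)
    print("on the wire:", login_form_body("admin", digest))
    print("replay accepted:", server.verify("admin", digest))
    print("offline guess:", offline_guess(nonce, digest, ["123456", "password", "mysuperpass"]))
```

Running the script shows the password never appears on the wire and a replayed digest is rejected, but the last line shows why the post's "at least the attacker has something to do" is the right way to put it: with the challenge and the digest in hand, the attacker's work is bounded only by the quality of the password.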

[2014-10-29: I had this plugin fail with Suffusion. After its (manual) removal I was unable to log on anymore. The solution was to remove cookies.]