Macrotone Blogs

Macrotone blogs upon Joomla, our products and other matters.

Joomla 3.5.0. released

The Joomla! Project and the Production Leadership Team are proud to announce the release of Joomla! 3.5.0.

It introduces 34 new features, including support for the recently released PHP 7 scripting language, which significantly increases web site speed.

This version of Joomla! supports the most recent release of PHP, the most popular programming language for developing web applications. PHP 7 was recently announced with significant performance improvements and is now available for use by the general public. With Joomla! 3.5 users can now enjoy the benefit of that performance improvement.

Joomla's new email update notification plugin periodically checks for available Joomla! updates and bug fixes, then emails administrators to notify them. 3.5's new statistics collection plug-in gathers the system environment in use. The raw data collected is anonymised before transmission and access to the compiled data is publicly available at https://developer.joomla.org/about/stats.html.

For a full list of the features, please visit our GitHub Repository.

Official release details are located here.

Joomla 3.4.8 released

The Joomla! Project and the Production Leadership Team are proud to announce the release of Joomla! 3.4.8.

This is a bug fix release for the 3.x series of Joomla. This release fixes some bugs related to session management from Joomla 3.4.7. The project understands that many of our users are now on Christmas holidays, so we would like to emphasise that this release only contains bug fixes and, whilst we strongly encourage our users to update as soon as practically possible, this update can be left until after any holidays.

What's in 3.4.8

Joomla 3.4.8 fixes some issues found in Monday's 3.4.7 release, to do with browser sessions. All reported bugs from the 3.4.7 update have been fixed in this release.

For known issues with the 3.4.8 release, see the Version 3.4.8 FAQ on the documentation site. Please note that it is expected that you will be logged out as soon as the update is complete.

Official release details are located here.

Canvas Fingerprint code tracking

The topic of the moment appears to be ‘Canvas Fingerprinting’, with a number of articles available on the web. It is the latest development in use for tracking the movement of users on the web. You do not need to click on a widget to be tracked; just visiting the site is sufficient. It exploits the subtle differences in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without the user being made aware.

A research paper concluded that code used for canvas fingerprinting had been in use earlier this year on 5,000 or so popular websites, unknown to most of them. Most but not all the sites observed made use of a content-sharing widget from the company AddThis.

The mechanism: Canvas Fingerprinting works in a similar way to cookies, by keeping a record of which sites are visited. When a browser loaded the AddThis widget, JavaScript that enabled canvas fingerprinting was sent. The script used a capability in modern Web browsers called the canvas API that allows access to the computer’s graphics chip, which is intended for use with games or other interactive content.

An invisible image is sent to the browser, which renders it and sends data back to the server. That data can then be used to create a “fingerprint” of the computer, which could be useful for identifying the computer and serving targeted advertisements.

But of several emerging tracking methods, canvas fingerprinting isn’t the greatest: it’s not terribly accurate, and can be blocked. The Electronic Frontier Foundation (EFF) recommends its own ‘Privacy Badger’ or the Disconnect add-on.
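As an added illustration of the blocking approach mentioned above (example code written for this page, not from the original post or from the EFF's Privacy Badger), the guard below wraps the canvas read-back methods on whatever prototypes it is given, logs each attempt and hands the caller a constant instead of the rendered pixels. The demo's stand-in objects are assumptions so that it runs outside a browser; in a page you would pass the real HTMLCanvasElement and CanvasRenderingContext2D prototypes.

```javascript
// Added example (not code from the original post or from Privacy Badger):
// a guard that wraps the canvas read-back methods a fingerprinting script
// has to call (rendered pixels are only useful once exported), logs every
// attempt and, when blocking is enabled, hands back a constant value.
function installCanvasGuard(canvasProto, contextProto, opts = {}) {
  const block = opts.block !== false;   // block by default
  const log = [];                       // one entry per read-back attempt
  const originals = [];                 // for uninstall()

  function wrap(proto, name, blockedResult) {
    const original = proto[name];
    if (typeof original !== 'function') return;
    originals.push([proto, name, original]);
    proto[name] = function guarded(...args) {
      log.push({ method: name, blocked: block, at: Date.now() });
      return block ? blockedResult(args) : original.apply(this, args);
    };
  }

  // toDataURL: a constant placeholder instead of the real pixels
  wrap(canvasProto, 'toDataURL', () => 'data:,');
  // toBlob: hand the callback null so page code waiting on it does not hang
  wrap(canvasProto, 'toBlob', (args) => { if (typeof args[0] === 'function') args[0](null); });
  // getImageData: zeroed pixels of the requested size
  wrap(contextProto, 'getImageData', (args) => {
    const w = Math.max(0, args[2] | 0), h = Math.max(0, args[3] | 0);
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
  });

  return {
    log,
    summary() {                           // attempts per method
      const counts = {};
      for (const e of log) counts[e.method] = (counts[e.method] || 0) + 1;
      return counts;
    },
    uninstall() { for (const [p, n, f] of originals) p[n] = f; },
  };
}

// Stand-alone demo using constructed stand-ins for the browser prototypes;
// in a page you would pass HTMLCanvasElement.prototype and
// CanvasRenderingContext2D.prototype instead.
function demo() {
  const fakeCanvas = { toDataURL() { return 'data:image/png;base64,REALPIXELS'; } };
  const fakeCtx = {
    getImageData(x, y, w, h) { return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(255) }; },
  };
  const guard = installCanvasGuard(fakeCanvas, fakeCtx);
  const url = fakeCanvas.toDataURL('image/png');           // what the tracker now receives
  const px = fakeCtx.getImageData(0, 0, 2, 2);
  return { url, pixelSum: px.data.reduce((a, b) => a + b, 0), summary: guard.summary() };
}
```

With `block: false` the guard only records attempts, which is enough to see which scripts on a page read the canvas back at all.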

The list of sites that still track you is at this address.

So much for privacy.

Pavlovian approach to Password Management

Engineers at Stanford recently unveiled a new password policy that shuns one-size-fits-all security. This has been followed by a system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche, which provides rewards or penalties based on the passcode choices people have made.

The example given is as follows:

A user who picks "test123@#" might be required to change the password in three days under the system, the three-day limit being based upon calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months.

An interesting concept, and one that would avoid forcing users who have made a sensible password choice to change their passwords just because other, less careful users chose ‘easier’ passwords.

The full article is here.

Privacy Badger - an interesting browser plugin

There is an interesting plugin for Chrome and Firefox, named ‘Privacy Badger’, currently in ‘Alpha’ release from the EFF (Electronic Frontier Foundation), who brought us ‘HTTPS Everywhere’.

Privacy Badger is described as a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web.  If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser.  To the advertiser, it's like you suddenly disappeared.

More details are on the EFF website.

Longaccess: pass your digital assets to your heirs

One question that is often asked is how one preserves one’s digital assets and passes them on to one’s heirs. We recently read about a new service that may offer a solution.

Longaccess promises to be a cold storage of sorts for your digital life. It's a cloud-based service that operates off Amazon's S3 data centres, but unlike other file lockers such as Dropbox or Google Drive, Longaccess aims to be less accessible, but more dependable. It describes itself as a ‘safe’ on the Internet, a location where one can store files fully encrypted and secured, safe and ready to be accessed for decades.

Longaccess is not a file syncing service, nor is it a file sharing service. It is a service for storing files for long periods of time: files that are NOT updated, or changed at all. Every time a file is created and uploaded to a Longaccess Archive using the desktop application, one gets an Archive Certificate. This is a simple text file that contains all the information required to access the data in the future:

- Anyone with access to the Archive Certificate can access the corresponding Archive data: Nothing else is required, not even a username or password.

- Access to the Archive data is impossible without the corresponding Archive Certificate. No one, not even the owner, nor Longaccess, can decrypt the Archive without the Archive Certificate.

One can think of the Archive Certificate as a full entitlement to access the data of a specific Archive. If one gives a copy to someone else, they can also access the data.

There are a number of questions re cost etc. that immediately spring to mind, including how they can guarantee they will be around in a decade or so, questions which they try to answer on their web site.

Sounds interesting and may well be a way to preserve those ‘old’ photographs for posterity.  One that may well be worth watching for a future opportunity.

Observation of Visitor Private IP addresses

It has been observed for some time that some of our site visitors, usually of the less desirable types, have been ‘presenting’ private IP addresses, as reported by our site protection software.

An IP address is considered private if the IP number falls within one of the IP address ranges reserved for private uses by Internet standards groups. These private IP address ranges exist:

10.0.0.0 through 10.255.255.255
169.254.0.0 through 169.254.255.255 (APIPA only)
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

Private IP addresses are typically used on local networks including home, school and business LANs including airports and hotels.

Devices with private IP addresses cannot (?) connect directly to the Internet. Likewise, computers outside the local network cannot connect directly to a device with a private IP. Instead, access to such devices must be brokered by a router or similar device that supports Network Address Translation (NAT). NAT hides the private IP numbers but can selectively transfer messages to these devices, affording a layer of security to the local network.

Standards groups created private IP addressing to prevent a shortage of public IP addresses available to Internet service providers and subscribers.

Despite the above, which is standard(?) Internet criteria, we have observed visitors using addresses in the 192.168 range for over a year. However, since the beginning of the month (February 2014) we have seen a large number of addresses in the 172.16 range as well. Something has obviously changed, as these should not be possible.

Searching on the web has not revealed any other site that has reported the problem. Whilst not an issue for ourselves, since we do not use the IP address information for any purpose other than providing an assessment of where our visitors originate from, it might well pose a problem for other sites. It is suspected that the only ‘real’ way to stop the practice would be to block the IP ranges, so that a visitor from outside the local network presenting an address within those ranges is effectively ‘blocked’ from accessing any information upon a site, although, according to the criteria above, this should not be required.
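As an added example (written for this page, not code from the original post or from any site protection software), the snippet below classifies visitor addresses against the reserved ranges listed above and picks out the access-log entries whose source address should never arrive from the public Internet. The log lines are constructed, and the range labels and helper names are this example's own.

```javascript
// Added example, not from the original post: classify visitor addresses
// against the reserved ranges listed above and pick out log entries whose
// source address should never appear from the public Internet.
const RESERVED_RANGES = [
  { cidr: '10.0.0.0/8',     label: 'private (RFC 1918)' },
  { cidr: '172.16.0.0/12',  label: 'private (RFC 1918)' },   // 172.16.0.0 - 172.31.255.255
  { cidr: '192.168.0.0/16', label: 'private (RFC 1918)' },
  { cidr: '169.254.0.0/16', label: 'link-local (APIPA)' },
];

// Parse a dotted-quad IPv4 address into an unsigned integer; null if malformed.
function ipv4ToInt(addr) {
  const parts = addr.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ipInt, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function classifyAddress(addr) {
  const n = ipv4ToInt(addr);
  if (n === null) return 'invalid';
  const hit = RESERVED_RANGES.find((r) => inCidr(n, r.cidr));
  return hit ? hit.label : 'public';
}

// Constructed access-log lines in common log format (not real visitor data);
// the first field is the address the web server saw.
const SAMPLE_LOG = [
  '203.0.113.7 - - [03/Feb/2014:10:12:01 +0000] "GET / HTTP/1.1" 200 5120',
  '192.168.1.23 - - [03/Feb/2014:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 4870',
  '172.20.4.9 - - [03/Feb/2014:10:13:40 +0000] "GET /contact HTTP/1.1" 200 3011',
  '169.254.10.2 - - [03/Feb/2014:10:14:02 +0000] "GET /robots.txt HTTP/1.1" 200 88',
  'not-an-address - - [03/Feb/2014:10:15:00 +0000] "GET / HTTP/1.1" 400 0',
];

// Return the entries whose source address falls in a reserved range.
function flagReservedSources(lines) {
  return lines
    .map((line) => {
      const ip = line.split(' ')[0];
      return { ip, label: classifyAddress(ip), line };
    })
    .filter((e) => e.label !== 'public' && e.label !== 'invalid');
}
```

The classification only tells you which entries merit a look; whether to then block those ranges, as the post considers, is a separate decision.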

Web Site Security

Just read a short article in the December issue of the Joomla Community Magazine titled ‘Ten Arguments That Threaten the Security of Your Website’ that is well worth reading. It applies equally well to any web site but obviously the emphasis is upon Joomla.

The point about always keeping your website up to date with the latest patches in particular is one that I usually have to use every week, when looking at reported problems our component users are experiencing. Usually the Joomla version is several, if not many, versions behind current. Perhaps one might miss, or not have time to always be upon, the latest release, but there is really no valid reason for being, in some cases, over a year behind. It is just asking for trouble.

I recommend it as a worthwhile read: it is reasonably short but quite concise, and unfortunately so true in many respects.

Problems with ReCaptcha display

We have been seeing a strange problem on our site where the ‘ReCaptcha’ challenge was not always being displayed when it should have been. Most notably this is/was seen on the site registration page, but was not just restricted to that page. A complete page refresh often resolves the problem and shows the Captcha block.

Today we saw that a change is proposed for the next Joomla update. It is mentioned in this post from OSTraining, which in turn refers to the fix itself, which is extracted from this joomla.org doc.

The basic problem seems to be that Google changed the URLs of the Recaptcha API location, which doesn’t completely explain what we are/were seeing, but implementing the fix cannot do any harm and may even resolve the problem.

We will watch it for a while and see whether it completely solves the problem, but recommend it is implemented on your sites if you are experiencing ReCaptcha problems. It does require FTP or SSH/Telnet access to change the plugin code.

Update 29/11/2013: Doesn't solve the display problem, so still investigating.

Implementing Online Storage - DropBox

We have been investigating the use of ‘Cloud services’, in particular for backup and synchronising devices, and discovered just how easy it was to use. One attraction is that there is a ‘free’ no cost option, and there appears to be a wide variety of providers. We have used Amazon Cloud Drive, Google Drive and also Microsoft’s SkyDrive, but they didn’t easily integrate into all of our environments and we wanted to automate the use of the service.

Before we jump straight in, one often asked question is: what is online storage? The answer, of course, is that online storage, or "cloud" storage as it is also known, is ‘storage space’ held somewhere in the ‘internet cloud’ that (often) appears as a virtual hard drive shown on your desktop and linked directly via the internet to the supplier’s online space. Exactly where it is stored is not really important, just that it is accessible.

They are easy to use, as one just opens the folder on the desktop and copies or pastes a file (or files), whether they be documents, music files, photos etc., and the files get synchronised across to the ‘online’ space. If one has multiple devices (or machines) then each device with the ‘provider’s’ software installed can see and access the files.

It is also possible to ‘share’ the files with other users as well,  once they've installed the same service.

Security

Data security is the number one concern since one is relying on the service to keep your files and documents secure.  If your account is hacked, your files are immediately available. However, there are several things you can do to prevent this:

  • Frequently change your passwords and don't use the same passwords as your email accounts. As a lot of these services require you to use your email address as your ID, it makes it easier for the bad guys to crack your password.
  • Use password-based encryption on sensitive files stored on the ‘online service’.

And of course the ‘old’ standards still apply:

  • Install (free?) antivirus and anti-malware software, and keep it up-to-date.
  • Avoid opening any links or attachments that could be potential security risks.
  • Beware of phishing emails and any messages from unknown senders that request your bank details.

Note: Other ‘online storage’ users usually can't see your private files unless one deliberately invites them or places the files in the "public" (or shared) folder.  As expected everything in your public folder is, by definition, accessible to anyone.

As we said at the beginning, we wanted to concentrate specifically on the ‘offsite’ storing of ‘backups’, in particular of our web server. Fortunately we make use of Akeeba Backup Pro, which allows easy integration with a number of providers. We chose to look specifically at DropBox, which since its launch in 2008 has become well known with techies, and has become one of the biggest names in online storage. It is also available upon a number of devices and has a simple, user-friendly interface. It can be downloaded on to PCs, Macs, iPads, iPhones, BlackBerrys and Android devices. It also has an online version of the service, which you can use on any PC where Dropbox is not installed - just log in online. It is this flexibility that particularly appeals.

It initially comes with 2GB of space, but this can be boosted by introducing ‘new’ friends to Dropbox.  With every new referral, you'll both gain an extra 500MB, up to a maximum of 18GB. If more is still required a monthly subscription can be added to the account.  This was more than suitable for our requirements so we read the documentation on the Akeeba site and proceeded to set up Akeeba Backup to create a backup and ran a test.  It worked perfectly, so much so that we thought we had made a mistake, but the site backup was in the Dropbox account. The automation was then set up using a cron ‘daemon’ on our web site and left to see how it performed overnight.  Checking the following day showed the backups were working well.

Next we looked at the synchronisation process between devices.  The only snag we found was that some of our devices were a ‘little long in the tooth’ and the Dropbox software required ‘up to date’ operating system versions, which were of course not available for  some of the hardware.  Apart from that the processes work well, with only the expected delays caused by the network performance.

The next thing we looked at was synchronising with our NAS (again another device, albeit one with certain characteristics). Again, installing the software package upon the NAS went smoothly, just as explained in the NAS documentation, and it then automatically created a folder on the NAS and saved all the files onto the NAS from Dropbox.

So we achieved what we set out to do: automatically create a web site backup (via cron) and transfer it to the ‘cloud Dropbox service’. Then our NAS box automatically synchronises the Dropbox backup files to our local NAS storage. Job done.

All in all it was as ‘easy as pie’ and we recommend it. In fact we wonder why we didn’t do it before; it just ‘worked’!

It is easy to see how beneficial this service could be to someone at, or going to, university who wanted to preserve their work in the unlikely event of an accident or possible theft of their personal computer.

Download it now: Dropbox
