Web


This is really exciting news.  Development on Cocoalicious, the Mac OS X native application that front-ends del.icio.us, has started back up again.

I’ve blogged many times about Cocoalicious (starting as far back as June of 2005) and how much I enjoy using the application to manage my del.icio.us bookmarks.  I was really disappointed that development had stalled, and had even started searching for replacements to the application.  Fortunately, it looks like the new developer (who is working with the original author, not replacing him, from what I understand) is already seeking feedback and ideas for future versions.

Personally, I’m pretty thrilled with the application as it is, and have only one feature request:  please, please, PLEASE drop the brushed metal interface.  Or at least offer us an option to toggle back and forth.  I’d love to see a fresh new UI like that used by Mail.app or NetNewsWire, with the tags in a pane on the left and your bookmarks listed on the right, and a divider (like the one used now) to open, close, or resize the built-in browser.  Combine that with a new, modern unified toolbar (not Mail.app’s lozenges, please!) and perhaps incorporate some of the tag UIs that have been proposed (like this one), and you’ve got yourself one killer del.icio.us client.


WordPress Upgrade

I had been stubbornly clinging to WordPress 1.5.2, which worked just fine and, in all reality, provided all the functionality I really needed.  I figured it would probably be best to keep up with the newer versions of the software, however, so I decided to upgrade.

To give all credit to the WordPress developers, the upgrade process for WordPress itself was very straightforward and rather quick.  The trouble came in having to update or replace certain plugins that weren’t compatible with the newer versions of WordPress.  Combine that with some manual hacks I’d performed to help ecto work better with the Ultimate Tag Warrior (UTW) plugin, and you have yourself a real pain in the neck.

Fortunately, I stumbled across a really helpful nugget to assist in the ecto-UTW issue.  The XML-RPC Plugin for WordPress 2.1 incorporates the Robin Lu hacks (linked above), so that ecto can store tags in the keywords field and work properly with UTW.  Yay—no more manually editing code!

The rest of the problems surrounded updating the theme templates with new PHP calls to reflect new plugins; for example, you’ll note the “Recent Comments” section in the sidebar is different (required a new plugin).

Only a few things remain undone:

  • The site search tags don’t seem to work just yet.  You get a “404 - Page Not Found” error when clicking on a site link tag.
  • The site’s theme has not been completely updated in all places, so you’ll see different layouts in different sections of the site.  I searched for a new prebuilt theme I could apply to the site, but couldn’t really find any that I liked.  I guess I’ll just continue to tweak the existing theme.
  • There are a few new plugins that I would like to use now that I’ve upgraded, but those haven’t been added to the site or incorporated into the theme just yet.

I anticipate that things should be worked out reasonably quickly, but I appreciate everyone’s patience in the meantime.


Mac Bookmark Managers

The idea behind del.icio.us is great, but for me it becomes truly useful using a “rich client” instead of a web browser.  For a long time, Cocoalicious has been that “rich client,” offering a combination of native Mac OS X technologies with the web services offered by del.icio.us.  Unfortunately, it appears as though Cocoalicious is no longer under active development, and so I’ve gone seeking other solutions.

There are quite a few bookmark managers out there for the Mac, but not so many that offer integration with del.icio.us.  Likewise, there are a number of utilities that offer to make posting to del.icio.us easier (Pukka and Postr come to mind) but don’t necessarily offer the bookmark management functionality upon which I rely.  So far, I’ve only found two applications that have the right balance of functionality.

The first of these is WebnoteHappy.  It looks as if WebnoteHappy originally started out as “just” a bookmark manager; del.icio.us support seems to be an add-on rather than an integral part of the application itself.  Nevertheless, WebnoteHappy does have a couple of things going for it:

  • It supports integration with NetNewsWire, my RSS reader, so that I can post URLs directly from NNW’s context menu.  (Currently, only Cocoalicious, Pukka, Postr, and WebnoteHappy appear to be supported.)
  • It supports AppleScript.
  • It supports Smart Folders to group bookmarks according to tags, description, or notes.

The best part of del.icio.us, to me, is the tags.  This is where WebnoteHappy seems to be the weakest.  I can’t browse my bookmarks by tags (although I could create a Smart Folder based on tags), there’s no tag autocompletion, and when posting to del.icio.us via WebnoteHappy from NNW I’m not given the option to assign any tags (indeed, I’m not even given the option to share the bookmark via del.icio.us).

The second application is a relatively new application; it’s called Socialist.  Socialist appears to be built from the ground up to be a “rich” del.icio.us client.  The relative immaturity of Socialist is showing up in some areas, though:

  • No AppleScript support.
  • No integration with NNW.  (Granted, the list of supported applications is fairly small, but this is a feature I use regularly.)

Fortunately, Socialist does support tags, and does provide a way to browse bookmarks via tags.  The current release doesn’t support browsing via multiple tags or tag autocompletion, but supposedly those features are in the next version of the software (which is due out soon).

Each application has its own unique strengths and weaknesses, and both are lacking some features that I would love to see:

  • Growl support (to provide a Growl notification when a URL is successfully posted to del.icio.us)
  • AppleScript support (so URL management tasks can be automated a bit more)
  • Spotlight integration (ability to search URL and note text from the Spotlight menu)

Of course, I already mentioned browsing via tags (including the ability to select multiple tags and see only the bookmarks tagged with all the selected tags) and tag autocompletion.  If NNW integration isn’t possible, then the ability to at least pull the contents of the clipboard into the new bookmark sheets in each application would be good.  An entry on the Services menu would be handy as well.

Any other products out there I should be considering?  Anyone have any feedback on one of these two products?  I’d love to hear from real-world users on what they like or don’t like about either of these two applications.


Bookmark Spam?

I’ve written before about del.icio.us, and how I find it extremely helpful in marking useful information I’ve found on the Internet.  (Now we just need a way to keep those pages we’ve bookmarked because they were useful or helpful from suddenly disappearing and making our bookmarks invalid.)  In the last few weeks, though, I’ve noticed something odd: bookmarks are being added to my Inbox (the “links for you” section, where other del.icio.us users can save a bookmark for you that they think might interest you) that don’t appear to be related in any way to links that I normally bookmark.  Am I missing something, or is this the start of bookmark spam?

I’m pretty boring when it comes to links, actually.  Unlike some other users whose RSS feed of links I watch, my “linkstream” is pretty much focused around specific technology areas (virtualization, VMware, Active Directory, UNIX/Linux, Macintosh) and Christian topics.  That’s generally it.  So when other del.icio.us users start adding links to my Inbox for topics outside those general areas, it doesn’t really make a whole lot of sense to me.  I can certainly see the value of the del.icio.us Inbox; after all, everyone’s view of the World Wide Web is different, and someone else might be able to find information that I can’t find (or vice versa).  So I could see someone putting a link in my Inbox that had to do with Active Directory, UNIX/Linux integration, VMware, or a Christian topic (like an up and coming new Christian music artist or something).  Links that don’t really have anything to do with links that I normally track are just like e-mail messages hawking wares designed to augment portions of my anatomy…they are not useful, helpful, or otherwise valuable to me.  That makes them spam.

Is this just me creating a problem where one doesn’t exist, or are others also seeing the same trends?  And what steps, if any, are others taking to protect against this?  (Admittedly, it is an extremely low-volume and lower-impact problem right now.  I seem to recall saying the same about e-mail spam years ago.)


Comments Available Again

Due to a massive spam flood amounting to practically a Denial of Service (DoS) attack, all commenting functionality on the site was temporarily disabled for a couple of days.  As of Saturday, 12/16/06, commenting/trackback functionality has been restored.

I’ve had literally thousands upon thousands of comment spam requests in the last couple of days, knocking the site offline several times and forcing Akismet to work three times as hard trying to keep the spam out.  This is now the third or fourth time the site has come under extreme pressure from comment spam bots in the last two weeks, and each time it seems to get a bit worse.

Until I can figure out a way to help keep this comment spam flood from repeatedly taking the site offline, I had to disable all comment functionality on the site.  I apologize to my legitimate readers who wanted to leave valid comments.  Hopefully the changes that I’ve made will help prevent this problem from recurring in the future.


Cocoalicious Fix

As noted in this comment on the Sci-Fi Hi-Fi weblog article about the recent problems with Cocoalicious, it turns out that it may be necessary to change the del.icio.us API URI not only in the Preferences, but also in Keychain Access.

Huh?  In Keychain Access?  Yep, you heard that right.  Changing the URI in Keychain Access from “http://” to “https://” and then relaunching Cocoalicious seems to fix the issue.  Note that you’ll have to re-enter your del.icio.us account password after making the change in Keychain Access, and note that you’ll also end up with two entries in your login keychain for the del.icio.us API.  One entry will have the “http://” prefix, and the second will have the “https://” prefix.  I tried going back and deleting the non-SSL entry, but it just ends up getting recreated anyway so you might as well not worry about it.

I can’t guarantee this will fix everyone, but it seems to have helped a number of us (for whatever reason).


Cocoalicious Woes

A quick Google search turned up this posting by Buzz Anderson, the developer of Cocoalicious, on his Sci-Fi Hi-Fi weblog.  The posting was short and sweet, indicating all that was required was a simple change in the Preferences—exactly what I had found myself.  As you review the comments, however, you see that a number of users are reporting that even with the URL change in the preferences, Cocoalicious is still not working.  And for some, like me, the change worked initially but stopped working later.

The common error that everyone is seeing appears to be this:

2006-09-21 16:14:44.961 Cocoalicious[308] PARSE
ERROR: NSError “Error NSXMLParserErrorDomain 5”
Domain=NSXMLParserErrorDomain Code=5
2006-09-21 16:18:58.210 Cocoalicious[311] NSError “Error
NSURLErrorDomain -1012” Domain=NSURLErrorDomain Code=-1012
UserInfo={
    NSErrorFailingURLKey = https://api.del.icio.us/v1/posts/update?;
    NSErrorFailingURLStringKey = “https://api.del.icio.us/v1/posts/update?”;
}

Anyone have any idea what might be going on?  I have determined, from reviewing the Console logs, that you should not place a trailing slash after the URL in the Cocoalicious preferences; this causes the application to create a URL like this:

https://api.del.icio.us/v1//posts/update?

Obviously, that won’t work.  However, even with the trailing slash not present, my installation of Cocoalicious immediately goes offline as soon as I launch it.  Trashing the preferences file didn’t seem to help, either.

Any insight would be greatly appreciated.  I’ve come to rely upon del.icio.us and using a browser to view my bookmarks is just too cumbersome.

UPDATE:  Macintosh users also running delimport (a Spotlight importer for del.icio.us bookmarks) should update their version of delimport to version 0.2, available from the delimport website.  I just updated delimport myself and new del.icio.us bookmarks are now showing up (they weren’t before).

UPDATE 2:  FYI, I tried a couple of other posting clients, like Postr and SiteTagger, and also received the same NSURLErrorDomain code as with Cocoalicious.  However, Pukka seems to work just fine.


More on the IE VML Vulnerability

Taken from this Dark Reading article, here are a few ways to protect yourself from the VML vulnerability:

  • Unregister the VML DLL (VGX.DLL, found in Program Files\Common Files\Microsoft Shared) using regsvr32.exe.
  • Apply a restrictive access control list (ACL) to the VGX.DLL file.  This weblog entry shows how to help automate this using Group Policy for larger organizations (very handy!).
  • Disable “Binary and Script Behaviors” in Internet Explorer 6.  Unfortunately, this measure may only be temporary, as the exploit is moving beyond its original JavaScript-based incarnation (see below).
  • Switch to an alternate browser or use a virtual browser appliance.

In case you’re wondering why it might be important to protect yourself against this vulnerability, take a look at this article describing the scope of the attacks.  As many as 10,000 web sites could end up hosting exploit code to take advantage of this vulnerability, and researchers are predicting that an e-mail variation may soon follow.

You can obtain additional information about this vulnerability and the corresponding exploit(s) at the following links:

Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability
http://www.symantec.com/enterprise/security_response/vulnerability.jsp?bid=20096

Trojan.Vimalov: A zero-day exploit in VML, in Internet Explorer
http://www.symantec.com/enterprise/security_response/weblog/2006/09/trojanvimalov_a_zeroday_exploi.html

Exploit-VMLFill
http://vil.nai.com/vil/content/v_140629.htm

Microsoft Internet Explorer Vector Markup Language 0-Day
http://vil.nai.com/vil/Content/v_vul26881.htm

Enterprises that don’t want to deploy Group Policy but still want to protect themselves against the vulnerability can use WMIC to remotely run the regsvr32.exe command against remote computers.  Of course, this disables VML functionality, but how many enterprises out there actually use VML?  Here’s the general command:

wmic /node:<PC name> process call create 'regsvr32.exe /u "%CommonProgramFiles%\Microsoft Shared\VGX\VGX.DLL"'

As I’ve mentioned before, you could substitute a text file for the PC name above and WMIC will iterate through the list, performing the same task on each PC in the list.  To re-enable VML functionality, you could use the same process but remove the “/u” switch from the regsvr32.exe command.

UPDATE:  More resources have come to light regarding this VML vulnerability:

Zero-Day Response Team Launches with Emergency IE Patch
Internet Explorer Bug Can Be Exploited Via Email
More Defensive Tactics Against IE’s Newest Vuln


del.icio.us API Change

Fortunately, the fix for Cocoalicious is really straightforward; simply go into the preferences, change the API URI to “https://api.del.icio.us/v1/”, click OK, then exit and restart the application.  All should be well after that.  (At least, it worked for me.)

However, this also means that if you have any scripts or WordPress plug-ins, you may have to modify those as well.  I have a plug-in that lists recent del.icio.us posts in the sidebar, and I’ll need to see if that plug-in (or the plug-in’s configuration) needs to be updated.

(Funny how a “little” thing like a URI can have a ripple effect like this.)


The key to the magic here is the mod_auth_kerb module, which adds Kerberos authentication to Apache.  This module not only allows Apache to use Kerberos on the “back-end,” so to speak, but also supports the SPNEGO and GSS-API stuff on the “front-end” that allow it to transparently authenticate users connecting with supported browsers, without ever prompting for a password.

Preparing Active Directory (Each Apache Server)

These steps need to be repeated for each Apache server that will be authenticating via Kerberos to Active Directory.

  1. First, create a user account (not a computer account) for each Apache server.  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Apache will use the HTTP service principal, a name like “HTTP-lnxservername” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary):
    ktpass -princ HTTP/fqdn@REALM -mapuser DOMAIN\account -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will need its own unique file).  I suggest using the server’s name as the filename, i.e., something like “lnxservername.keytab”.

It would be ideal if we could leverage the existing computer account that may exist for that Linux server for host authentication (I’m assuming you followed my instructions for integrating host authentication into Active Directory, yes?), but for some reason it doesn’t work.  We can use the SetSPN utility to add the appropriate SPN to the computer account, but authentication still doesn’t work.  If any Kerberos/Active Directory gurus out there have some insight on this, please let me know.  (By the way, this may be one reason for using user accounts for all the various SPNs—HOST/fqdn@REALM, HTTP/fqdn@REALM, etc.—as some of the online guides for integrating Linux and Active Directory have suggested.)

Now we’re ready to move on to configuring the Apache servers.

Configuring Apache (Each Server)

Repeat these steps for each Apache server.  In case I haven’t already mentioned this, I’m assuming you’re running Apache 2.0 on Linux, and not on some flavor of Windows.

  1. Download and install the mod_auth_kerb Apache module.
  2. Add the following directives to the Apache configuration, either in httpd.conf or in the conf.d directory in its own file (my installation of mod_auth_kerb created an auth_kerb.conf in conf.d):
    LoadModule auth_kerb_module modules/mod_auth_kerb.so
    
    <Location /secured>
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms EXAMPLE.COM
      Krb5KeyTab /etc/httpd/conf/httpd.keytab
      require valid-user
    </Location>

    Substitute the correct values for the KrbAuthRealms directive (your Kerberos realm name will be your Active Directory domain name in UPPERCASE) and the location and name of the keytab.  (We’ll copy the keytab over shortly.)

  3. Securely copy over the keytab for this server from the Windows server where it was generated using ktpass.exe earlier.  SFTP or SCP are good candidates.  Once the file has been copied over, rename it and place it in the right location, as specified in the configuration entered above.
  4. Change the owner of the keytab to the Apache user (typically “apache” or “web”), and set the permissions to 400 (readable only by the Apache user).
  5. Restart the Apache HTTP daemon for the configuration changes to be read and applied.

Assuming that your Apache server is accessible as web.example.com, you should now be able to fire up a recent version of Internet Explorer (one that supports Integrated Windows Authentication) and navigate to the “http://web.example.com/secured” URL and gain access, without getting prompted for authentication.  A quick review of the access logs (typically /var/log/httpd/access_log) shows that you are being authenticated as the user that is currently logged on to Windows.  (If the browser you are using doesn’t support the transparent authentication, you’ll get prompted for a username and password, in which case you can enter your Active Directory username and password and gain access to the site.)

If this doesn’t work, go back and double-check your ktpass.exe command (noting that the case of the Kerberos principal specified by the “-princ” option is important, as it is case-sensitive).  Also check the permissions on the keytab after it has been copied over to the Linux server; it must be readable by the Apache user (and should not be readable by any other users or groups).  Finally, try unchecking the “Enable Integrated Windows Authentication” option in Internet Explorer, restarting IE, re-checking that box, and then restarting IE again.  (Don’t ask why, but it does seem to help in some instances.)
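The keytab checks described above (owned by the Apache user, mode 400, principal spelled with the exact case passed to “-princ”) can be scripted on the Linux server.  The following is an added example, not code from the original post; it assumes the keytab uses file format version 0x0502, and the function names are made up for illustration.  The enctype name it reports can be compared against the “-crypto” option given to ktpass.exe.

```python
import os
import stat
import struct

# Subset of the registered Kerberos encryption type numbers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def read_counted(data, p):
    """Read a 16-bit length-prefixed string at offset p; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = read_counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp)
        p += 8                            # skip name type and timestamp
        kvno = data[p]
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                     # skip the key bytes; they are never printed
        if end - p >= 4:                  # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
        pos = end
    return entries

def check_keytab(path, expected_principal, apache_uid):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("mode is %o, expected 400" % mode)
    if st.st_uid != apache_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, apache_uid))
    with open(path, "rb") as f:
        names = [e[0] for e in parse_keytab(f.read())]
    if expected_principal not in names:
        close = [n for n in names if n.lower() == expected_principal.lower()]
        findings.append("principal case mismatch: keytab has " + close[0] if close
                        else expected_principal + " not in keytab")
    return findings

def sample_keytab(service, host, realm, etype=3, kvno=3):
    """Constructed sample data: a one-entry keytab with an all-zero 8-byte key."""
    def cs(s):
        return struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + cs(realm) + cs(service) + cs(host)
            + struct.pack(">IIB", 1, 0, kvno)   # name type, timestamp, 8-bit kvno
            + struct.pack(">HH", etype, 8) + bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run check_keytab() as root or as the Apache user, passing the keytab path from the Krb5KeyTab directive, the principal exactly as it was given to ktpass.exe, and the Apache user’s numeric uid.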

Finally, note that a few other browsers also support the transparent authentication.  I personally tested Safari and Shiira on Mac OS X, and both worked fine (after I had obtained a Kerberos ticket, either using the Kerberos application or kinit from a shell prompt).  Camino didn’t work, which is a bummer.  I haven’t tested Firefox yet, but I’m told that Firefox also works, although an extension may be required.

Extensive credit goes to Achim Grolms for his walk-through of using mod_auth_kerb with a Windows KDC.

