Encoding problems after export of WP database

I fought for 2 hours today with this nasty little encoding bugger because one of my old blogs that I wanted to restore was stored in the latin1 character set. I tried many different export options and encoding settings, but the one below does the trick. Notice that you need to define the character set.

mysqldump --opt --compress --default-character-set=latin1 -u{UserName} -p{PassWord} dbname > backup.sql

After that you will want to restore the database. Open the backup and find and replace all CHARSET=latin1; with CHARSET=utf8;

Then restore it. I set the charsets to UTF8 on the new db just in case, but I am actually not sure if it is necessary. Anyway, these commands worked for me.

mysql> create database dbname;
mysql> SET NAMES utf8;
mysql> SET CHARACTER SET utf8;
mysql> use dbname;
mysql> source /pathtobackup/backup.sql

Difference between Virtual Machine and Docker

Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

This illustration (source: https://www.docker.com/what-docker) shows quite well how it differs from a normal virtual machine (OK, a hypervisor can also be installed on bare metal/infrastructure, but the illustration does give an idea).

[Illustration: virtual machine compared with Docker]

A fully virtualized system gets its own set of resources allocated to it, and does minimal sharing. You get more isolation, but it is much heavier (requires more resources). With Docker you get less isolation, but the containers are lightweight (require fewer resources). So you could easily run thousands of containers on a host, and it won’t even blink.

There are pros and cons for each type of virtualized system. If you want full isolation with guaranteed resources, a full VM is the way to go. If you just want to isolate processes from each other and want to run a ton of them on a reasonably sized host, then Docker is your friend.

Time for SSL-only internet

There is really no reason why you should not be running only HTTPS (also known as HTTP over TLS, or Transport Layer Security) on your website. Even if you are not running any authentication today, there is a good chance you will in the future. Furthermore, if you care about SEO, Google is going to rank your site higher when you have taken care of security (see: HTTPS as a ranking signal).

Lately I have been configuring a few sites to run on HTTPS, and here are some tips.

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • You need a dedicated IP; it’s easier that way
  • Buying the certificate: if you are new to HTTPS and not sure which certificate to buy, then buy the cheapest single-domain one. If you are paying more than 10 USD for the certificate and you just need to get your website working on HTTPS, then you are probably paying for extras.
  • Make sure you use certificates with 2048-bit keys; I don’t think anyone is selling anything else anymore.
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol-relative URLs for all other domains. This means you need to ensure that all third-party services support SSL, because otherwise you’ll give your users browser warnings alongside some security concerns. For example, if you use a JavaScript CDN, make sure the URLs change like this: src="http://cdn. => src="//cdn.
  • Check out the Google Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
  • Configure a redirect from HTTP to HTTPS
  • I recommend RapidSSL or PositiveSSL. I have been using PositiveSSL from namecheap, but there are even cheaper ones at https://www.cheapestssls.com/. There is also a free certificate at https://www.startssl.com/, but I have not tried it personally. Though, free is probably never free. Maybe it is OK for test environments and sandboxes, but I would use RapidSSL or PositiveSSL for production.

Be secure out there… you can test your server security level and configuration with the Qualys Lab tool.
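To find the references the URL tips above are about before switching a site over, the following added example (not part of the original post) scans markup for http:// subresources and suggests the rewrite each tip calls for. The host names, the sample markup and the names MixedContentFinder and find_mixed_content are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag/attribute pairs that make the browser fetch a subresource. Plain
# <a href> links are navigation, not mixed content, so they are not listed.
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"),
            ("link", "href"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, original URL, suggested URL)

    def handle_starttag(self, tag, attrs):
        attr_map = {k: (v or "") for k, v in attrs}
        rels = set(attr_map.get("rel", "").lower().split())
        if tag == "link" and not rels & {"stylesheet", "icon"}:
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        for name, value in attr_map.items():
            if (tag, name) not in FETCHING:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # relative, protocol-relative or https already
            # Tips above: relative on the same domain, protocol-relative elsewhere.
            same_site = (parts.hostname or "") == self.site_host
            fixed = urlunsplit(("", "" if same_site else parts.netloc,
                                parts.path or "/", parts.query, parts.fragment))
            self.findings.append((self.getpos()[0], tag, value, fixed))

def find_mixed_content(html, site_host):
    """Return every http:// subresource reference with a suggested rewrite."""
    finder = MixedContentFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup for a site served from www.example.com.
SAMPLE = """\
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/jquery.min.js"></script>
<a href="http://other.example.org/">an ordinary link</a>
"""

if __name__ == "__main__":
    for line, tag, url, fixed in find_mixed_content(SAMPLE, "www.example.com"):
        print(f"line {line}: <{tag}> {url} -> {fixed}")
```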

 

Getting started with Sitecore MVC

Earlier this summer I finished my first Sitecore project in MVC. I have worked on some Sitecore implementations before where there has been a mix of MVC and WebForms, but this time I finally had a chance to build the presentation from the ground up, so naturally I chose MVC. I have to admit I never felt at home with .NET WebForms, even though I have been working with .NET since version 1.0. For me, the whole point of abstracting away some of the difficulties of a stateless protocol has always caused more confusion than benefit. Probably because I came to the .NET world from web development and had never developed on Windows. Anyway, what gave me a quick start to MVC in Sitecore were these two videos.

Sitecore MVC – Getting Started (Part 1)

Sitecore MVC — View Renderings, @Html.Sitecore(), and Custom Models (Part 2)

How does the OpenSSL vulnerability affect me?

If you are running Unix and HTTPS, you should review your server. If you are a website user on Mac or Windows, you might need to change your passwords on some of the services.

I found this good FAQ on Reddit summarising the vulnerability and thought I would copy and paste it here:

— clip —

What should I be doing as a user?

If you’re on Linux, update to the latest openssl libraries (ensure that the package was updated today and covers CVE-2014-0160). Ubuntu and Debian already have packages out to fix this.

If you’re on OSX, the latest openssl available there is 0.9.8, which is not vulnerable. You don’t need to update anything (unless you installed a vulnerable version manually, in which case you should update)

If you’re on Windows, it doesn’t come with openssl. If you installed it yourself (through cygwin, for example), you should check what version it is and try to update it if it is a vulnerable version.

If you did have a vulnerable version of openssl installed, you should restart all of your computer applications after you update it to ensure they start using the new library.

What should I be doing as a sysadmin / website administrator / other?

Immediately update openssl libraries on any system having vulnerable versions which are hosting SSL/TLS services. Again, make sure the update covers CVE-2014-0160. If you’re using openssl 1.0.0 or older, you’re not vulnerable to this bug.

It is probably reasonable to consider any private keys from vulnerable services to be compromised, and as such you should replace those keys/certs and revoke the old certs. Failure to revoke the old cert could mean that any private keys acquired using the vulnerability could then be used to impersonate your site on the internet with full PKI trustworthiness – a very bad outcome.

Can I test to see if an external website is vulnerable to this?

Unfortunately the only way to determine if a website you don’t manage is vulnerable to this is to try and exploit it. I’d recommend against trying this unless you are fully aware of the potential legal repercussions of doing so.

What does this mean for accessing my bank / facebook / other random website?

If the website you are connecting to hosts SSL (HTTPS) and has this vulnerability, an attacker connecting to that website can view a small window (64k) of memory from the application which is terminating SSL. This window may contain a lot of things, including SSL certificates, SSL session data, or usernames/passwords, depending on the design of the terminating app.

As such, the most prudent thing to do would be to avoid connecting to those services until you can be reasonably assured that they are not affected by this vulnerability. Unfortunately this is a bit of a quagmire as determining if they’re affected is difficult to do. There is no good solution to this, other than to wait for those various websites to confirm they have fixed the issue, or to verify they aren’t vulnerable through third-parties or by testing yourself (see above regarding legal repercussions of testing yourself).

If you find that a site which you have used was vulnerable to this issue, you should change your username/password as soon as it has been confirmed fixed, for prudence’s sake.

Luckily most bank software is very slow to update (meaning they’re often on openssl 0.9.8, which isn’t affected), or makes use of proprietary SSL libraries, and as such it is unlikely that they are affected by this vulnerability. I’ve seen tests against a bunch of banks and saw no notable ones which are affected by this vulnerability. Unfortunately there will be some financial institutions affected by this.

— clip —
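The two local checks the FAQ describes (which openssl version is installed, and which applications still need a restart after the update) can be scripted on Linux. This is an added example, not part of the original post or the quoted FAQ; the function names and the sample inputs are assumptions, and the affected range used is the upstream one for CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```python
import re

# Upstream releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. The 0.9.8 and 1.0.0 branches never had the heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def classify(version_line):
    """Classify the first line printed by `openssl version`."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base < (1, 0, 1):
        return "not-affected"
    if base == (1, 0, 1) and letter < "g":
        # Distributions backport the fix without changing this string, so
        # confirm in the package changelog that CVE-2014-0160 is covered.
        return "affected-range"
    if base == (1, 0, 2) and beta is not None and int(beta) <= 1:
        return "affected-range"
    return "fixed-upstream"

def stale_ssl_libs(maps_text):
    """Return libssl/libcrypto files that a process still has mapped although
    they were replaced on disk, i.e. the process has not been restarted."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) == 6 and fields[5].endswith(" (deleted)"):
            path = fields[5][:-len(" (deleted)")]
            if re.search(r"/lib(ssl|crypto)\.so", path):
                stale.add(path)
    return sorted(stale)

# Constructed sample in /proc/<pid>/maps format (not from a real host).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a055000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a400000-7f1c2a5b0000 r-xp 00000000 08:01 132 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c2b000000-7f1c2b1c0000 r-xp 00000000 08:01 140 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", classify(sample))
    print(stale_ssl_libs(SAMPLE_MAPS))
```

On a real host the input for stale_ssl_libs would be the contents of /proc/<pid>/maps for each running process, read after the package update.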

Is this a design flaw in SSL/TLS protocol specification?

No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library, which provides cryptographic services such as SSL/TLS to applications and services.

In the following video, Elastica’s CTO Dr. Zulfikar Ramzan walks through the mechanics of the Heartbeat (Heartbleed) flaw (at a high level), how an attacker can exploit it, and its underlying ramifications.

OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics from Elastica Inc on Vimeo.

See also http://heartbleed.com/

Essential Run and PowerShell Commands for Web Developer on Windows

Just like Windows 8, Windows 2012 Server does not have a Start menu anymore. Therefore I have had to memorize a few commands to get around on the server. Here is a list of the Run and PowerShell commands that I use the most.

 

Run / Command Line Commands

Command                               Result
appwiz.cpl                            Add/Remove Programs
control                               Control Panel
cmd or cmd.exe                        Command Prompt
Downloads                             Opens download folder
diskmgmt.msc                          Disk Management
diskpart                              Disk Partition Manager
desk.cpl                              Display Properties
dpiscaling                            DPI Scaling
control folders                       Folders Properties
gpedit.msc                            Group Policy Editor
iexplore                              Internet Explorer
firefox                               Firefox
control keyboard                      Keyboard Properties
control netconnections or ncpa.cpl    Network Connections
notepad                               Notepad? ;)
osk                                   On Screen Keyboard
perfmon                               Performance Monitor
regedit.exe                           Registry Editor
msinfo32                              System Information
msconfig                              System Configuration Utility
taskmgr                               Task Manager
firewall.cpl                          Windows Firewall
control userpasswords2                Open password manager
InetMgr.exe                           Internet Information Services (IIS) Manager 7
InetMgr6.exe                          Internet Information Services (IIS) Manager 6
mstsc.exe                             Remote Desktop Connection
netstat                               Network Statistics
net statistics                        Check computer up time
net stop                              Stops a running service, e.g. net stop iisadmin /y
net use                               Connects a computer to or disconnects a computer from a shared resource, displays information about computer connections, or mounts a local share with different privileges
runas                                 Run specific tools and programs with different permissions than the user’s current logon provides
ping                                  Determine whether a remote computer is accessible over the network
tracert                               Trace route
taskkill                              Terminate tasks by process id (PID) or image name
start                                 Starts a separate window to run a specified program or command.
start .                               Opens the current directory in Windows Explorer.
shutdown.exe                          Shutdown or reboot a local/remote machine
ipconfig                              Try ipconfig /flushdns

 

The full reference can be found here. Also worth checking out is Useful Command-line Commands on Windows at Serverfault.com.

PowerShell

Command                           Result
Get-Help                          Example: Get-Help -Name Get-Process
Set-ExecutionPolicy               You can use the Set-ExecutionPolicy command to control the level of security surrounding PowerShell scripts.
                                  Set-ExecutionPolicy Unrestricted
Get-ExecutionPolicy               C:\PS>set-executionpolicy RemoteSigned; get-executionPolicy
Get-Service
ConvertTo-HTML
Stop-Service and Start-Service    Start/Stop service on local computer:

PS C:\> Stop-Service -Name Spooler
PS C:\> Start-Service -Name Spooler

Start/Stop service on remote computer:

PS C:\> $ServiceObj = Get-Service -ComputerName MyPC1 -Name spooler
PS C:\> Stop-Service -InputObj $ServiceObj
PS C:\> Start-Service -InputObj $ServiceObj

Export-CSV
Select-Object
Get-Process and Stop-Process