Ca(p)tching Cats and Dogs

I read on Jeff Atwood's blog about most strong Captcha having been defeated. Also, on top of visitors getting annoyed by it, the Captcha plugin I am using has gone unmaintained lately. And, one way or another, I am getting comment spam again. Which is something I really hate as you know what I would love to do to spammers.

I am seriously considering giving Asirra a try. It is an interesting project from Microsoft Research for an HIP (Human Interaction Proof) that uses info from petfinder.com to let users set apart pictures of dogs from those of cats. There is also a WordPress plugin, in the best and newest "we want to interoperate" fashion that we are finally getting at Microsoft (this has always been the way to go, IMHO, and BTW).

Anyway, what do you think?

Using Live ID to authenticate to WordPress

Yesterday I was hacking a bit with the Windows Live ID SDK and I wrote a very small and simple plugin for WordPress that enables you to log in to WordPress with your passport Live ID.
I had read in various places that such a plugin would be welcome… I looked around and found none yet (if anyone has instead already written something like this and I missed it I will happily waste the simple stuff I did for something more advanced/well written… just let me know :-)).
I took a look at a similar experiment, and eventually even found that there is some conceptually similar plugin written to work with OpenID. The wordpress openid plugin is much more complex and much more advanced than what I did, though. It will let you log in with just ANY OpenID user, it will automatically create a user for you on that wordpress installation and associate it with your ID, even just for the purpose of commenting, etc.

But in my blog I don't require or need people to actually log in to do anything. I actually like anonymous/free comment. A CAPTCHA takes care of spammers and I am fine with it so far. Probably for a big site with a lot of users it might make sense, but for my blog so far it doesn't. But there's one thing for which this is instead useful: I have always been worried, when logging in through HTTP (thus, without SSL) to my blog from networks I don't manage or completely trust, that my password could be sniffed over the wire and stolen. Live ID solves my problem by letting Microsoft validate my identity: I have associated my Live ID to the blog's main user account (=myself), the one writing this post. So the plugin in its current form is used as a replacement of the login form (the standard wp-login.php wordpress form CAN still be used if you like, of course, you just don't HAVE to. Also the use of xmlrpc will still require local user/pwd combination.). Anyway, this new form will authenticate you through Live ID and then check if your Live ID is associated to any local user. If it is, it will log you on to wordpress with that account. Otherwise it will inform you that you are successfully logged on to passport Live, but unfortunately there is no corresponding local account for you, and that it would need to be set up. Setting it up is as difficult as adding a line to the database… probably adding a form or a property page would be nice, but in my case I just did it with a query:

INSERT INTO `wordpress`.`wp_usermeta` (
`umeta_id` ,
`user_id` ,
`meta_key` ,
`meta_value`
)
VALUES (
NULL , '1', 'LiveID', 'f11fa1d3e82c68776f94a3a5c459b70b'
);

which adds an extra "property" for the first user (admin) called 'LiveID' which contains your Live ID (the one above is not my real one, in case you were wondering). When you are authenticated by LiveID and you get back this value, the plugin checks in this table which WordPress userid in the database has been associated with this Live ID and – if it finds one – it authenticates you as that user. Of course you should not have duplicates.
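
The lookup described above only works as an authentication decision if each Live ID value maps to exactly one local user. The following MySQL queries are an added example, not code from the plugin: they run against a constructed scratch table (usermeta_demo, a hypothetical name) that mirrors the wp_usermeta columns used in the INSERT, first auditing for duplicate mappings and then resolving a Live ID so that a missing or ambiguous mapping yields no user.

```sql
-- Added example: scratch copy of the four wp_usermeta columns used above.
-- Table name and all rows except the first are constructed for illustration.
CREATE TEMPORARY TABLE usermeta_demo (
  umeta_id   BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_id    BIGINT UNSIGNED NOT NULL,
  meta_key   VARCHAR(255),
  meta_value LONGTEXT
);

INSERT INTO usermeta_demo (user_id, meta_key, meta_value) VALUES
  (1, 'LiveID',   'f11fa1d3e82c68776f94a3a5c459b70b'),  -- value from the post
  (2, 'LiveID',   '00000000000000000000000000000001'),  -- constructed
  (3, 'LiveID',   '00000000000000000000000000000001'),  -- constructed duplicate
  (2, 'nickname', 'editor');                            -- unrelated meta row

-- Audit: list every Live ID that is associated with more than one user.
-- Any row returned here is a mapping that must be cleaned up by hand.
SELECT meta_value                                     AS live_id,
       COUNT(DISTINCT user_id)                        AS mapped_users,
       GROUP_CONCAT(DISTINCT user_id ORDER BY user_id) AS user_ids
FROM usermeta_demo
WHERE meta_key = 'LiveID'
GROUP BY meta_value
HAVING COUNT(DISTINCT user_id) > 1;

-- Login-time lookup that fails closed: a user_id comes back only when
-- exactly one local user carries the Live ID; zero or several matches
-- produce an empty result, so the caller has nobody to log in as.
SET @live_id = 'f11fa1d3e82c68776f94a3a5c459b70b';

SELECT MIN(user_id) AS user_id
FROM usermeta_demo
WHERE meta_key = 'LiveID'
  AND meta_value = @live_id
HAVING COUNT(DISTINCT user_id) = 1;
```

Inside the plugin the Live ID value would be bound through a parameterized query rather than a session variable, since it arrives from the authentication response.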

My code is mostly based on the SDK PHP Sample, with some modification to integrate it in WordPress as a plugin. Of course I removed the file that is used as "user database" and used wordpress DB instead.

There's a ton of things that could be improved. I just did not put any more effort and time in it. As you might know if you read this blog, I am not a full time developer. Actually I shouldn't write code at all for work and I am mainly considered an "infrastructure" guy. Anyway, I would like to code more and even if I am not supposed to, I always try to find stimulating situations that require a bit of integration, thinking out of the box, some scripting, etc…

[updated: november 3rd 2007] You can download the sample plugin "AS-IS" here: liveauth.zip . This has only been tested and only works with WordPress 2.3.x series (but should also work with earlier versions – not tested)

[updated: march 30th 2008] WordPress 2.5 has changed the way the authentication cookie is generated, therefore here is an updated version of the plugin that works with the new secure cookies: liveauth02.zip
I should really invest some more time in this and clear up the code. I should also make an interface to make the configuration easier, and maybe make a version that works on both 2.3 and 2.5 branches. I am not sure when I will have time for that, though…

[updated: april 20th 2008] I have released version 0.3c of the plugin which now finally includes a simple configuration page, and should work on both WordPress 2.3 (and older) and on the 2.5 branch. Please visit the new Windows Live ID Authentication WordPress Plugin Page.

Disclaimer:
The information in this weblog is provided "AS IS" with no warranties, and confers no rights. This weblog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion. All code samples are provided "AS IS" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
THIS WORK IS NOT ENDORSED AND NOT EVEN CHECKED, AUTHORIZED, SCRUTINIZED NOR APPROVED BY MY EMPLOYER, AND IT ONLY REPRESENTS SOMETHING WHICH I'VE DONE IN MY FREE TIME. NO GUARANTEE WHATSOEVER IS GIVEN ON THIS. THE AUTHOR SHALL NOT BE MADE RESPONSIBLE FOR ANY DAMAGE YOU MIGHT INCUR WHEN USING THIS PROGRAM.

New Photo Category Visualization

New Photo Category Page

Copying the advice by Small Potato, I made a different page for the 'Photos' category/tag on this blog. It has been a bit trickier than I first thought, because he keeps his pictures uploaded into wordpress itself, while I had to write a small plugin using a regular expression to extract the "IMG SRC" portion of the post content. This way I also experimented with WordPress templates, plugins and structure a bit more than I had done before… and I am even more convinced than before that it can easily be used as a CMS rather than *just* a blogging software.

My lost Facebook Appz! doh!

I am just figuring out that on this post of the 26th of July I mentioned I was trying to write a simple facebook application. I am now realizing I never wrote anything about it anymore. I did not spend a lot of time figuring out all the possibilities, and indeed I have not looked into it anymore since then, but that very night I did write something. Not just one application, but TWO (copycat) very simple applications: my43places and my43things, that pull into your profile the data about the things you want to do you entered in 43things.com and the places you want to visit you entered in 43places.com, respectively.

They are very simple: you enter your user name and they connect to their REST web service, extract the information about your places and/or goals, and show them as a list in a box in your profile.

I don't know why I did not blog about them before… maybe I thought they were too simple? Well, they are, but, seriously: who cares? 🙂

Windows Live ID Web Authentication 1.0 SDK !

Check this out:

Windows Live ID Team has published on the web the SDK that lets you liveID (or "passport")-enable your applications!

http://msdn2.microsoft.com/en-us/library/bb676633.aspx

There are even code samples in six different languages: C#, Java, PHP, Python, Ruby and Perl! You can download them from http://go.microsoft.com/fwlink/?LinkId=91761

Wow! Having time, it would be cool to write a WordPress plugin using Passport authentication to authenticate/identify users that want to comment… mumble mumble….. 🙂

Interoperability. Wow.

More info at the Live ID starting Page: http://dev.live.com/blogs/liveid/archive/2006/05/18/8.aspx

Facebook API and WinForm experiment

While testing with the Facebook API, I started creating a WinForm using the Facebook Toolkit.

What I had in mind was a simple program that would run on my PC, maybe minimized in the system tray, that would let me update my status in a click, through the day, without having to log on to the website. Most of the day I am busy working, and I don't really have time to go surf and check Facebook… but I like the possibility for people to hear how I am doing. Changing the status would keep them up to date, and would keep my profile current.

As I figured out afterwards, their API does not yet let you change your status.

There are other people asking for this possibility… but then I went further searching on the Internet, and I found this blog: http://www.nexdot.net/blog/2007/04/20/updating-facebook-status-using-php/

I just hacked together a small WinForm written in C# that reimplements this idea.

Facebook StateTray

I indeed would like to thank Christian for the idea, and my friend and colleague Pierluigi for his precious help with the regular expressions 🙂

At the moment it has terrible things such as hardcoded passwords in it, but as soon as I have time to polish the code a bit, I will post it.

One more thing I would like to do with it is turning it from a standalone application into a Live Messenger Add-In, so that it synchronizes my messenger status with the one of Facebook. When I will have time for that.

b2 hacks

This blog is based on b2 (cafelog.com).
Since b2 is basically not maintained anymore, I really should be planning a move to its spinoff: wordpress (wordpress.org).

But I can't be asked for now, so I've only hacked a couple of fixes to the code to save myself from comment spam mainly, and fix some other security vulnerabilities here and there.

Sure, there might be more, but which software does not have those?
After all, this is a rather old thing…

Annoying spammer and lame defacers – part three

I am sorry but, since they did it again, I have removed the possibility to post HTML tags into a comment – this way, if the reason of their idiotic comments was that of increasing their ranking in Google, this won't at least be accomplished.

I prefer to leave anonymous posting capabilities to my visitors, but I don't like helping spammers doing their crap.