More Evidence that Geniuses Collaborate

This evening I picked up The Geography of Genius out of the pile of books I’m currently reading and dove in again. As I mentioned in the tweet (above), this book is the first of Eric Weiner‘s brilliant writing that I’ve been exposed to, and I am hooked.

I’m only about 100 pages in, and I’ve traveled with Weiner to Athens, Hangzhou, and now Florence. He’s making the case that something about these locales—not just the places, but the conditions that existed at specific moments in history—sparked creativity and innovation in ways that are worth studying.

Reading his accounts, you get the sense that the individual geniuses who made these places famous required the opportunity to bump up against other geniuses in a “nitro, meet glycerin” way in order to produce the explosive bursts of talent (and the products of talent) we attribute to them individually.

This line of reasoning called to mind a point that Walter Isaacson loves to make. He drills the idea home in The Innovators, but it shows up in his other works as well. The one I just finished was his brilliant biography of Leonardo Da Vinci, and it surprised me to find that he made the same point in it as well. The point he makes is that the most effective innovators (geniuses, inventors, change agents, whatever you want to label them) collaborate.

We may remember the names of certain individuals, but usually only when they were surrounded (by choice or by happenstance) with others who helped fuel their creativity, add missing ingredients, or even finish their works of genius.

How to Stop Websites from Offering to Send Notifications

Perhaps someone out there woke up one day and thought to themselves:

You know what I want? I want nearly every website I visit today to throw a pop-up in my face offering to notify me about whatever they find exciting! That way, when I’m minding my own business trying to get stuff done, I’ll have brand new distractions to prevent me from being able to concentrate!

…but that isn’t something I’ve dreamed of, personally. And you may have detected a mild tone of sarcasm here (if not, I apologize that it wasn’t more obvious), but the bottom line is that I really don’t want to be bothered.

I don’t want to be bothered with the question about whether I’d like to get notifications, not to mention notifications themselves!

Good News: You Can Block These in Your Browser

And I mean you can block the questions as well as the actual notifications.

Thanks to Steve Gibson from Gibson Research Corporation, who mentioned this on a recent episode of the Security Now! podcast, here’s a handy set of instructions for you.

Time needed: 2 minutes.

How to Block Websites from Offering Notifications in Google Chrome

  1. Open Chrome’s 3-dot menu and click “Settings”

    Using any desktop version of Google Chrome*, locate the 3-dot menu (from Windows and Linux, this is typically at the top right), click it, and then choose “Settings” from the menu that drops down.

    *or Chromium, if you’re rocking the open source version like I am.Security Now!

  2. Click “Advanced” (at the bottom), then find “Content Settings” (or “Site Settings”) in the “Privacy and Security” section

    The setting we’re looking for is hidden under the “Advanced” section, which you can find by scrolling all the way to the bottom of the “Settings” page that opens up. Once you click “Advanced,” the page expands and you’ll see a new section called “Privacy and Security” which contains a number of rows of options.

    Look for the option labeled “Content Settings” (that’s what it was called in my version) or “Site Settings” (this is what Steve Gibson’s instructions said, so his version—and maybe yours too!—might be different).

  3. Click on the “Notifications” option, then move the “Ask before sending” slider to the left

    When you click “Notifications,” a new screen opens up, and if your version of Google Chrome still has the default setting, you’ll see a line near the top that reads, “Ask before sending (recommended).”

    When you move that slider to the left, it turns the notifications requests off, and you should see the text change to “Blocked”.

    Voila! No more requests from websites!

    (While you’re here, you should see a list of any specific sites you’ve either “blocked” or “allowed” notifications from, and you can review/edit your settings.)

How to Block Notification Requests in Firefox

If you use Mozilla Firefox, which is my “daily driver” browser these days, you can block these notifications requests there as well. Here’s how:

  1. Open a new tab in Firefox and type the following in the address bar:

    about:config
  2. You will most likely see a warning that says, “This might void your warranty!” If so, click “I accept the risk!” to continue.
  3. You’ll see a search box at the top of a long list of configuration items. Type in:

    webnotifications

    …and press “Enter”
  4. Locate the setting named, “dom.notifications.enabled” and toggle it to “false.” (I did this by double-clicking it.) It should turn “bold” in appearance, and the “status” column should change to “modified.”
  5. Close the tab. You’re done!

How to Test Your Browser to Confirm the New Settings

As Steve Gibson pointed out, Mozilla (makers of Firefox) were kind enough to build a page just so we can test our browsers to see if the notifications settings change was successful or not.

Well actually, the page was built to serve as part of Mozilla’s excellent developer documentation, but if you visit it from a browser that has the notifications enabled (which they are in most browsers by default), it will pop up a request every time!

The page is called Using the Notifications API. Click it now to see if your settings change worked!

Did You Find This Useful?

I hope so! Feel free to share it, of course. But maybe head on over to Twitter and give Steve Gibson a quick “thank you” for sharing!

And if you’re interested in security and privacy online, be sure to subscribe to Security Now! on your favorite podcast app. It’s worth the listen!

Beware United’s Basic Economy Fare

I’m not super-picky when it comes to air travel.

Many consultants demand Business Class or First Class seats as part of their contracts, and while I definitely see the rationale—time is valuable, reducing the frustrations associated with traveling allows one to be fresher and more at their best, etc.—it’s never felt right to me to push those kinds of requirements onto our clients who are already making substantial investments in our fees.

And so, I often look for ways to minimize travel expenses. But boy did I get nailed by that recently.

Surprise! You Can’t Sit With Your Wife…

Not long ago, I booked flights for my wife and me (she works closely with me these days) via Expedia to go spend some time with one of our clients. We looked at a bunch of different options that were all roughly in the same price range, and ultimately made our decisions mostly around departure and arrival times.

It was only after I booked the flights that I got an email from United “reminding me” of the restrictions on the “Basic Economy” fare:

Screenshot from United’s email with the subject line, “Important: Basic Economy restrictions on your United flight”

Oh. You wanted to choose your seat? We’re sorry. That privilege is reserved for people who paid more than $100 for the upsell to “Economy.”

Footnote #1 reads:

Seats are assigned prior to boarding, and customers traveling together, including families, may not be able to sit together. Advance seat assignments may be available for purchase during booking and up until check-in opens. Prices start at $5, based on route and availability. You will also not be eligible to purchase Economy Plus® seating or premium cabin upgrades, or receive Economy Plus subscription benefits. With standard Economy, customers traveling together can choose seats together if open seats are available.

Oh. Did you plan to actually sit next to your wife on the plane? We’re sorry. That privilege is reserved for people who paid more than $100 for the upsell to “Economy”

Oh. You wanted to bring a carry-on bag with you on the plane? We’re sorry. That’s only available for people who weren’t too cheap to pay for “Economy” tickets.

Mind you, I knew I couldn’t change the flight. I also noticed the nonrefundable nature of the tickets. These aspects of the airfare I chose were clear.

But these other restrictions were not clear at all during the checkout process at Expedia. And I pay attention to details like this, as a rule.

After tweeting about it, United was quick to let me know that I could potentially pay for the privilege of selecting seats:

United: Show Some Basic Courtesy and Make This Clear, Will You?

In my opinion, if you’re going to compete with other airlines on a marketplace like Expedia, you should go to great lengths to inform passengers when basic privileges like selecting a seat and taking a carry-on with you aren’t included in your fare. The other airlines whose flights I passed over because the times were slightly less convenient included those privileges at the price point that I paid.

There were 2 major indications (after the purchase, of course), that things were awry.

The first was that I got an email from Expedia announcing that my seat assignment process had encountered an error. Funny. I don’t recall selecting seats. Hmmmm…

Then, the email (screenshotted above) from United which purported to remind me of the restrictions came in. That is how you draw attention to the differences between fares—not by hiding it in all the mouse-point type that a user has to click through in order to complete the booking process. (And I’m being generous here. I’m making the assumption that this information was actually in the mouse-point type on the page. Obviously, I can’t go back and confirm.)

I did skim the information presented to me at the time and didn’t notice these restrictions. Had they been obvious, I would’ve noticed it and chosen different flights.

Anyway, that “reminder” email from United Airlines went on to ask for feedback since this is a “new fare,” and it was immediately clear to me that they were trying to head off problems before I arrived at the airport and learned that I had none of the few remaining basic privileges that a passenger should be able to expect.

So now I’ve spent $76 in fees just to select the seats we’ll be occupying for our flights so that we don’t end up being “automatically assigned” the least-desirable middle seats on the plane. But even after doing that, it doesn’t appear that we can bring a full-sized carry-on bag aboard the flight. Thanks a lot, United.

I’m not the only one who has noticed just how bad the “Basic Economy” fare from United is:

United Airlines Basic Economy fares are more restrictive and punitive than any of the other US carriers. From having to see an agent at the airport to check-in when not checking a bag to not getting a carry-on bag to the worst seats being automatically assigned to basic economy passengers at check-in — United’s Basic Economy is the worst.

— The Points Guy’s “How To Survive Basic Economy on United Airlines

After this experience, and given United’s response to my Tweet, they’re going to the bottom of my list. Right down there next to Spirit Airlines, where apparently they now belong.

Ubuntu SSH Client: Too Many Authentication Attempts

I’ve been using a “config” file located at ~/.ssh/config to list out the identities of the various SSH hosts that I connect to on a regular basis. It was successfully preventing me from having to keep track of the usernames for the various accounts I was connecting to on the servers, but when I got to a certain number of entries in the file, I started getting this error:

Received disconnect from *HOST*: 2: Too many authentication failures for *USERNAME*

I Googled around and tried various solutions, including using ssh-add and had limited success, but running an ssh -v hostentry command for a given connection (the -v puts the command in verbose mode) allowed me to see that my machine was still offering up multiple keys.

This seems counter-intuitive to me. The whole point of using the config file is to tell it which key to use, right? Why should I even need to add the identity to the SSH agent? And I wasn’t about to increase the number of retries on the servers. That seems like a recipe for disaster. I should only need one try because I have the right key sitting here!

I finally ran the right Google search and discovered this SuperUser (StackOverflow) question, which had the missing component I needed in one of its answers.

The critical element in the config file that forces the SSH client to use only the key specified is this line:

    IdentitiesOnly yes

Adding that to each of the entries in the config file (immediately below the “IdentifyFile” declaration) did the trick.

So now a typical entry in my config file looks something like this:

Host myshortcut
  HostName somedomain.com
  user someuser
  IdentityFile ~/.ssh/somekey_rsa
  IdentitiesOnly yes

I hope this helps someone!

Comcast Injecting Code into TLS-Encrypted Pages

A few days ago, I was sharing my screen from my laptop with a colleague, when up popped a notification informing me that Comcast (through its Xfinity brand) was no longer supporting my equipment and instructing me that it had to be replaced.

Now before you jump to any conclusions, let me clarify the exact conditions under which this notification appeared:

  • The notification appeared in a single browser tab
  • The browser was the latest version of Firefox, running on Ubuntu 18.04.1
  • The page was from a server under my control, which my colleague and I were working on at the time. It was completely free of any foreign JavaScript that would have allowed or facilitated a Comcast code injection
  • The connection was encrypted via TLS 1.2 with a secure cipher
  • The TLS certificate on the server side was a current one issued by Lets Encrypt
  • Firefox gave the connection a “green padlock” with no mixed content warnings, as in this screenshot (except that I didn’t examine the cert in my browser at the time like I did when capturing this graphic):
This screenshot was captured at a different time, but is representative of what I saw on the page that Comcast injected its code into recently. The difference is that in this screenshot, I was connected to the same site through a VPN.

Authentic Comcast Notification

I didn’t have the presence of mind to screenshot everything at the time the notification appeared. I wish I had. The fact is that I was deep into a lengthy session with my co-worker, and we were focused on the project at hand.

Also: I was flabbergasted.

Comcast is notorious for injecting code into subscribers’ browsers, most notably to track browsing behavior, display its own ads, and warn users about data caps. But that sort of activity is precisely why the EFF and others have been promoting HTTPS everywhere. TLS encryption should prevent what is essentially a “man in the middle attack” by ISPs like Comcast against its own customers.

None of this was news to me.

And while I didn’t screenshot the “end of life notification” regarding the Comcast-issued on-premise equipment, I did click through from the notification.

In a new tab, I was shown the exact model numbers of the equipment for which Comcast was ending support (i.e. only the model numbers in use at my location, and in the correct quantity), and was taken through a simple “wizard” which offered to send me the replacement equipment in a self-install kit. Although I clicked through to see exactly what it would do, I did not submit the form, instead choosing to click a link which opened this support article about “end of life” equipment in a new browser tab.

Had I not been under time pressure related to the project we were working on (and had I not also been bearing the cost of the person’s time who was on the other end of the active screen-sharing session), I might have taken the time to investigate further. Regrettably, I did not do this. It surely would have netted me the specific lines of code injected into my browser on top of the screenshots which I should have captured, but didn’t.

The bottom line, however, is that the message was authentic. The equipment in question was correctly beyond its end of life, and the notification was being served from Comcast.

Also: my machine is clean. I run very few browser extensions. None of them are known to have any vulnerabilities. And my machine is—by every indication, including clean scans—free of malware.

Exit Xfinity

Rather than requesting a self-install kit with replacement equipment, I packed up the end-of-life gear and took it to a local Xfinity store, cancelling my service.

I’ve had television service with Comcast/Xfinity for the better part of the last decade, and internet service for many years longer.

But I would have cancelled the account much sooner were it not for the utter lack of competition in my area. Broadband service can essentially only be had from 2 vendors at the location in question. They both gouge customers with excessively high fees, exploiting the unfair economics of the situation.

But this incident was the last straw.

Comcast had violated me one too many times. Hopefully they won’t turn out to have been the lesser of two evils. Time will tell. In the meantime, something must be done to level the playing field so that ISPs who don’t egregiously abuse the privacy of their subscribers can compete effectively.

Inline Code in DokuWiki

Call me picky, but I didn’t want to be forced to use a code block every time I wanted to include a little bit of code. Sometimes, it’s just handier for the code to be inline so it doesn’t disrupt your text, but still clearly looks like code.

So today, I’d had one too many occasions to try to make it work (unsuccessfully), and I dug around and found this answer on StackOverflow. It took me a moment, to realize that it was from Andreas Gohr, the creator of DokuWiki.

In short, just enclose your text in ''%% and %%'' like this:

Here's a sentence I'm typing and ''%%this is code%%'' I want to include inline.

This works beautifully!

Ironically, it’s not shown in the official syntax documentation, except that if you view the source for that documentation, you realize this technique is actually used to put inline code throughout the syntax documentation.  😉

(Now why didn’t I notice that and think to look at the source code? Sheesh.)

How to Recover a Lost Draft in DokuWiki

TL;DR grep your filesystem for a unique fragment of text that’s likely to only appear in the content you lost when your draft disappeared. Step-by-step instructions here.

Not long ago, we started using DokuWiki as an internal solution for documenting technical details, systems, and best practices in our digital marketing agency. Let me just say that I love the software. It’s easy to install and configure, training users on it is relatively painless, and its simplicity makes it an amazing solution for purposes like ours.

But… like any new system, getting accustomed to its quirks can take some time—especially quirks you don’t run into very often.

Today, I was working on a lengthy new page in DokuWiki and I got busy researching something in another browser tab (or 10). Naturally, I hadn’t hit the “Preview” button, nor had I saved a version.

You can probably guess where this is headed.

I returned to the browser tab where I had DokuWiki open and found the dreaded “editing lock expired” message.

Normally, this wouldn’t be a big deal. We aren’t typically handling lots of concurrent users, so often only one of us is doing any editing at one time, much less the same page. And I’ve found that just by clicking one of the options, I can usually get right back to the editor.

But this was a brand new page that hadn’t been saved yet.

And, being in a hurry, I just started clicking buttons and not paying attention to what I was doing. The next thing I knew, I was looking at an empty editing window..

And this was after spending more than an hour working on the content for the page. It was gone. All of it.

The one thing I had going for me is that I had noticed a “draft autosave” message in the browser at one point. So, I went looking to see if I could find the draft.

Where DokuWiki Stores Drafts

If there had been a saved draft, DokuWiki would have shown it to me when I visited the “edit” screen for that page again. But I didn’t get a message about an existing draft. Also, the “Old Revisions” tab for the page was empty. This made me suspect that my draft had been lost.

So… I connected to the server (via SSH) where the instance of DokuWiki was running and started looking around.

After some Googling, I found that by default, DokuWiki drafts are automatically saved in the /data/cache folder, sorted into numbered subfolders.

Issuing the ls -lt command, I could see which subfolders were the most recent ones, and I looked through them. There were no files with a .draft extension, which explained why DokuWiki hadn’t shown me a draft for my page when I re-opened the editor.

But since I knew I had seen the “draft autosave” message previously, I knew there had been a .draft file at one point. Given that the file no longer existed, surely it had been deleted!

Well that’s great… we can undelete files, right?

Not so fast. This particular server is a VPS instance at Digital Ocean that we use for intranet purposes. Being that it’s a VPS, the typical data recovery tools for Linux like TestDisk and foremost aren’t much help. Virtualized disks means virtualized storage… or something. I’m out of my depths here.

Let’s just say that I tried both of them and didn’t get the result I was hoping for.

Recovering Text Files in Linux

Since DokuWiki stores content in text files on the server, it occurred to me that I should look specifically for a means of recovering .txt files (not even one of the available options in foremost, which has command line options for various file types).

A found a tidbit on recovering deleted plain text files in Linux that gave me some hope. And after just a couple of minutes, I found the entire contents of the last “draft” of my DokuWiki page. Here’s exactly how I did it.

Steps to Recover a Deleted DokuWiki Draft in Linux

  1. Browse the filesystem on the server where your DokuWiki installation is located. In my case, I used ssh to connect to our intranet server in a terminal window.
  2. Determine where the partition containing your filesystem is “mounted” in Linux. From my terminal window, I ran the mount command (on the server, of course) to display a list of mounted filesystems (details on the mount command here). Just running the command by itself with no command line options will display the full list. It’s a lengthy, hairy mess.

    On a normal Linux workstation (non-virtualized), you’d typically be looking for something like /dev/sda1 or /dev/sdb2. On the Digital Ocean VPS, I spotted a line that began with /dev/vda1 on / type ext4. I decided to give that a try.
  3. Next, you’ll need to recall a bit of text from the page you were writing when your draft got lost. The more unique, the better. Also, the longer, the better.

    The command we’re going to run is going to look for bits of text and then kick out the results from its search into a file you can look through. If you use a short or common string of text in the search, then you’ll get a huge file full of useless results (kinda like running a Google search for a common word like “the” would produce).

    In my case, I’d been working on some technical documentation that had a very specific file path in it. So I used that as my search string.
  4. Run the command below, substituting your unique phrase for ‘Unique string in text file’ (be sure to wrap your text in single quotes, though) and your filesystem location for /dev/vda1
    grep -a -C 200 -F 'Unique string in text file' /dev/vda1 > OutputFile
  5. Wait a few minutes. In my case, the grep command exhausted the available memory before too long and exited.
  6. Look through the file that got created. You could use a command like cat OutputFile or, as long as the file isn’t too huge, you could even open the file in an editor like nano by using nano OutputFile. The advantage to the latter method is that you can then use CTRL+W to search through the file.

    On my first attempt, I used a shorter, more common phrase and got an enormous file that was utterly useless. When I gave it some thought and remembered a longer, more unique phrase, the resulting file from the second attempt was much smaller and easier to work with. I found several revisions of my draft, and that gave me options to work with. I decided which was the most complete (recent) and went with it.
  7. Copy the text. You can then paste it somewhere to hold onto it, or just put it right back in DokuWiki. Just be sure you hit “Preview” or “Save” your page this time around.

One quick note: I’m not sure if it was necessary or not, but I actually ran the commands above as “root” by running sudo -i first. I haven’t tested it, but this may actually be a requirement. You might also just be able to preface the commands with a sudo (e.g. sudo grep -a -C 200 -F 'Unique string in text file' /dev/vda1 > OutputFile ). For either of these to work, you’ll obviously need to have an account that has the ability to run sudo.

I hope you find this useful! If so, I’d love to hear about it. Also: if you have questions or problems, you’re welcome to leave those in the comments as well. If I can help, I will gladly do so!

Testing Out Collaborative Editing in Google Docs for WordPress

OK it’s not every day that I get super excited about new WordPress features. But today, Matt announced something that made me jump out of my chair and yell for joy.

What is it?

Google Docs integration for WordPress

The idea is that you create your content in Google Docs, using all of the lovely collaborative features like multiple (even simultaneous!) authors, commenting, great editing tools, cloud-based storage, and so forth.

Then… once it’s ready to go, push a button and voila! — the content shows up in your WordPress site.

The magic happens thanks to Jetpack, which we users of the WordPress software use to connect up our self-hosted sites to Automattic’s WordPress.com infrastructure.

So… you need to have the Jetpack plugin enabled and your site connected.

Then you need to use the WordPress.com for Google Docs add-in (that link goes to the Google Web Store page for the add-in, but you can also get it by going to “Add-ons” inside a Google Doc).

As much as I love the WordPress editor, this is a game changer. I live in Google Docs, especially since I acquired my first Chromebook about a year ago.

There’s one more hiccup. The authentication passes through multiple layers (after all, you wouldn’t want just anyone editing a Google Doc to be able to push content to your website, would you?):

  1. Your Google Account (make sure you’re signed in to the one you want)
  2. Your WordPress.com account — meaning the account that you used to connect your self-hosted WordPress site up to the Jetpack/WordPress.com infrastructure. (Here again: make you’re signed in to the right one!)
  3. Your local WordPress account (meaning the account that you sign in to your actual WordPress site with)

It was at that last authentication step that I hit a snag:

I had never activated the Jetpack JSON API on this site. So… I had to go through the Authorization process one more time after fixing that.

But hey! Needing to screenshot an error message gave me a chance to see how images work in this whole process. I’ll let you know once this content gets pushed to my WordPress site!

Update

After hitting the “Save Draft” button, my content got magically pushed to this site. (If you hadn’t figured it out, I wrote the first draft of this in Google Docs!)

The image came along with it!

But…. my cropping didn’t. The image above is the full screenshot. In Google Docs, I had cropped it to get rid of the 37 Chrome tabs and so forth (hyperbole, I know, but that’s only one of my 3 current Chrome windows!).

All in all, this is a fantastic experience. There’s even a button in Google Docs to “Preview” the post on the live site, and of course a way to update the draft from Google Docs.

I’m guessing you’ll have to manage your own workflow for which version is the latest. I assume if I make changes on my site, but then hit the “Update Draft” button in Google Docs, that version will overwrite whatever is on the site. But this is to be expected. (And I haven’t tested it yet, so… who knows?)

Way to go, team WordPress!!

Join me at WordCamp Miami 2017

Now that it’s been officially announced, I’m excited to invite you to join me for a discussion about “Getting Real Business Results from Your Content Marketing Efforts” at WordCamp Miami!

The event runs March 24-26 (Friday through Sunday) at Florida International University in Miami. The Miami gathering is one of the longest-running and most well-respected events in the WordCamp series, and it’s an honor to be invited to participate.

Last year, the weekend was outstanding, and my lovely wife, Jill, and I are truly looking forward to another spectacular time in South Florida!

Hawkins Road Festival 2017

My family & I are definitely looking forward to the first-ever Hawkins Road Festival on Saturday, February 18th!

This looks like a truly unique community celebration for Sarasota, featuring music, art, spirituality, and social awareness. Oh… and food trucks. And stuff for kids.

Should be fun!