wordpress upgrade script

If there’s one thing that gets old really fast, it’s upgrading WordPress every time a new release comes out. Finally fed up enough to look for a solution, I found this script that promised to automate the job. Unfortunately, it has a number of flaws including not copying the “uploads” directory and being overly complicated.

Next, I found this script. Not only is it simpler, but it also downloads the source for you. Perfect! It seems to work–below is my modified version, however, that is a little less “finicky” about where it is run from, and properly cleans up after itself. Of course, you need to change the second and third lines of the script to suit your needs.

I hope this saves somebody some aggravation…

#!/bin/bash

BLOGDIR="/home/jmaki/webopticon.com"
SITEURL="http://www.webopticon.com"

echo "Updating Wordpress in $BLOGDIR"
# Stop if the blog directory is missing; otherwise the cleanup in
# step 5 would run in whatever directory the script was started from.
cd "$BLOGDIR" || exit 1
cd ..

echo "1. downloading latest build"
wget -q http://wordpress.org/latest.tar.gz || exit 1

echo "2. unpacking latest build"
tar zxf latest.tar.gz || exit 1
cd wordpress/ || exit 1

echo "3. replacing old files with fresh ones"
tar cf - . | (cd "$BLOGDIR" && tar xf -)

echo "4. updating your blog"
# The URL is quoted so the shell does not treat "?" as a glob character.
wget -q -O - "${SITEURL}/wp-admin/upgrade.php?step=1" > /dev/null

echo "5. removing unneeded files and directories"
cd ..
rm -f latest.tar.gz
rm -rf wordpress

echo "6. all done !"
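
The script unpacks whatever step 1 downloaded, over plain HTTP, straight onto the live site. As an added example (not part of the original script), these checks could run between steps 1 and 2: compare the tarball with a SHA-1 digest obtained separately over HTTPS, and refuse archives with entries outside wordpress/. The function names are mine, and the digest URL in the closing comment is an assumption about where the digest is published.

```shell
#!/bin/sh
# Added example: checks to run on latest.tar.gz before step 2 unpacks it.
# Assumes sha1sum (GNU coreutils) and a tar that can list gzip archives.

# verify_sha1 FILE EXPECTED: 0 if FILE's SHA-1 equals EXPECTED,
# 1 on mismatch, 2 if EXPECTED is not 40 hex characters.
verify_sha1() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2
    actual=$(sha1sum < "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# archive_is_contained FILE: 0 only if every entry name starts with
# wordpress/ and none has a ".." component; 2 if FILE cannot be listed.
# Checks entry names only, not symlink targets.
archive_is_contained() {
    listing=$(tar tzf "$1" 2>/dev/null) || return 2
    [ -n "$listing" ] || return 1
    while IFS= read -r entry; do
        case "$entry" in
            wordpress/*) ;;
            *) return 1 ;;
        esac
        case "/$entry/" in
            */../*) return 1 ;;
        esac
    done <<EOF
$listing
EOF
}

# Both checks must pass before the archive is unpacked.
safe_to_unpack() {
    verify_sha1 "$1" "$2" && archive_is_contained "$1"
}

# Possible use in the upgrade script (digest URL is an assumption):
#   expected=$(wget -q -O - https://wordpress.org/latest.tar.gz.sha1)
#   safe_to_unpack latest.tar.gz "$expected" || { echo "bad download"; exit 1; }
```
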


openlayers

This past weekend, I created a map of one of the sensor rides I made this past summer. The tool I used was OpenLayers, a full WMS mapping client written in JavaScript(!). Let me repeat that: the whole thing is written in JavaScript–there are no server dependencies, besides the WMS servers. It’s really amazing, actually.

I started creating my map by modifying an example I found on the OpenLayers site. It had a reference to TIGER data already in it, so I could see the streets of Pittsburgh. TIGER data is the stuff from the Census Bureau. It’s free, since it’s US Government created, but it’s also horribly out of date–Three Rivers Stadium is still in there; it was demolished in February of 2001. Many streets were also labeled incorrectly.

I continued by adding a layer from Pennsylvania’s PAMAP program; satellite imagery that is much more current. I found this data through PASDA, an excellent resource for Pennsylvania spatial data, by the way. Kudos to Pennsylvania for releasing this imagery (I guess they have to?)–it’s “Google Maps quality” (i.e. the high-resolution stuff you used to pay big money for), but free of watermarks and free to access via WMS. They even have the entire state covered.

One caveat I ran into while adding the data to my OpenLayers map was finding the “layer name”. I didn’t specify this correctly at first, and instead of satellite tiles, I got a stretched image that said “bad layer name” or some such thing. The solution was to get the WMS metadata and look at it to find the layer name. In my case, the WMS service was at this URL, so I needed to request this URL (note the extra parameters at the end), and look at the resulting XML for the “Layer” elements. In each of those there is a name attribute–that is the name you need to use when initializing the WMS object. Considering all this, my call to the constructor ended up being (all one line):

var wms_pamap = new OpenLayers.Layer.WMS( "PAMAP High-Res Imagery", "http://maps.pasda.psu.edu/wmsconnector/com.esri.wms.Esrimap?Servicename=PAMAP_AerialPhotography", {layers: '2545811822' }, {numZoomLevels: 16});

Getting the satellite data on there, I had a pretty full-featured map. Next was to add the path of my ride. I had this in KML already, since I had previously visualized this data in Google Earth. I added the layer with OpenLayers’ KML support, but I found a problem–a bug in OpenLayers prevented KML data from displaying correctly when the files were large. The issue had been partially addressed by somebody else–I finished the job, and submitted a patch (still needs unit tests).

I finished up the map by writing a simple JavaScript function to take data from a static data structure I hand-populated, and create markers from them on the map. Each marker annotated a point where I saw a spike in the recorded gas or noise levels along my ride.

The final map’s files are available here for you to download and see. In the end, I think the map came out nicely–given more time and more familiarity with the framework, I hope to make the line representing my ride vary in color or size to indicate the level of gas or noise present there. But it’s a prototype.

The promise of OpenLayers seems really great–a portable, open source, client-side, web-based spatial data viewer. Given the increasing popularity of spatial data and mapping in general, I think this will be very useful for those wishing to provide or collect data to/from the public. You could use Google Maps to do this, yes, but who knows when Google might start putting strategic ads on your maps? Besides, it’s Google. Don’t they control enough information already?

The only caveats with OpenLayers I ran into were the complexity of OpenLayers and its API (it’s *really* full-featured), and the variability in the quality of WMS servers. OpenLayers delivers on its end of the bargain–it visualizes data available through a WMS. Unfortunately, however, WMS servers have no such uniform code of good behavior. The PAMAP data, for instance, kept going in and out on a Friday night. Perhaps I was accessing it during the server’s maintenance window? I also tried to add a layer of projected ozone concentrations from the NOAA, but that WMS didn’t respond at all. This sort of issue brings up an important caveat in the age of distributed computing: differences in the availability of resources, bandwidth and care taken when managing the machines that serve you imply risk if you begin to rely upon them for your operations. At least Google has an incentive (a financial one) to keep their machines running; the state of Pennsylvania? Well, I don’t know… they do try, I guess.


bad security

I think the letter copied below explains the situation better than I can repeat it here, but during a recent interaction with UPMC Health Systems, I was surprised to find a lack of good security practice. How many more security breaches or information leaks need to happen before somebody starts auditing these systems for security issues?

Edward McCallister
UPMC Health Systems
200 Lothrop Street
Forbes Tower, Suite 10072
Pittsburgh, PA 15213

Dear Mr. McCallister,

I’m writing you as an information security professional because, during a recent interaction with your organization, I encountered behavior that could possibly lead to a breach of confidentiality.

Recently, I had trouble logging into the “MyHealth” portal to complete the necessary steps to receive my “Health Reward” offered through the University of Pittsburgh (where I work) and UPMC. I called the help desk, and was told that my account was locked. The operator (who was very nice, by the way) then confirmed my password with me. By confirming my password, I mean she read what I had originally entered as a password back to me over the telephone.

What is troubling is that she (or anybody) has access to my plain text password. This is not standard industry procedure. In this circumstance, operators can typically reset passwords to something known; the end-user is then usually forced to change passwords upon login. My point is that telephone operators (and anybody else) cannot see what the password is currently set to. This type of handling of passwords is even reflected in many operating systems’ password entry fields; the fields show asterisks instead of the actual characters as you type into them.

What makes this particular problem worth your attention? Passwords are usually authentication tokens tied to individual people; only I know my password. Administrators, for instance, may have access to my data under their own “administrator” credentials (accesses that are probably logged with their username for auditing purposes), but with the system as you currently have it set up, anybody can pose as what the system thinks is (and therefore logs as) “me”. It would be impossible for anybody to prove who “me” really was; it could be anyone that knows (or can find out) my password—me, any telephone operator or a system administrator.

What makes this even more dangerous? If a malicious individual were to gain access to your database, he or she could potentially have a list of plain text passwords. This would make it trivial for them to log in using any of the compromised credentials, without the difficulty of having to “crack” a hashed password.

I take the confidentiality of my health information seriously and, as a steward of health information, I’m sure UPMC does, too. Part of enterprise security processes (and auditing), as I know from my education, is knowing who accesses what information when (and perhaps from where). Your system has security lapses of a type that prevent a reliable “mapping” of accesses back to the who I describe (assuming your system is secure otherwise).

I hope that you find time to discuss this issue with your information security team, and at least let me know that you received this letter and are working on resolving the issue.

Sincerely yours,

Jeffrey Maki


“open source”

I’ve been really busy at work lately, feverishly working on a year-long project that is being shoe-horned into the last few weeks of my employment. We’re working with a design firm to design the interactions and visuals of the site, and I’m building it. Ugh.

One of the things the designers frequently bring up is “open source”. “There’s an open source package that does that, so it should be easy…” is often the predicate to their argument. Open source also came up during my interview with eyebeam yesterday. The director described the lab and process there as “open source”–they like to distribute information openly and freely. Sounds good!

While I agree with many of the philosophies of open source (but not the elitism), I am now starting to shudder when I hear the term. First, the designers just don’t understand how software works. They specify many rich (i.e. AJAX, confirm dialogs, visually rich UI, etc.) interactions–open source packages are usually ugly. Usually. One can *easily* spend as much time as it would take to rewrite a piece of functionality on integrating and modifying an open source package to do the same task up to specification. Open source does not mean something’s been “done”. Open source packages are more like software libraries than finished projects–they provide handy routines/modules, but aren’t usually finished in and of themselves. Unless you are okay with the usually conservative, sometimes useless default UIs and settings they “ship” with.

Hearing the words “open source” from eyebeam made my eyes roll because it’s now also become a synonym for freely, publicly disseminated anything. And I’m not really arguing with that part of it, nor the philosophy behind it. But eyebeam doesn’t open source everything they make, as promised. Take their WaveBubble project (essentially a cellular phone jammer) for instance (here or here). I know it’s illegal, but I want to build one. Lady Ada (the author) says the project will “never be available as a kit due to FCC regulations”. Okay. But I still want to build one. Schematic, please? How about a parts list? I’m pretty technically savvy (not with electronics, granted), but I can’t get the information.

Like most “open source” projects, maybe I’m not in the “committer’s club”, but I ask, “does anybody have the ‘open source’?”


deleting your monster.com profile

Just an FYI: in light of the recent Monster.com leak of customer information, I wanted to delete my user profile. You can’t do this yourself from the website, but if you E-mail siteabuse@monster.com, they will delete it for you. I found this on another blog, but lost the link. Anyway, just wanted to confirm that it does work!
