-John Havlik

[end of transmission, stay tuned]

Breadcrumbs are a property of the Schema.org WebPage CreativeWork type. The first thing you must do to use the Schema.org microdata is declare the body of the (x)HTML page to be of type WebPage. You’ll need to modify your current WordPress theme so that the opening body tag is:

<body itemscope itemtype="http://schema.org/WebPage">

Once we’ve declared our body to be of type WebPage, all we have to do is include itemprop=”breadcrumb” in the div wrapping around the breadcrumb trail. For example, we’d use:

<div itemprop="breadcrumb" class="breadcrumbs">
    <?php if(function_exists('bcn_display'))
    {
        bcn_display();
    }?>
</div>

That’s it! Note that this does not work with the included widget in 4.0.1, and is something that will be changed for the next release.

-John Havlik

[end of transmission, stay tuned]

You can grab the latest version of Breadcrumb NavXT from the Breadcrumb NavXT page.

-John Havlik

[end of transmission, stay tuned]

But, this post isn’t about the robinruet, who is an interesting character, and possibly a hacked account (it started spamming a Google +1 click jacking plugin). This is about WP Sand Box and why you should not use it.

WP Sand Box is quite small, only 311 lines in length, and contains only 2 options. However, the plugin still has a few glaring security flaws, and fails to obey some best practices for WordPress plugin development. Let’s start with the broken best practices.

The plugin does not have a consistent function name prefix to act as a method of namespacing. There is the possibility that this plugin could conflict with other plugins should another plugin provide similarly named functions. Functions such as rrmdir and full_copy are the two with the highest probability of having a function name collision.

The plugin also deletes options on deactivation. This is really a neither here nor there thing, but the uninstall facilities should be used instead.

After a little digging, I found this plugin is sort of a fork of HQ Sand Box, with really only one change. This change is a somewhat nefarious one. Line 153, contains:
echo base64_decode("CQk8L3A+DQoJPC9mb3JtPg0KCTxmb3JtIGFjdGlvbj0iYWRtaW4ucGhwP3BhZ2U9U2FuZCBCb3giIG1ldGhvZD0icG9zdCIgPg0KCQk8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJiYWNrdXB0aGVtZSIgPg0KCQk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iQmFjayBVcCBZb3VyIExpdmUgVGhlbWUiIC8+DQoJPC9mb3JtPg0KCTwhLS1UaGVtZSBTd2l0Y2hpbmcgb3B0aW9uIGVuZCBoZXJlLS0+DQo8L2Rpdj4NCjxkaXY+DQoJDQoJPGlmcmFtZSBzcmM9Imh0dHA6Ly93d3cuaW52ZW5lc3lzLmNvbS9hZC5odG1sIiB3aWR0aD0iNDUwcHgiIGhlaWdodD0iMjUwcHgiPg0KCQkNCgkJDQoJCQ0KCQkNCgk8L2lmcmFtZT4NCgkNCjwvZGl2Pg==");


Our good old friend base64_decode, using it in this way to obfuscate code is a bannable offense (in fact the plugin was removed today). What was actually being echoed? Decoding the base64 encoded data yields:
</p>
</form>
<form action="admin.php?page=Sand Box" method="post" >
<input type="hidden" name="backuptheme" >
<input type="submit" value="Back Up Your Live Theme" />
</form>
<!--Theme Switching option end here-->
</div>
<div>
<iframe src="http://www.invenesys.com/ad.html" width="450px" height="250px">
</iframe>
</div>
Well, what do we have here? An iframe, serving up an advertisement not seen in the original HQ Sand Box plugin. This may be benign at the moment, but the author could easily change it to be something more malicious (e.g. serve up some auto installing malware on ad.html).

Now, the real reason you should not use WP Sand Box or HQ Sand Box is a security issue in it. These are lines 24 through 33 in WP Sand Box and lines 26 through 36 in HQ Sand Box.

if (isset($_POST['delete_theme'])) {
$dtheme = $_POST['delete_theme'];
$dtheme = str_replace("_", "", $dtheme);
// echo "<script type="text/javascript">// <![CDATA[
alert('" .$dtheme."')
// ]]></script>";
$rty = get_theme_root() . "/";
$dir = $rty . $dtheme;
rrmdir($dir);
// echo "<script type="text/javascript">// <![CDATA[
alert('" .$dir."')
// ]]></script>";
}

So, this code is meant to be used to delete a theme that is no longer needed as part of the plugin. However, this code is not protected in any manner. It does not check if the user is logged in, or has sufficient privileges. There really should be a nonce check here to ensure that the user actually made the request to delete the theme as well. A malicious individual could delete every theme in a WordPress install with this plugin installed and enabled. This would take down a site until the theme could be restored.

The good news is both WP Sand Box and HQ Sand Box have been removed from the WordPress.org plugins repository. However, their SVN repositories exist. If you are using either of these plugins, I would suggest disabling it, or only using it on non-publicly accessible WordPress installs (local installs or a local testbed).

-John Havlik

[end of transmission, stay tuned]

CableCARD Sucks

CableCARD was created by Cable Labs after their hand was forced by the FCC to develop a system that allows consumers to use their own equipment to receive encrypted digital channels. The push for encrypted digital channels was made by the same folks that are brining you SOPA and Protect IP act. Through their ignorance, they have created a system that is more difficult for legitimate users to use than just pirate.

CableCARDs are a one way device, signals can be sent to them, but they can not talk back to the cable company. This makes diagnosing issues very painful as the technicians at the cable company can not get direct feedback on if they are sending the correct signal sequence to initialize and pair the CableCARD.

Your Cable Company Will Not Support You

Since CableCARD devices are only one way, and a royal pain for both parties involved, your cable company does not like supporting them. My cable company only officially supports CableCARDs used in TV sets. Personal DVRs such as TiVos, and tuner cards such are the Ceton InfiniTV are not supported. If you talk to a technician or technical support person that knows what the Ceton InfiniTV is you’ll be lucky.

Better cable companies will have all the CableCARD information already entered in their system before associating it with your account and handing you a card. However, you will still have to call them to have a CCV signal sent to your tuner/CableCARD. There are 3 signals that need to be sent, and there is a specific timing sequence that must be obeyed. Depending on the support representative you talk to, they may have no problem sending out a CCV, or they may want to send a technician out, who will just end up calling in and requesting a CCV be sent (a waste of everyone’s time). My cable company is known to not send the CCV correctly (Ceton has run into this before).

Ceton’s Support Rocks

After going through two support representatives that tried to send a CCV which the card never acknowledge, the technician that was sent out said it would be best to go through Ceton to get things working. After filling out the support ticket form, I received a phone call Saturday evening from a Ceton support representative, explained the situation, was told that the CCV not being acknowledged problem is usually due to the cable company not sending the sequence with the required 1 minute delay. Ceton support reached out to their contact at my cable company, on Thursday the CCV signal was received and on Friday I was able to watch all of the channels we pay for.

The InfiniTV Needs Airflow

The InfiniTV doesn’t like temperatures above 60°C. While it will still operate, you are risking reduced reliability and lowered device life. Ceton’s diagnostics tool will complain if the temperature is too high. Sitting in a low profile case, heat from the four tuners will build up quickly. While it would have been a better design choice to include a heat sink on the device as part of the RF shield, direct airflow will keep the temperatures at around 45°C. Positioning a fan to take care of this may not be practical for all HTPC cases.

-John Havlik

[end of transmission, stay tuned]

• %title% The title for the breadcrumb, typically the page title/name, tags are stripped and it is run through esc_attr().
• %htitle% The title for the breadcrumb, typically the page title/name, tags are left intact.
• %link% The URL to the resource (page) that the breadcrumb represents.
• %type% The breadcrumb type. This is output as a comma delimited list, useful for setting as a group of classes for styling.

Some of your old settings will be migrated, others that do not have a direct equivalent in 4.0 will not be migrated and the default value will be selected until you change it. Double check your settings after migration. Internally, every setting has changed. If you directly access the bcn_breadcrumb_trail class please take note, your old calling code will probably not work.

On the new features front, the URL generated for current items is now a true URL, resolving issues several users have reported in the past. Fall back functions for the PHP multibyte string functions are included for users without multibyte support (falls back to the equivalent non-multibyte string functions). Finally, for Custom Post Types, the CPT archive breadcrumb can be turned off if not wanted.

The help tab has been revamped to take advantage of WordPress 3.3′s new help tab functions. Additional information has been provided within the help tab. Finally, the form previously in the Import/Export/Reset tab has been moved under the help tab.

Bug fix wise, several regressions between 3.8.0 and 3.9.0 were fixed, along with some long standing bugs. Two such bugs are related to CPTs. The first is breadcrumb trails for CPTs respect the root page setting once again. The second is CPTs without WordPress CPT archives enabled will no longer cause a double root page breadcrumb to be generated. Minor tweaks to the styling of the settings page were made that allow all modern browsers to have a common experience. Finally, another cause of the “Settings not saved” error message has been fixed.

Translation wise, due to the major changes in settings structure, many strings have changed translation wise. Only the Spanish translation has been updated. The Norwegian translation is forthcoming. None of the other translators have responded to the update notice. Going forward, a GlotPress install has been setup for Breadcrumb NavXT and will be used for all future releases. You can check out the Breadcrumb NavXT translation project to see the status of the translation for your language. Sign ups for translating through this GlotPress install will be open soon.

You can grab the latest version of Breadcrumb NavXT from the Breadcrumb NavXT page. If you experience any issues with this version of Breadcrumb NavXT, please leave a comment on this post detailing the issue.

-John Havlik

[end of transmission, stay tuned]

Intel wireless cards require external firmware to be programed into their RAM on startup. This firmware is distributed by Intel, separate from the kernel driver. In the case of Gentoo/Funtoo, there is the iwl6000-ucode package for my card. For the current version, it places the file iwlwifi-6000-4.ucode under /lib/firmware, exactly where it should be. After compiling my kernel with the iwlagn driver included, I rebooted, and was greeted with wpa_supplicant not finding a wireless card. Checking dmesg I found the following message:

iwlagn 0000:0c:00.0: request for firmware file ‘iwlwifi-6000-4.ucode’ failed.
iwlagn 0000:0c:00.0: no suitable firmware found!
iwlagn 0000:0c:00.0: PCI INT A disabled

Normally, this is the message you will get when the firmware hasn’t been installed to the correct directory (/lib/firmware). However, in my case the firmware was sitting under /lib/firmware, iwlagn just could not find it. The issue is when iwlagn is built into the kernel it will try to load the firmware before the firmware is actually available. There ends up being two solutions to this problem.

If you do not want to have any kernel modules, you can bundle the firmware into the kernel image, or into your initramfs (if you use an initramfs). I like to keep the number of modules to a minimum (keep them for devices I may not always have connected), and I only compile the minimum number of drivers into the kernel for my hardware to work. I don’t run an initramfs as it is slow (can double the time it takes to boot, and with the SSD I’m seeing sub 7 second boot times). So this method doesn’t really mesh well with what I’m trying to do.

The much simpler way to fix this is to just compile iwlagn as a module. Then add it to the list of autoloaded modules in your /etc/conf.d/modules file. Reboot and you should see iwlagn loads up correctly, finds the firmware microcode and initializes the wireless card.

-John Havlik

[end of transmission, stay tuned]

Regardless, several objectives were achieved. Custom post type support has been improved. Several issues regarding custom post type archives and root pages for custom post types have been fixed. The way current items are handled has changed as well. Proper links for current items, if set to be linked, are now generated. The settings page has received a minor update, taking advantage of new features found in WordPress 3.3. Finally, the biggest change in 4.0 is the change in the settings structure. Prefixes, suffixes, and anchor templates were replaced with a linked and unlinked breadcrumb template.

Note, Breadcrumb NavXT 4.0 has been developed against WordPress 3.3. This beta and the final release will require WordPress 3.3. Please keep this in mind while testing.

Grab Breadcrumb NavXT 4.0.0-Beta1 and report any bugs in the comments section of this post.

-John Havlik

[end of transmission, stay tuned]

Since that time, the plugin received a ton of bad publicity, the author lashed out against Joost de Valk, and now, a year later, it appears the saga ends. The domain name blogpressseo.com expired back in October, and no one has renewed it yet. My only hope is the people behind BlogPress SEO didn’t move on to using a different name for the same plugin.

-John Havlik

[end of transmission, stay tuned]

Will there be a WordCamp MSP 2011?

The short answer is no. The organizers from last year have yet to announce anything for this year, and it is too late to fit an event in this year. Someone asked this on the MSP WordPress User Group back in August, and my answer was the same at that time.

However, back in August it was still possible to pull off the event before the end of the year, we’re firmly in “it’s too late” territory now. Organizing this scale of an event takes a ton of time—the last one had someone working on it more or less full time for two months, with the aid of several interns.

Going local for winter 2011/2012

My reply did get the community talking. There will be an event this winter, most likely in the late January/early February time-frame. One of the several things being tossed around is trying to keep this event local, in line with the original intent of WordCamp. Recently, and culminating with WordCamp San Fransisco 2011, there has been a trend for WordCamps to grow much larger than originally intended.

The idea is to buck that trend. And, the event may not even be called WordCamp. Currently, there is desire within the user group to have a BarCamp-style unconference dedicated to WordPress and related topics. This stems from the desire to distance the event from the WordCamp MSP 2010 event.

More information on the winter event will be made available once more of the details have been ironed out. Check back here or the MSP WordPress User Group website for updates.

-John Havlik

[end of transmission, stay tuned]