UseR! 2017 Recap
I recently returned from a week at the UseR! 2017 conference in Brussels, which was a great opportunity to catch up on the latest trends in the R world. This conference was noticeably different from the 2015 Aalborg conference in the demographics of the audience; in prior conferences, the attendees were overwhelmingly either PhD faculty or PhD candidates but at this conference many if not the majority were consultants and practitioners from industry. There is a lot to cover, so I’ll split things into a few categories:
- Natural Language Processing
- A Tidal Wave of Mapping
- Shiny Stuff
- Docker Was Common
- Mixed Integer Programming
- Parallel Processing
- Making Web Sites Accessible to the Blind
- Written by Bruce Moore
Protecting Externally Generated HTML Reports in Joomla
A number of reporting applications will generate extensive interactive HTML web sites that are very useful, but can be hard to secure behind a login, especially when you must incorporate HTML from a number of different report generators. Fortunately, there is a relatively simple way to do this in Joomla using the “wrapper” menu item type. The example that follows shows how to do this in situations where you want to secure the HTML report from scanning and indexing by search engines, but do not require absolute security. This might apply to content that is not confidential or proprietary, but which would generate unwanted email inquiries were it to be indexed. This approach will meet many low security needs but does not provide total security; see the discussion in the section on modifying .htaccess for more information on security issues with this approach.
Step 1: Upload the HTML Web Report
The first step is to upload the HTML report into its own directory; you do not want to mix your report files in with anything else. It should be a directory that is only accessible to people who are trusted and authorized, so it probably should not be a subdirectory of the images or other media directory. The directory name should not be identical to the names used for any categories, tags or articles, as this will make URL collisions a problem and create issues for SEO. If you will have a lot of reports, you will probably want to create some kind of directory hierarchy.
For security reasons that will be described later, your directory name should contain a random string that is eight or more characters.
Step 2: Fix Permissions on HTML Web Report Using Akeeba Admin Tools
The next step is to make sure that the directory and file permissions are secure: 755 for directories and 644 for files. Many of the report generator tools do not pay attention to this.
In Akeeba Admin Tools, go to the Custom Permissions option shown in Figure 1 and make sure that your directories are listed with the proper permissions, and select Apply; using shell access or some other means, verify that the permissions were set properly using ls -l or some other command.
Step 3: Create Menu Option for HTML Wrapper
Next, create a new menu option using the Wrapper option as shown in Figure 2. Put your HTML report’s URL in the option field as shown in Figure 3. If you want to restrict access, change the Access from “Public” to a particular group as shown in Figure 3.
If you used a secure group for access, only logged in users will be able to locate the information, and search engines will not find the pages for indexing. However, if someone knows the URL, they could still get to it directly without any difficulty; we still need to secure access by changing the
Step 4: Add Custom Rules to .htaccess Using Akeeba Admin Tools
To secure the HTML report from direct access, you must add lines to the .htaccess file that is used to control Apache. There are perhaps a million ways to do this but the easiest relies on the way that Joomla implements the wrappers. For the wrapper menu option, Joomla uses the iframe HTML tag; this has the side effect that all accesses to these HTML pages through your site will have your site as the referrer. We will write .htaccess rules that prevent access to the files if the referrer is not your site. This still leaves open the hole that someone could spoof the referrer and guess the correct URL and get access to the files, thus the recommendation that you use unique random strings in the directory names.
The URL will be visible to logged-in authorized users via “View Source”. If one of those logged-in, authorized users decides that the HTML report should be publicly visible, that user can post the URL, at which point it will be possible for a malicious user to spoof the referrer and gain access. Well-behaved search engines still would not index the page, unless the logged-in, authorized user posted the link in a publicly accessible and indexable area of your site.
For many applications this is an acceptably small attack window, but it should be recognized that it is an open window, however small.
Figure 4 contains the code that you should use in your .htaccess file. Make sure to replace the domain and directory in the example with your own domain and directory.
Step 5: Modify Module Display for Report Menus
The final step in the process of adding an HTML report to your Joomla website is optional and depends on the report and template that you are using. Many reports will benefit from having a wide column layout. If you have navigation, recent articles, popular articles or other Joomla modules to the left and right of your HTML report, you might get some awkward or unusable line wraps. To give your report a wider column, you may want to omit these Joomla modules from the menu options that drive these HTML reports as shown in Figure 5.
- Written by Bruce Moore
Using R to Analyze Google Analytics Data
Website operators and digital marketing analysts frequently use Google Analytics and Piwik to monitor and analyze site traffic, but neither of these tools allows the user to add data from external sources. This course will show you how to combine Google Analytics with data from external sources including content management systems, Google Trends, Google Search Console and other sources to better understand what makes for successful pages and successful user experiences.
The class will cover the following:
- Installing and getting started with R
- Google Analytics, Google Trends and Google Search Console Terms and Conditions with respect to data use
- Retrieving and loading Google Analytics data with R
- Retrieving and loading Wordpress and Joomla content data with R
- Retrieving Google Trends and Google Search Console data with R
- Combining web analytics data
- Using R to prepare both static and interactive graphics of web analytics data
- Using R to prepare correlations and predictive models of web analytics behavior
- Setting up batch jobs to maintain historical data
The course assumes previous use of a programming language such as Visual Basic, Excel Macro language, C/C++, Java, Perl, Python, SAS or PHP, though the course does not assume that the student is an active programmer. Knowledge of statistical concepts (mean, median, standard deviation) is helpful but not required.
- Written by Bruce Moore
Security Threats in 2017
As the 2016 election cycle shows, computer security cannot be taken lightly. The Russian hack of the Democratic National Committee was exacerbated by the fact that it was initially handled only by an entry-level employee who made some poor decisions. The Russian social engineering hack of John Podesta’s email may have been made easier by a possible failure to turn on two-factor authentication on his Google account. It will only get worse.
Malwarebytes released a forecast of problems in the coming year that should be required reading for all computer users; computer security people already know this stuff; I’m talking about my wife, my siblings and my extended family members whose home network problems I fix when I visit. Read the article and then start doing the following if you have not already done so:
- Turn on two-factor authentication for Google.
- Turn on two-factor authentication for Facebook.
- Turn on two-factor authentication for Yahoo/Flickr.
- Turn on two-factor authentication for everything else
- Encrypt your iPhone or Android phone to protect it if it is lost or stolen.
- Enable a remote reformat capability for your cell phone.
- Tell all businesses that you deal with to convert to HTTPS if they have not. Give them a reason to get secure–your continued business
- Do not re-use passwords, which will require getting a password manager. Use a hard password on your password manager. Password managers are a likely new target for attacks, so I have chosen one (Keepass) that is somewhat less convenient, but which would first require the attacker to gain access to my computer.
- Stop using Internet Explorer (and any service that requires it) and switch to Firefox, Chrome or Vivaldi as a browser. Firefox is best from a privacy standpoint, but Chrome and Vivaldi are faster and OK for privacy if you turn off some default settings. I am starting to use Vivaldi a lot and like it. Opera was purchased by a Chinese firm, and is no longer a browser that I use regularly, as I just do not trust Chinese companies for anything after the Startcom certificate mess.
- Decommission all Windows XP computers, if you have not already. Remove the hard drive and destroy it or wipe it before disposing of it.
- Change the default passwords on your router, Roku, Apple TV, smart TV, DVD player, baby cams, kitty cams, garage door opener (yes, some have WiFi) and other devices. Use something unique to each device and hard. For these it is OK to tape the password on the device; if someone breaks into your house and gets the password to your kitty cam, you have bigger problems. Hacked baby cams and other devices were used on a recent denial of service attack.
- Update the firmware on all of the above devices. Pay attention to the manufacturer’s firmware update practices when purchasing new devices, and do not buy from firms that never release security updates. You can continue to use some manufacturer-abandoned routers with DD-WRT.
- Consider encrypting USB flash drives. Veracrypt works on all platforms if you have to go from Windows to OS X, to Linux.
- Encrypt your laptop hard drive.
- Make sure that your phone has security patches. This is easy on iPhones, but not on Android devices (except those purchased directly from Google like the Nexus series). If your device cannot be made current on security patches, get a new one.
- Switch to Signal, WhatsApp, or perhaps the somewhat less secure Hangouts for all of your messaging. I really like Signal.
- Do disk-level backups to a USB drive and keep one off-site in a safe-deposit box. This is to protect family photos. I use Clonezilla. When I was a systems programmer and database administrator, we used to say “tape is cheap.” Today, USB disks are cheap. You only need a backup when you need a backup, and when you need one, you would pay a lot to have one.
- Use a cloud backup service like Backblaze or Carbonite. The cloud is cheap today. McAfee, Symantec and others offer cloud backup as well.
- Keep your antivirus updated. Windows 10 has a decent built-in anti-virus and firewall, but if you are on another platform, you should have something and there are solutions for Windows 10 that are arguably better than the free one.
- Give your extended family members a disk drive with family photos for Christmas or the gift-giving opportunity of your choice. This is part of my disaster recovery plan as well as family history communication.
- Stop taking fun quizzes on Facebook. Most, if not all, are just a way to collect your personal information for impersonation, identity theft or, more benignly, to fill your Facebook feed and mailbox with annoying targeted marketing.
- Written by Bruce Moore