News Sites Try to Load Malware from Eclampsialemontree.net

For the last four days, my anti-virus software has been blocking a possible virus when I visit some popular news sites. The URL flagged as a virus is a subdomain of eclampsialemontree.net that has a long string of random characters and looks highly suspicious. A report on VirusTotal indicates two anti-virus providers are blacklisting that domain as a malware site.

The latest site where I encountered this virus alert was a story on Stars and Stripes. I'm not embedding a link for obvious reasons, but it has the headline "Veteran, one of 4,200 mistakenly declared dead by VA, feels 'resurrected.'"

In the Google Chrome developer console, I can see that when the story is read, the URL is being loaded in an XMLHttpRequest by this JavaScript code on the news page:

<script src="http://s.ppjol.net/lightbox/pp4.js"></script>
<script>
if (!navigator.userAgent.match(/StripesApp/i)) {
  var pp = { client: { config: { 'zone':"-jmtl7NTsKXjcoZnYuS2qB", 'mode':"universal", 'debug':0, 'precheck': function(){ return 1; } } } };
}
</script>

This code is provided by Press Plus, a company that manages newspaper subscription paywalls. I think the purpose of the script is to superimpose a box above the story that urges a reader to subscribe to the site.

The script does not have any reference to eclampsialemontree.net, so I don't know why it is attempting to make a connection to one of its subdomains.

I've encountered this 24 times on different news sites. I'd like to figure out why it's happening. I post a lot of links to news stories on the Drudge Retort and I can't link to a site I believe might have been compromised by a virus.
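One way to investigate where such a request comes from, as an added example that is not code from the original post: export the page load as a HAR file from the Chrome DevTools Network tab and walk the initiator stack of every request to the flagged domain. The hostnames in the sample are constructed placeholders, and the code assumes the HAR carries Chrome's non-standard `_initiator` field.

```javascript
// Added example: find which scripts initiated requests to a flagged domain
// in a HAR export. Assumes Chrome's non-standard `_initiator` entry field.

// True when `host` is `domain` itself or one of its subdomains. A plain
// substring test would also match look-alikes such as "notflagged.example".
function hostMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Script URLs from an initiator stack, innermost frame first, following the
// `parent` links Chrome records for asynchronous call chains.
function scriptChain(initiator) {
  const chain = [];
  let stack = initiator && initiator.stack;
  while (stack) {
    for (const frame of stack.callFrames || []) {
      if (frame.url && chain[chain.length - 1] !== frame.url) chain.push(frame.url);
    }
    stack = stack.parent;
  }
  // Parser-initiated requests have no stack, only the referencing document.
  if (chain.length === 0 && initiator && initiator.url) chain.push(initiator.url);
  return chain;
}

// Every request in the HAR whose host falls under `domain`, with its chain.
function traceRequestsToDomain(har, domain) {
  const hits = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    if (!hostMatches(host, domain)) continue;
    const init = entry._initiator || {};
    hits.push({ url: entry.request.url, type: init.type || "unknown", chain: scriptChain(init) });
  }
  return hits;
}

// Constructed sample: a page loads a widget script, which loads a second
// script, which then issues the request to the flagged host.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "http://news.example/story.html" }, _initiator: { type: "other" } },
  { request: { url: "http://paywall.example/lightbox/widget.js" },
    _initiator: { type: "parser", url: "http://news.example/story.html" } },
  { request: { url: "http://x7f3q9.flagged.example/track" },
    _initiator: { type: "script", stack: {
      callFrames: [{ functionName: "send", url: "http://ads.example/loader.js" }],
      parent: { callFrames: [{ functionName: "init", url: "http://paywall.example/lightbox/widget.js" }] } } } },
  { request: { url: "http://notflagged.example/ok" },
    _initiator: { type: "script", stack: { callFrames: [] } } },
] } };

console.log(JSON.stringify(traceRequestsToDomain(SAMPLE_HAR, "flagged.example"), null, 2));
```

With a real export, pass the parsed HAR and the domain the anti-virus flagged; a chain that ends in a script the page embeds directly shows which third-party include pulled in the rest.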

First Post On This New Web Server

Six months ago I retired a web server I had been using for 11 years. I commemorated the occasion because I was paying for a server to host my sites that had become a museum piece.

Linux is so good at running Apache, MySQL and PHP that your hardware can become a decade out of date without performance becoming an issue.

My other two web servers were almost as old. The company I use for hosting, SoftLayer, recently offered me a deal to upgrade. A sales rep told me, "After reviewing your account we noticed that you are still on our older legacy platform. Many of our customers have migrated off this platform, and you are one of the few who still remain on it."

I just completed that move. My sites are running on new servers over 20 times as fast and my monthly hosting costs have dropped from $652 to $326. That will save me almost $4,000 a year.

If you see this post, it worked! One bug down, many more likely to go.

Villains & Vigilantes Creators Win Settlement to Publish Game

After the longest court battle in the history of tabletop roleplaying games -- four years, eight months and 16 days -- the creators of Villains & Vigilantes have secured the rights to publish the game they created as teens in the 1970s. On Tuesday night, Jeff Dee and Jack Herman of Monkey House Games uploaded a version of the game to DriveThruRPG that included some new text in the copyright indicia (emphasis mine):

The Monkey House Games logo is a trademark owned by Monkey House Games. All characters, character names, and the distinctive likenesses thereof are trademarks owned by Monkey House Games. Villains and Vigilantes is a trademark of Scott Bizar, used with permission.

This language is the first official sign that a settlement has been reached. I asked Dee for details, but all he was ready to say is that they are "pretty happy."

On July 27, 2011, Dee and Herman sued Bizar, the publisher of Fantasy Games Unlimited, for copyright infringement, asserting that his contractual right to publish their game had expired many years earlier and he kept this fact from them. The lawsuit began in Florida, moved to Arizona and ultimately reached the U.S. Court of Appeals Ninth Circuit. I covered the case in detail in two posts on this blog:

Dee and Herman signed a 1979 contract with Bizar that gave them the game's copyright. A contract three years later to publish a comic book stated that Fantasy Games Unlimited owned the trademark. After Bizar stopped being a full-time game publisher in 1987, Dee and Herman tried for years to reach a deal to publish the game under the trademark, to no avail. Then in 2010, a fan of the game who is also an attorney discovered that Bizar had dissolved Fantasy Games Unlimited Inc. in 1991.

Under the contract, this reverted all rights to Dee and Herman, so they published the game as the newly formed Monkey House Games. Bizar disputed their right to do this, and thus began the titanic battle of the lawyers.

Dee and Herman prevailed in court when an Arizona judge ruled in 2013 that Bizar lost all of his rights to the game by selling zero copies of it from 1990 to 1994. The judge also ruled that Bizar never had rights to publish electronic editions or derivative works, two things he's been doing the past six years on the Fantasy Games Unlimited website.

Bizar filed an appeal and the case was taken up by the Ninth Circuit Court of Appeals, which affirmed in a July 7, 2015, ruling that Bizar had lost the rights to publish the game over 20 years ago:

[T]he contract expressly provided that the agreement would terminate by operation of law if FGU, Inc., ceased to do business for any reason. The agreement also prohibited the assignment of any rights under the contract without the written consent of the other parties. By the terms of the agreement, when FGU, Inc., was dissolved in 1991, all rights to the 1979 and 1982 Rulebooks reverted to Dee and Herman. Accordingly, all sales after the 1991 dissolution of FGU, Inc., of the 1979 or 1982 Rulebooks were infringing acts.

Despite this finding, the appeals court sent part of the case back to Arizona to decide whether Bizar still owned the trademark.

Dee, an artist well known for his illustrations on early Dungeons & Dragons books and supplements, has been producing new games and Kickstarter projects in recent years at a prodigious pace -- which I assumed was due to the costs of fighting this court battle. In September of last year, Dee asked fans for help with legal expenses on GoFundMe, receiving $26,755 from 523 people. He wrote this in the fund-raising appeal:

Our claim that the publishing rights reverted to us has been upheld in court, but our opponent still claims to own the trademark to our game's name and he's suing us for using it. If he wins on that count, he'll be able to seize our creation and financially ruin us. We've been fighting for our rights for several years, and frankly we need money in order to carry this battle to a final victory. We just want to get back to making our games!

As a fan going back 35 years, I'm glad the case is over and two of the first RPG designers finally can publish their best-known game. I was hoping that a court would pry the trademark out of Bizar, because it makes no sense that he'd have a claim on it, but the guy has a kung-fu grip.

If you'd like to reward Monkey House for fighting like crazy over 1,724 days in court to publish a game that isn't going to make anybody rich, Villains & Vigilantes is available as a printed book for $16.99 from Lulu and an ebook for $7.50 from DriveThruRPG.

Update: This story was edited to reflect that the trademark's ownership was in a 1982 contract, not the original 1979 contract.

Fix a 'Missing: Updated' Error in Google Search on WordPress

Google Search Console reported a bunch of structured data errors in a new WordPress blog I began recently. This was a surprise, because I didn't know I was offering structured data. The WordPress theme I've been using, Twenty Twelve, includes CSS styles in blog posts to support the hAtom microformat, which helps search engines recognize the components of a blog post such as the title, author and tags.

When Google crawled the blog, the Structured Data section of Search Console flagged 20 pages with the error "missing: updated," which indicated the data should have an element called updated that isn't there.

Screen shot of Structured Data report in Google Search Console

I did some digging and found that WordPress bloggers are solving this problem in some complicated ways, like adding a plugin just to filter the structured data out. But I found an easier solution.

The updated style indicates when a blog post was last updated. In every page that displays a blog entry, updated should be in the HTML where the post time is displayed. Here's an example prior to the fix:

<time class="entry-date" datetime="2016-04-02T19:39:49+00:00">April 2, 2016</time>

Any blog post can include hAtom structured data by adding class names to the tags that surround an element. The updated class should be added to the time tag, turning the HTML into this:

<time class="entry-date updated" datetime="2016-04-02T19:39:49+00:00">April 2, 2016</time>

In the folder for my blog's theme, I found the file I needed to edit to add this fix: functions.php. This file is a collection of PHP functions to enhance the theme and modify WordPress functionality.

In a function called twentytwelve_entry_meta(), I found the line where the blog post's time is displayed. I edited the line to add the reference to updated. Here's the line after the change:

$date = sprintf(
	'<a href="%1$s" title="%2$s" rel="bookmark"><time class="entry-date updated" datetime="%3$s">%4$s</time></a>',
	esc_url( get_permalink() ),
	esc_attr( get_the_time() ),
	esc_attr( get_the_date( 'c' ) ),
	esc_html( get_the_date() )
);

I'm still learning about WordPress and not ready to make major changes to a theme's PHP code, but this fix is a minor adjustment to the HTML output, so I thought it would be safe to attempt. The fix was successful: When I test my blog's pages in Google's Structured Data Testing Tool they pass.

The fix I've described works in the Twenty Twelve theme -- and probably some of the other basic themes for WordPress. Because each theme has different HTML, you may find the code that displays the time someplace else.

Fix a 'No HTTP Transports' Error in WordPress

I recently installed WordPress on this server for a new blog. I've been using homebrew software for years, but I want to see whether I like WordPress enough to switch this blog and others to the platform. I need all of my sites to be usable on mobile devices, a goal that is a long way from being true today. The new blog is far better out of the box on mobile than anything I've created on my own.

In the two weeks I've been running WordPress 4.4.2, I encountered several problems where it could not connect to resources on other Internet sites. I could not install themes or plugins in the web interface because of this error message:

There are no HTTP transports available which can complete the requested request.

I also could not use the Customize page or make the WP to Twitter plugin send messages to Twitter. I could avoid the problem with themes and plugins by installing them on my own, but the Twitter problem had no workaround.

I have PHP configured with Curl, so I didn't expect a problem making HTTP requests to other sites. But WordPress now requires SSL support in Curl. My version of the software lacked SSL. I compile my web server software from source on Linux instead of relying on package managers, so I needed to recompile Curl with SSL support. I thought that would be easy.

After much weeping and gnashing of teeth, here's what I had to do:

  1. Compile and install OpenSSL.
  2. In directories from which I installed past versions of Curl, run the command make uninstall in each one to remove it from the server.
  3. Recompile Curl with the configuration option --with-ssl, which found OpenSSL.
  4. Recompile PHP with the configuration option --with-curl, which found the new SSL-enabled Curl.
  5. Reboot Apache.

The last thing I figured out was Step 2. Before that, when I compiled PHP it found a version of Curl on my server that did not support SSL and used it by mistake. This made WordPress angry.

WordPress is now mostly happy and can post to Twitter successfully. Customize works, as do themes and plugin downloads.

There are easier solutions if you use a package manager and the right versions of these programs are available. But I've been compiling source code by necessity across my LAMP stack for years. There were features I needed that weren't offered in packages.

I anticipate more posts like this one as I kick the tires on WordPress.

Jake Tapper Asks Trump 7 Straight Horse Race Questions

I began watching the Sunday talk shows again last weekend because of Antonin Scalia's death, which propelled the U.S. into an exceptional time in our history. We'll be living with the consequences of how the next Supreme Court appointment is made for a long time.

Watching one of the shows today reminded me of how terrible political reporting on television can be.

On CNN's State of the Union, host Jake Tapper asked Donald Trump 10 questions:

  1. Mr. Trump, congratulations on your victory. What do you think this means for the race going forward? Are you unstoppable?
  2. Your campaign manager, Corey Lewandowski, said that you have not gotten the credit you deserve from the party for leading the race. Why do you think that is? Do you think some Republicans still don't take you seriously?
  3. Last week, Senator Rubio said he didn't think a brokered convention would necessarily be a bad thing. Are you concerned at all that party leaders might try to block your nomination at the convention?
  4. Senator Cruz says that you attack him every day because you know he's the only one who can beat you. Is that right?
  5. Governor Jeb Bush dropped out last night. He was once the front-runner, once expected to win the nomination. Many would point to you as the primary reason his campaign sputtered. Do you think, by labeling him low-energy and targeting him so quickly, do you think that's what did him in?
  6. You also took on Jeb's brother President George W. Bush in South Carolina, a state that he won in 2000. And then you won it handily, even though you took on George W. Bush. Do you see Jeb's loss and your victory in South Carolina as a vote on the entire Bush legacy, in a way?
  7. There's a lot of concern, as you know, among Republican Party leaders in Washington about, can you win a general election? Let's talk about demographics for a second. If the next Republican nominee wins the same share of the white vote that Mitt Romney did in 2012 -- that was 59 percent -- that nominee would need to win 30 percent of the non-white vote. Now, with all due respect, sir, a lot of Republican leaders in D.C. struggle to envision you accomplishing this, especially given the fact that there are white supremacist groups and individuals like that who support you, some of whom you have even retweeted.
  8. I want to get some clarification on comments you made this week at the CNN town hall about Obamacare. Take a listen. ... So, sir, what did you mean when you said, "I like the mandate"?
  9. But -- but, just to clarify, you're saying now that you would not support requiring every individual in America to have health insurance? You wouldn't support that?
  10. Last question, sir. We heard from your wife, Melania, last night, which doesn't happen a tremendous amount. Are we going to hear more from her going forward?

By my count that's seven straight horse-race questions that are solely about who's leading and who's trailing, one policy question with a follow-up and then a nice softball question that lets him say something nice about his wife.

Trump is the Republican front-runner and the favorite to win the GOP nomination. There's a great deal of importance in the media getting beyond his vague policy statements to pin him down on actual things he would do as president. Making America Yuge Again is not a concrete policy objective.

Tapper had an opportunity to do this, but he thought the bulk of his time with Trump was better spent with such queries as "Are you unstoppable?"

That's the kind of dumb-ass question a non-journalist would never ask. Political reporters ask them all day long.

The one time Tapper delved into Trump's actual policies on health care and the individual mandate, we got to see that Trump is completely out of his depth. After he took insurance away from millions of Americans by killing ObamaCare, the only things Trump could suggest are to let states compete and offer healthcare savings accounts.

The answer Trump gave was as floundering and repetitive as the Marco Rubio debate answer when he was accused of being robotic. Trump twice repeated that we're going to have great health care if he's president, and three times said people won't be dying in the streets.

Or the sidewalks: "They're not dying on the sidewalks, and they're not dying on the streets if I'm president," he said. "They're just not."

Unless he shoots them, I guess.

The Sunday show reporters should ask candidates as many questions about policy as they do about winning and losing. If they did, it would be clear to millions that Trump's a bag of hair whose ideas never go beyond braggadocious posturing.

My Web Server is Older Than Your Web Server

This post is dedicated to the dedicated server I just shut down. A single Linux box at a server farm in Dallas was for many years the center of my one-man media empire. Over time I moved sites and services off of it, but it remained the home of my weblog Workbench, my 25 computer programming books, a client's business site and an email server for six users. Every month as the billing day approached, I told myself I was going to move everything to another server I own and save myself $69 a month. But I managed to successfully avoid the task until now.

On Wednesday I got up at 6 a.m., two hours earlier than usual. Waking up abnormally early always makes me feel like I'm getting a jump on the rest of the world. Before that mood passes, I dive into something ambitious. That morning felt like the perfect time for a server move.

Eighty-six hours later, I am punchy from exhaustion, completely devoid of ambition and remember why I never did this before. But the move is complete!

The following command on Linux revealed the date and time a file system was installed on the server's main hard drive:

/sbin/tune2fs -l /dev/hda2 | grep created

The server was born on Friday May 14, 2004, at 7:10:10 a.m.

I submitted the request to shut it down today at 8:52 p.m.

Ray Dureault in 2004 glasses, photo by John Tlumacki of the Boston Globe

During those 4,237 days, the server went from being cutting edge to a museum piece. It has a Celeron P4 processor and just 72 gigabytes of disk space. (Today you can buy a thumb drive with 128 gigabytes for $30.) The operating system it runs is Red Hat Enterprise Linux 3 (Taroon) from 2003. At least five years ago Red Hat stopped taking my update requests, so I had to do my own software upgrades.

I did a lot more than web hosting on the little server that could. As I wrote books about Internet technology, I installed the software and developed sites and web applications on the box. Digging through the server this week looking for things I might want to save, it felt like archaeology. I unearthed layers from the days I was using Movable Type, WordPress, Radio UserLand, Java Server Pages, Blogger and server-side includes. There were programs and scripts I had written in PHP, Java, Python, Perl and Bash.

I won't be letting any more of my servers become senior citizens (one year is equal to 10 in PC years).

Instead, this is the new plan:

1. Only store content on a server that's currently being shown to the public. If I take something down, I will move all of that data offline along with scripts and software that are no longer needed.

2. Jump to a new server every 1-2 years.

This is an overcorrection. I'm replacing too little ambition with too much. But I no longer have to do the two things that were the most difficult: serving email and domain name queries. During this move, I found ways to offload both of those tasks. So all I have to focus on are the web server, database program and any server-side technology that's required.

A server move always improves my sites. I find mistakes and things that were written poorly, like a database login script with a hard-coded IP address in it.

I also like the added security of running on a new Linux box, where security updates are still available and there's less chance a hacker snuck in and installed something nefarious.

In 2026, if I write a blog post about retiring the septuagenarian server that's hosting this blog, consider that a sign my plan failed.