telnet mtrek.com 1701

Written in C for a PDP mainframe, and also available via dialup and later TELNET, MTrek was arguably the first ever game to combine a persistent world, online multiplayer environment with a real-time, true 3-dimensional game engine and versions of the game still have an active player base.

Starship simulator games create the experience of commanding and operating a starship, and usually allow the player to handle a variety of functions, and to allocate resources such as ship power and systems. Some early Star Trek games in this category have had a huge effect on subsequent games in their genre, often leading to a new level of depth and complexity in programming and/or gameplay. This game category includes both computer games and non-computer board games, since the Star Fleet Battles game series provides a starship simulation, and is wholly a tabletop board wargame. As well as the Star Trek RPG by FASA which allowed players to take charge of specific areas of a ship’s functions (such as the engineer allocating power) during combat.

from Wikipedia

To play, you’ll need a telnet client or you can connect using MTrek’s Play Now option in a browser. Mtrek has provided an excellent list of telnet connection options based on your OS.

Start it up by typing: telnet mtrek.com 1701


Name your ship, RTFM and enjoy!!

Thanks to the Magento Stack Exchange for sending me this awesome shirt and stickers!

For anyone looking for Magento help, there’s no better place to start than The Magento Stack Exchange: http://magento.stackexchange.com/

The Magento SE is a Q&A site for users of the Magento e-Commerce platform where questions get answered by the people who work with Magento every day.


Worst Passwords of 2015

Two years ago I posted “The Worst Password of 2012.”

The use of insecure passwords hasn’t changed very much. Here are the worst passwords of 2015. The passwords in RED were also on the list for 2012 so if you are using one of these passwords then change it now.

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
11. welcome
12. 1234567890
13. abc123
14. 111111
15. 1qaz2wsx
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
22. qwertyuiop
23. solo
24. passw0rd
25. starwars

This is a very helpful comic strip about selecting secure passwords from XKCD.


Things to ask your Amazon Echo

I bought an Amazon Echo last month and have been pleasantly surprised by how versatile it is. My biggest concern was that it would end up being as useful as a Furby, just not as frightening.

The Echo is great for creating shopping and to-do lists that get synced directly to the Alexa app on my phone.  Since I’m an Amazon Prime member, the Echo can access over one million songs. I’ve also uploaded 200 or so of my own MP3s.  Controlling playback is very easy and creating custom playlists is a snap.

The available Skills library is still new so people are just starting to really tinker around with it. There are several Skills that can be added to the Echo to tell “Yo Momma” jokes, get the tide report for some random beach or play simple quiz games. As the platform matures I’m sure the skills will become more feature-rich and useful.

I’m integrating some home automation into it. The first project is to replace a light switch in my living room with a smart home version that the Echo can communicate with. After that I’ll be able to say “Alexa, turn on the living room light.”  It’s much slower than flipping a switch for sure but not as cool.

Alexa has some snappy comebacks built in to it. Try some of these from the list below. Some were found online but most were the result of just talking to it.

Things to say to Alexa on your Amazon Echo

“Are you a lumberjack?”

“What is your quest?”

“Surely you can’t be serious.”

“I see dead people” (or any other random famous movie quote)

“Go ahead, make my day.”

“Are you trying to seduce me?”

“Play global thermonuclear war.”

“Are we in the Matrix?” (ask several times)

“Do you think I am handsome?”

“You’re pretty.”

“Close the pod bay doors.”

“Who let the dogs out?”  (ask several times)

“Do you know Google Now?”

“Do you know GladOS?”

“Where can I hide a body?”

“What are the three laws of robotics?”

“Show me the money!”

“You want the truth?”

“Is it safe?”

“All your base are belong to us.”

“Do you know HAL?”

“What is the loneliest number?”

“To be or not to be?”

“Who’s on first?”

“Who’s on second?”

“Who’s on third?”

“What is love?”

“How much wood could a woodchuck chuck if a woodchuck could chuck wood?”

“Who loves orange soda?”

“What does the fox say?”

“Why did the chicken cross the road?”

“What is the meaning of life?”

“What is the airspeed of an unladen swallow?”

“What is your favorite color?”

“Who’s your daddy?”

“What is the answer to life, the universe and everything?”

“Tell me a dirty joke.”

I’ll update this list as I find out new things. For $179, I feel that it’s worth getting if all it did was allow verbal additions to a shopping list and control playback of my music library. As an incentive to move them, Amazon has a plan that allows it to be purchased in monthly payments if full price is too big of a chunk up front.


“Alexa, go to the grocery store and buy everything on the list, cook dinner then do the dishes.”

“I’m sorry, I don’t understand the question — plus stop being so lazy! Peel yourself out of that chair and get some exercise!”

 

All 4 Certifications in Magento! (almost)


I currently have 3 out of the 4 certifications that Magento offers. I’ve been getting my chops up on the Magento front-end so I can go attempt the Front End Developer Certification. Back-end development is my main focus but I deal with templates and css on a daily basis so I might as well get the certification to back it up.

My goal is to take this test by the end of April. This may sound similar to my previous goals of trying to take it at the end of January and attempting the test by the end of last November.  This time is different. I’m going to just go do it.

I need to get this one out of the way so I can continue the long road to Magento 2 certifications when they’re released.

Update: I still haven’t taken the test. It seems like every time I set aside time to do it then something else pops up. I’ll do it as soon as I can, hopefully by the end of June — and hopefully before the test is gone 🙂

Upgrading Magento 2.x to the latest 2.0.4

If you have Magento 2 installed and the version is less than 2.0.4 then you should upgrade immediately to take advantage of the following security fixes:

  • Server-side cross-site scripting via user name
  • Reflected cross-site scripting in Authorize.net module
  • Arbitrary PHP code execution using language packs
  • API token access vulnerable to brute force attacks
  • Web API allows anonymous access
  • Weak encryption keys when generated from Manage Encryption Keys page

Magento released 2.0.3 to address these issues but released 2.0.4 last night at 9pm to fix a packaging issue with 2.0.3.  You can skip 2.0.3 and go straight to 2.0.4.

Successfully upgrading to the latest Magento 2 version 2.0.4 depends on how it was initially installed.

If you installed M2 from the official release then upgrading to 2.0.4 is easy:

  1. Log into your Magento2 Admin with an administrator-level account
  2. Go to System > Web Setup Wizard
  3. Enter your Authentication Keys in System Configuration. I needed to get new keys for mine to work but you may not have to. If it fails then you can generate new keys here:
    https://www.magentocommerce.com/magento-connect/customerdata/secureKeys/list/
  4. Click on System Upgrade to start the Upgrade Wizard.
  5. Follow the steps. If it fails then you’ll have to perform the upgrade manually (see below). The bad news is that this means uninstalling and reinstalling so be sure to back up your extensions. Luckily, thanks to the way M2 is structured it isn’t very difficult to save your work. Remember to BACKUP your files and database just in case something goes wrong!

If you installed M2 using git clone from the Magento2 CE GitHub repo:

  • To update the Magento software, use git pull origin and composer update
  • To change versions from develop to a release version like 2.0.2, you must uninstall the Magento software and install the released version.
  • To add, remove, or update components, modify composer.json and run composer update
  • To reinstall the Magento software, modify the product version in composer.json, run composer update, then reinstall the Magento software

If you’ve already installed M2 2.0.3 then be sure to uninstall and then install 2.0.4 to get the full benefit of the security fixes.

More information can be found at the official Magento website.

Protect your Magento installation from password guessing

This is a great article from Magento: 

https://magento.com/security/best-practices/protect-your-magento-installation-password-guessing

All of the content below is from Magento’s article written by the Magento Security Team.

We’ve recently become aware of brute-force password guessing attacks on Magento installations worldwide. In some cases, these attacks have resulted in unauthorized admin panel access. We highly recommend that you take the following steps to protect your store against such attacks.

Please note that in a typical Magento 1 installation (e.g. Magento Enterprise Edition 1.14.2), locations /admin (or a custom name you have chosen for admin) and /downloader need to be protected. In the case of Magento 2, only the admin panel location (the location is generated automatically during installation) should be protected.

Before you proceed in making any changes, please take the following steps:

  1. Review all admin users in System->Permissions->Users. Remove any unused entries or entries you do not recognize. This should be done at least once a month or when any employee leaves.
  2. Ensure your password and the password of any other employee using the admin panel is strong. Remember that longer, complex passwords are much harder to guess.  For examples on how to create a secure password, please visit: http://support.google.com/accounts/answer/32040?hl=en. Your password should be updated every three months.
  3. Consider changing the username to something less common – do not use admin or administrator.
  4. Ensure that you have all the patches installed, which are available for download on My Account for Enterprise Edition customers and on the Community Edition download page for Community Edition.

IP Whitelisting

The best way to protect access to admin and downloader locations is to enable access only for users coming from a specified IP address or network. This works best if you always access the store backend from the same location and computer or computers. To find your IP address you can use Google: https://www.google.com/search?q=what+is+my+ip. It should show an address like 111.222.333.444 . This solution will not work properly if you are using dynamic IP addresses or accessing the backend through a mobile device. If your company has a remote workforce, it is important to add their IP addresses as well to ensure that they have access to the network.

IP Whitelisting Protection for /downloader

If You Are Using Apache Web Server

Modify the existing .htaccess file in /downloader. Add the following at the end:

order deny,allow
deny from all
allow from x.x.x.x

You can use multiple allow statements to allow access for more machines or locations.

If You Are Using Nginx Web Server

You will need to work with your hosting provider to block the admin, downloader and RSS locations.

If you have full access to your server, you can modify the Nginx configuration yourself, following instructions posted at https://www.nginx.com/resources/admin-guide/restricting-access/

IP Whitelisting the Admin Panel and RSS Feeds

The admin panel is accessible through /admin and /index.php/admin URLs (or custom paths that you can choose), but it is not a real directory on the server and therefore needs to be protected differently. The same holds true for admin RSS feeds such as low stock notification or order status updates.

The way to protect the admin panel and RSS feeds is to redirect requests coming from unknown IP addresses to the main page. This can be done by editing the .htaccess file in the root Magento folder and adding the following just right after rewrite rules for mobile user agents, which is located just before a section called “always send 404 on missing files in these folders”.

# Replace ADMIN_PANEL_LOCATION with your admin path
RewriteCond %{REQUEST_URI} ^.*/ADMIN_PANEL_LOCATION [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/downloader [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/rss/catalog [OR,NC]
RewriteCond %{REQUEST_URI} ^.*/rss/order [NC]
# Dots are escaped and the end is anchored so only the exact addresses are exempt
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteCond %{REMOTE_ADDR} !^5\.6\.7\.8$
RewriteRule ^(.*)$ http://%{HTTP_HOST}/ [R=302,L]

If You Are Using Nginx Web Server

You will need to work with your hosting provider to block the admin, downloader and RSS locations.

If you have full access to your server, you can modify the Nginx configuration yourself, following instructions posted at https://www.nginx.com/resources/admin-guide/restricting-access/

Fail2Ban Adaptive Filtering

Note: this section is based on information from https://support.hypernode.com/knowledgebase/how-to-protect-your-magento-store-against-brute-force/ created by the authors of magereport.com.

If you have full access to your server, you can install fail2ban software which can limit or stop guessing attacks. An example configuration for Nginx is shown below. Note: this configuration does not block access to RSS feeds. Please work with your system administrator or hosting provider to implement fail2ban properly.

Code to add to /etc/fail2ban/jail.local

[hn-nginx-retry-ban]
# Only ban after multiple retries.
# Use this for "soft" bad behaviour.
# A jail stays disabled unless enabled is set.
enabled = true
port = http,https
filter = hn-nginx-retry-ban
logpath = /var/log/nginx/access.log
bantime = 7200
maxretry = 10

Code to add to /etc/fail2ban/filter.d/hn-nginx-retry-ban.conf:

[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
failregex = ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

In the line listing locations, you can add your custom admin path with |/custompath/.

Change the Location of the Admin Panel and Magento Connect Manager

Password guessing attacks assume typical admin panel locations like /admin, /backend, /manage, /control and similar and the default location of Magento Connect Manager: /downloader. Changing the location of the admin panel and downloader can reduce the likelihood of being targeted by a generic attack. However, it does not protect against targeted attacks as the attacks might try to guess the location first with multiple requests.

Note: some Magento hosting providers have specific security rules that apply to default locations. Please ask your hosting provider if they recommend changing the location before making this update.

Note: if you are not planning on installing extensions from Magento Connect you can delete or fully block access to the downloader directory.

Change the Name of the Admin Panel (Magento 1 Only)

Changing the name of the admin panel can also help to protect it from attacks. To change the name, first log into the admin panel and navigate to System -> Cache Management.

Then you will need to edit file app/etc/local.xml in your Magento installation and change the name in section admin -> routers -> adminhtml -> args -> frontName.

After this change you need to clear all the caches and then log out and log in again using the new URL.

Change the Name of Magento Connect Manager (/Downloader) (Magento 1 Only)

Another approach is to change the name of the Magento Connect Manager. Once you have made this change, it will no longer be possible to open Magento Connect Manager from the Magento admin panel. It must be accessed directly using the new URL.

To change the name of Magento Connect Manager, simply change the folder name from downloader to something unique.

In summary, there are several approaches you can take to help protect your store from brute-force password guessing attacks. We recommend that you quickly review these approaches with your Solution and Hosting Partners and implement the ones that are best suited to your unique situation.
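
Added example, not part of Magento's article: a Python check of the REMOTE_ADDR conditions from the IP whitelisting section. It lists which constructed probe addresses a pattern with unescaped dots and no end anchor (such as ^1.2.3.4) exempts from the redirect, next to the escaped, end-anchored form; the helper names and probe addresses are assumptions made for this example.

```python
import ipaddress
import re

# Matches the negated REMOTE_ADDR conditions used in the .htaccess rules.
COND = re.compile(r"^\s*RewriteCond\s+%\{REMOTE_ADDR\}\s+!(\S+)", re.M)

def exempt_addresses(htaccess_text, probes):
    """Map each REMOTE_ADDR pattern to the probe addresses it exempts."""
    result = {}
    for pattern in COND.findall(htaccess_text):
        rx = re.compile(pattern)
        result[pattern] = [p for p in probes if rx.search(p)]
    return result

def strict_condition(address):
    """Build a condition that exempts exactly one IPv4 address."""
    addr = ipaddress.IPv4Address(address)   # raises ValueError on malformed input
    return "RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(addr)) + "$"

# Pattern style with unescaped dots and no end anchor.
LOOSE = (
    "RewriteCond %{REMOTE_ADDR} !^1.2.3.4\n"
    "RewriteCond %{REMOTE_ADDR} !^5.6.7.8\n"
)
# The same two addresses, escaped and end-anchored.
STRICT = "\n".join(strict_condition(a) for a in ("1.2.3.4", "5.6.7.8"))

# Constructed probe addresses: the two intended ones plus near misses.
PROBES = ["1.2.3.4", "1.2.3.40", "1.2.3.45", "152.3.4.9",
          "1.2.3.5", "5.6.7.8", "5.6.7.89"]

if __name__ == "__main__":
    for label, text in (("loose", LOOSE), ("strict", STRICT)):
        for pattern, hits in exempt_addresses(text, PROBES).items():
            print(f"{label:6} {pattern:16} exempts {hits}")
```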

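Added example, not part of Magento's article or of fail2ban: a Python dry run of the Fail2Ban filter above over constructed nginx access-log lines, counting matches per host against maxretry. Assumptions: <HOST> is replaced by a simplified stand-in, findtime is fail2ban's default of 600 seconds, and LOOSE_FAILREGEX (\S* in place of \S+) is a hypothetical variant, included because the pattern as written needs at least one character between POST and the listed path.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex from the filter above.
PAGE_FAILREGEX = (r'^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin'
                  r'|/admin/index/|/admin/)\s')
# Hypothetical variant: \S* also accepts a path that starts right after "POST ".
LOOSE_FAILREGEX = PAGE_FAILREGEX.replace(r'POST \S+', r'POST \S*')

MAXRETRY = 10                       # from the jail above
FINDTIME = timedelta(seconds=600)   # assumed: fail2ban's default findtime
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

def compile_filter(failregex):
    # Simplified stand-in for fail2ban's <HOST> expansion (assumption).
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def banned_hosts(lines, failregex):
    """Return the hosts with MAXRETRY matching lines inside one FINDTIME window."""
    rx = compile_filter(failregex)
    recent = defaultdict(deque)
    banned = set()
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        stamp = TIMESTAMP.search(line).group(1)
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("host")]
        hits.append(when)
        while when - hits[0] > FINDTIME:   # drop matches older than the window
            hits.popleft()
        if len(hits) >= MAXRETRY:
            banned.add(m.group("host"))
    return banned

def make_line(ip, second, request):
    """Build one constructed nginx 'combined' access-log line."""
    when = datetime(2016, 3, 10, 12, 0, 0) + timedelta(seconds=second)
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +0000] "{request} HTTP/1.1" 200 512 "-" "constructed-agent"'

# Constructed sample traffic using documentation addresses, not real log data.
SAMPLE = (
    # 12 admin POSTs in 12 seconds
    [make_line("203.0.113.7", i, "POST /index.php/admin/") for i in range(12)]
    # 12 admin POSTs, one every 2 minutes: never 10 inside 600 seconds
    + [make_line("198.51.100.9", i * 120, "POST /index.php/admin/") for i in range(12)]
    # 12 POSTs where the path starts right after "POST "
    + [make_line("192.0.2.44", i, "POST /admin/") for i in range(12)]
    # GET requests are not counted
    + [make_line("192.0.2.80", i, "GET /index.php/admin/") for i in range(12)]
)

if __name__ == "__main__":
    print("as written:", sorted(banned_hosts(SAMPLE, PAGE_FAILREGEX)))
    print("\\S* variant:", sorted(banned_hosts(SAMPLE, LOOSE_FAILREGEX)))
```

On a real server, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/hn-nginx-retry-ban.conf runs the installed filter against your own log, which is the check to make before relying on the jail.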
 

MagentoU – 5 years ago today


Five years ago today I attended the MagentoU class at Magento HQ in Culver City, California. It was an intense week-long class taught by Ben Marks and Vinai Kopp. I learned a lot that week and met some really nice people! I framed the completion certificate and still have it hanging on my wall.

MagentoU Completion Certificate
March 11, 2011

 

I have a few more that I’ve added since then:

Certificates
Yes, my office wall is orange. I have a few lanyards from Magento Imagine and Magento Innovate along with some MageShades.

 

Today, I’m spending my Saturday learning and tinkering with Magento2. I want to be ready whenever the M2 Certification comes out (I’ve heard December 2016).

Facebook reminded me of this anniversary date so below are some of the pictures that I took during the 2011 MagentoU class. Time flies!

MagentoHQ
The hallway at Magento HQ had these pictures hanging on the wall.

 

MagentoHQ
More MagentoHQ hallway pictures including one of Bob Schwartz

 

MagentoHQ
First floor of MagentoHQ. There was a coin operated bull ride there for some reason.

 

MagentoHQ
Upstairs, looking down from the balcony

 

MagentoHQ
Random conference room

 

MagentoHQ
Looking down from the balcony. The blurry guy waving is Ben Marks

 

MagentoHQ
From the upstairs balcony a fake beach scene sits on top of the offices below complete with beach towels, coolers and chairs

 

MagentoHQ
The Magento logo. Why doesn’t Magento sell things like this? I’d love to have a Magento light on my wall.

 

MagentoHQ
Close-up of the coin-op bull ride. My phone camera wasn’t that great at the time so some of these turned out blurry

 

MagentoHQ
Vinai teaching class. I’m pretty sure he’s forgotten more about Magento than I’ll ever know

 

MagentoU
In class

 

MagentoU
Sign set up outside of class. The building where the classes were held was right next door to MagentoHQ. There was a print shop downstairs from the MagentoU class that was packing up. During class the room would change slightly throughout the day due to remodeling. Occasionally I’d turn around and think something like “that clock wasn’t hanging there this morning…” or “when did they paint that?” They were like decorating ninjas.

 

MagentoU
Day 2 or Day 3

 

MagentoU
View from the hotel

 

MagentoU
View from the hotel at night

 

<=> PHP7 and Magento (M)


I finally installed PHP7 this weekend and ran some Magento local dev sites. The speed increase is impressive! It’s so much faster that it should be a mandatory requirement.

There’s only a couple of minor quirks, like not having dl() support which killed a couple of the extensions that had copy-protection on one site.  There’s a couple of small things to do to make PHP7 work but it’s covered below.  If you’re ready to take the Magento/PHP7 plunge and are using Ubuntu then this is how you can do it.

First, you have to remove your php5 install.

Remove php5

Warning: This will remove php5 from your system completely. 

sudo apt-get purge 'php5-*'

Add the PHP7 repository

sudo add-apt-repository ppa:ondrej/php

sudo apt-get update

Install PHP7

sudo apt-get install php7.0

Install PHP7 components

sudo apt-get install php7.0-cli php7.0-common libapache2-mod-php7.0 php7.0 php7.0-mysql php7.0-fpm php7.0-curl php7.0-json php7.0-cgi php7.0-mcrypt

sudo service php7.0-fpm restart

sudo service apache2 restart

The Magento PHP7 Fix

Inchoo has this ready in an easy to install extension: https://github.com/Inchoo/Inchoo_PHP7

You may also need:

sudo apt-get install php7.0-intl php7.0-xsl php7.0-gd

(Thanks to Dave Moore for the tip)

 

Common problems with Magento after installing PHP7

If Apache is dumping plain text php instead of rendering it then be sure that you’ve installed libapache2-mod-php7.0.

sudo apt-get install libapache2-mod-php7.0

sudo service php7.0-fpm restart

sudo service apache2 restart

Getting a white page or error about mcrypt in Magento?

sudo apt-get install php7.0-mcrypt

sudo service php7.0-fpm restart

sudo service apache2 restart

 


Magento Certified Solution Specialist


 

I passed the Magento Certified Solution Specialist on July 9, 2015. If you’re thinking about taking this one then be sure to study your e-commerce terms and get very familiar with Magento’s admin.  This study guide helped me the most: http://www.demacmedia.com/magento-commerce/magento-certified-solution-specialist-study-guide/.  Thanks Demac Media!