DO NOT CREATE ANY REQUISITIONS ON MONDAY JUNE 30. Any requisition created on June 30 will be canceled by Purchasing and you will need to recreate it on July 1 with new year funds and your name will be removed from the book of life.

But thanks to WordPress, I find out (belatedly, of course) about Gravatar. You upload your avatar – a small photo or icon – to a central place, and the icon will auto-magically appear next to your name the next time you comment on someone’s blog. Of course, it only works with those blog sites that are using compatible blogging tools or plugins (WordPress now supports it natively).

But what a great idea! And they’ve implemented it in true web 2.0 style – not AJAX for AJAX’s sake but a clean and simple interface that lets you do exactly what you need and then gets out of the way. Bravo!

I am at sxsw interactive. This is my second year. This conference gives me the ideas and the energy to try and make a place for myself in the web industry. This is Day Two, and the panels have been great (most of them), the people I meet and re-meet have made this a blast (most of the time), and in the same day I met Heather Armstrong (dooce.com) and Jonathan Coulton. I also walked past Mike Birbiglia but he was sitting at a table and I figured it would be like swooping down on a helpless rabbit who told really funny jokes, so I kept on walking.

I’m not a fanboy. Right, I have an iPhone. Right, I wear Converse or Adidas shoes. But I have never a) stolen a set list and gotten it autographed, or b) told a famous blogger that my mother doesn’t like it when she uses the F-word. Until today.

I started reading Heather Armstrong’s blog because of my aunt Tori and my mom. I suppose that reading a chick blog is not the manliest thing one can do. Especially one referred to you by your mom. I mean, I prudently wear boots, hunt deer, and spit a lot while I read it (for balance), but my sxsw friends were mildly amused at what I hope wasn’t too starstruck an expression on my face. Heather joined her friend-blogger Margaret Mason to discuss keeping blogging under control (”Content Boundaries, a 12-step Program“). Heather is great to hear speak. It’s refreshing to find that she talks like she writes, frankly and honestly. I especially liked when she switched places with me for our photo, to get on her good side. I respect that.

Daniel with Jonathan Coulton
Originally uploaded by scottfidd

Jonathan Coulton got on my radar because of the portals song, of course. My oldest brother played it for me, and it is just brilliant. So I jumped at the chance to see him live. He gives a subtle but hilarious show that I enjoyed. And I’m hooked. I’m now a total fan.

If my laptop had a battery that lasted longer than a very interesting 10 minutes, I would be putting more information about the cool stuff I’m actually learning here. That will have to come later, in a more distilled form.

Three Hats

White hat hackers are members of the security industry hired specifically to test and find security vulnerabilities in production systems and applications. A company might hire a white hat hacker to attempt to breach their networks and systems without their knowledge. This is very similar to popular television shows where a homeowner learns just how easy it is to break into their own house. The television burglar is videotaped getting through all of their security systems, and then offers advice on how to secure their property. White hat hackers are obviously not going to cause any damage for their clients, and their intent is to strengthen the security measures a client takes against attack. They do not break any laws, as their access to the network, while using the same methods that a malicious hacker (or “cracker”) might use, is perfectly authorized by prior contract.

Black hat hackers are, naturally, the antithesis to a white hat hacker. The hacker community refers to these programmers (often as skilled as true hackers) as crackers, due to their malicious intent to harm or gain profit from hacking. Black hat hackers do not follow any particular ethic, and break into systems for no other reason that to commit a crime of some sort. These are the types of hackers that are most covered in the media, and are often the focus of legislation and public outcry. It is the actions of black hat hackers that have generated a negative image for hacking.

Gray hat hackers are a hybrid of the previous two types. They share the same ethical foundation as the original hacker, but they stretch the boundaries of that ethic into a sort of vigilanteism. The gray hat hacker’s intent is much the same as the white hat hacker: these hackers want to expose vulnerabilities in public and government systems in order to force these systems to become more secure. Yet they do not seek prior consent or authorization. They prefer to hack into these systems anonymously and leave their mark, informing system owners of the vulnerabilities on the way out. They often do not cause any irreparable damage, although they have been known to cross the line into black hat behavior. Because they are not regulated by the security industry’s public ethics (as white hat hackers are), there is no hard and fast code that means a gray hat hacker will always have the greatest good in mind. But for the most part, the intent is to show off by showing other people how vulnerable their systems really are. Gray hat hacking often occurs as a type of “tagging,” much like the graffiti artists of subway fame.

Case Study

In 1999, a seventeen year old hacker with the handle “ytcracker” exploited a weakness in Microsoft NT’s web service and replaced the homepage of three U.S. government agency web sites. The homepages of NASA’s Goddard Flight Center, the office of Land Management’s National Training Center, and a Defense Contracts Audit Agency suddenly showed an image of a graffiti-like rapper with gold necklaces and the message:

To the U.S. government and military–I have warned you about these security flaws. Please secure our military systems to protect us from cyber attack.

ytcracker’s message was accurate–he did send messages to the administrators of these systems notifying them of the vulnerabilities. When they did not fix the security flaws, he used them to breach their systems. The seventeen-year old was charged and fined $30,000 for unauthorized access of a computer system.

Ethical v. Legal

Ethics often entail a philosophical discussion of the greatest good, and an analysis of the “right” decision over the legal decision. This means there are times when committing a crime might still be an ethical act. Or an unethical act might not involve a victim or a crime at all. Legality, on the other hand, pertains to the protection of society. Laws determine what behavior or action is socially allowed. Damage to society or to an individual member of society is often considered illegal.

The actions of gray hat hackers often break the law. The breach of any computer or network without authorization is a violation of the law in many U.S. states and other nations. But the avowed purpose of these actions, according to many gray hat hackers, is to strengthen otherwise weak security systems. Because a question of ethics often involves both intent and a choice for the greater good, it can be argued that gray hat hackers are providing a service that benefits the greater good: the increased security of the Internet. White hat hacking, by its very nature of prior agreement (warning) with the client cannot be 100% effective at exposing unknown vulnerabilities. It is often only once a system has been breached via an unknown weakness that system administrators are forced to take action. The more gray hat hackers expose, the more security holes are closed. The Internet, being a fairly unregulated space (thus is its flexibility), is improved by a joint effort between white hat and gray hat hackers. We need both to create the best possible security environment.

In 2003, broadband usage grew by over 25% in just six months. That trend has continued as the cable and phone companies have expanded their infrastructure. Faster access to the Internet has meant an increase in the number of applications. Instead of existing only at the home office desk, the Internet provides information for the kitchen (recipes, shopping, organization), the living room (media centers, gaming consoles), and the bedroom for those workaholics. Because not everyone can afford to have a computer in every room, or network cable run throughout the house, wireless network devices have become a popular solution. Computer manufacturers have made wireless adapters standard in laptop computers. Phone and cable companies have worked hard to increase their customer base, making the setup of wireless, high-speed Internet connections incredibly simple. Even for the most beginner of home users.

With wired networks, you must have a physical connection in order to use the network. The security is through physical access. Wireless networks have no such security. You must configure your wireless device for this security. This is fine for techies, but non-techie home users rarely have the savvy to secure their wireless networks. It’s not surprising that pirating or piggybacking of these open wireless networks —using someone else’s Internet connection without their knowledge or approval—is extremely commonplace. Is wireless piracy stealing? Or is it a victimless crime?

In 2005, Benjamin Smith, III, was arrested and charged in Florida with unauthorized access to a computer network. In 2006, David Kauchak pleaded guilty in Illinois to “remotely accessing another computer system without the owner’s approval”. In 2007, Michigan resident Sam Peterson was charged under the state’s “Fraudulent access to computers, computer systems, and computer networks” law. Each time, the “criminal” was observed using a laptop computer from their vehicles outside of a business or home. They were taking advantage of unsecured wireless networks to gain access to the Internet.

There are three ethical issues here. First, a network’s owner purchases Internet access from an ISP. The Internet connection is basically licensed to the customer for their use. When other people pirate an Internet connection, the ISP is missing the opportunity for additional revenue. Second, the fact that the networks are unsecured is important. If I were to place a bag of money on the street in front of my house, is it a crime for someone to come by and take it? I know people who leave their wireless networks open on purpose, as a sort of public service for their neighborhoods. How can a laptop user determine which networks are open on purpose, and which are not? Finally, a major problem with unauthorized access to a network is that the network owner doesn’t know what the pirate is doing on their network. If it is something illegal, the network owner is unwittingly an accomplice to a crime, at least in the eyes of the ISP. When an open wireless network in a coffee shop was being used to generate spam, the ISP shut down the coffee shop’s connection.

ISPs need revenue to build up their infrastructure. We need a bigger infrastructure in order to offer Internet speeds equal to those found in Japan and other countries. If someone is able to piggyback on their neighbor’s connection, they’re shooting themselves in the foot. This would mean wireless pirates are slowing down the growth of Internet infrastructure by not purchasing high-speed Internet themselves. But you could also hold network owners who are leaving their wireless networks unsecured (including public libraries and small businesses) just as liable for the loss in revenue. Eric Bangeman of ars technica thinks this is too much of a stretch:

Take the case of public WiFi hotspots: official hotspots aren’t that difficult to find in major cities—every public library in Chicago has open WiFi, for instance. Are the public libraries and the countless other free hotspot providers helping defraud ISPs? No, they’re not. There’s no law that using the Internet requires payment of a fee to an ISP, and the myriad public hotspots prove this.

If there is not a crime against ISPs, then the crime must be against the network owner who left their network unsecured. A wireless pirate is portrayed as a burglar, breaking and entering a property without permission. I find this to be too much of a stretch as well, because the radio signals are entering my house where my device can pick them up. If I had snaked a network cable into someone’s house, or perhaps hooked into their cable box and ran it back over to my house, I could see where I had broken the law. But technically, a wireless network owner is sending their wireless signal into my location (be it out to a public street or into my apartment). Bangeman correlates it to owing a neighbor money because some of the neighbor’s water from their water sprinkler got on my lawn.

If there is no crime against the network owner, then the only time that unauthorized use of an unsecured wireless network should be related to a crime is when that use results in another crime. Pirates should be prosecuted for spamming, downloading child pornography, or any of the other countless things we already have federal laws for, no matter where they gain access to the Internet. And network owners cannot be held responsible for these crimes, just like I cannot be held responsible if someone takes my car and commits a crime with it.

I think state legislatures have been too broad with statutes and laws related to accessing unsecured wireless networks. Until a real crime is committed, accessing something publicly available without “hacking” or compromising information hardly deserves the label “crime”. At most, it could be considered impolite, especially if a pirate uses up all the bandwidth.

And now, WordPress processes my forms for me.

Preempting Genius

The WordPress Plugin API provides hooks into the execution of its code via Actions. As someone views a page on your site, a chain of events is triggered until the requested page is displayed. All along this chain, WordPress notifies itself that it is completing certain Actions.

Plugin developers can use the fact that WordPress has just triggered one of its core functions and execute one of the plugin functions as well. In this way, your plugin can insinuate itself quite deeply inside the main WordPress package.

The earliest Action hook that I could find is named init. The WordPress Codex describes this Action:

Runs after WordPress has finished loading but before any headers are sent. Useful for intercepting $_GET or $_POST triggers.

Translation: Runs after WordPress loads its function environment but before it has displayed anything in the user’s browser. Use our software for your own nefarious goals.

Amazing. They suggest that you use this to turn their software into something else entirely. With a minimum of 8 lines of code, I subverted my favorite open-source software into a simple forms processor that had the power (and data set) of my entire WordPress tool behind it.

The Method

Using WordPress Actions is basically a two step process:

1. Write a PHP function that you want to be triggered at some point in the WordPress execution chain.
2. Use the add_action() function to inform WordPress of a) the core function you want to piggy-back on, and b) the name of the function you wrote in step 1.

Write the Function

I wanted people to be able to use my WordPress as the action URL in HTML forms. Something like:

<form action="http://almostdaniel.com/?form_submit=123" method="post">

I needed a function that could check for a particular attribute each time my site is accessed, and if the attribute is there, preempt everything else WordPress does (such as loading my actual site) and instead process the form that is (hopefully) being submitted.

function form_submit() {
 $form_ID = $_REQUEST['form_submit'];
 if ( !empty($form_ID) ) {
  form_do_submit($form_ID, $_REQUEST);
  exit;
 }
}

Note: I’m only checking to see if some value got passed in “form_submit”. A well-written function would validate the information and only process the form if useful information was being passed. I could even go so far as to make sure that the origin of the submission is allowed. But that is for another post.

The form_submit() function checks to see if the query item “form_submit” was passed to WordPress. In this case, the value of the query item is the form ID number that I will use in processing. If the query item “form_submit” was submitted, I execute a the function form_do_submit() (I put it in its own function just for cleanliness of code) that actually processes the submitted $_REQUEST object (i.e., the contents of the form the user just submitted).

And here is the beautiful part: While I am processing the submitted form, I can use any WordPress function I want. I can store and retrieve data from the WordPress database. This proves quite useful.

Let WordPress in on the Secret

Now, to tell WordPress when I want it to execute this function, I use the add_action() function to my plugin’s main execution space. This ensures that I will always trigger my query check each time my plugin is loaded no matter what.

add_action('init', 'form_submit', 1);

As soon as WordPress loads its environment, my form_submit() function is executed. The ‘1’ just tells WordPress to execute my function as early as possible (a ‘10‘ would have told WordPress to execute my function as late as possible).

Jump Ship

Why does WordPress run my function and not load my website? The handy exit command I put in my form_submit() function. As soon as I’ve processed my form, I just tell WordPress to take a coffee break. And we’re done!

The Code

Here is the code in my plugin’s main file:

function form_submit() {
 $form_ID = $_REQUEST['form_submit'];
 if ( !empty($form_ID) ) {
  form_do_submit($form_ID, $_REQUEST);
  exit;
 }
}

add_action('init', 'form_submit', 1);