Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploads through the standard UI.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First, understand that you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you for security reasons. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe flash” *cough*).

A book can contain a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code, and that code may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner; rather, it would call another site and download a virus from that alternate location.
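To show the kind of vetting a network administrator would do before accepting an epub, here is an added example (not Tendenci code): a Python script that builds a small constructed epub-like archive and scans its content documents for bundled JavaScript files, remote script references, inline scripts and inline event handlers. The archive contents and the example.invalid URL are constructed for the demo.

```python
import io
import re
import zipfile

# Markers for the executable bits an EPUB 3 reading system may run.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
EVENT_ATTR = re.compile(r"""\son[a-z]+\s*=\s*["']""", re.IGNORECASE)
CONTENT_EXT = (".xhtml", ".html", ".htm", ".xml")


def build_sample_epub():
    """Constructed sample archive (not a real book): one scripted chapter, one clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # A real EPUB stores an uncompressed 'mimetype' entry first.
        z.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        z.writestr("OEBPS/ch1.xhtml",
                   '<html><body><p onclick="alert(1)">Tap me</p>'
                   '<script src="https://example.invalid/loader.js"></script>'
                   '<script>document.title = "changed";</script></body></html>')
        z.writestr("OEBPS/ch2.xhtml", "<html><body><p>Plain chapter.</p></body></html>")
        z.writestr("OEBPS/js/extra.js", "console.log('hi');")
    return buf.getvalue()


def scan_epub(data):
    """Return (member, finding) pairs for anything in the archive that could run code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "mimetype" not in names or z.read("mimetype").strip() != b"application/epub+zip":
            findings.append(("mimetype", "missing or wrong EPUB mimetype"))
        for name in names:
            lower = name.lower()
            if lower.endswith(".js"):
                findings.append((name, "bundled JavaScript file"))
                continue
            if not lower.endswith(CONTENT_EXT):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for m in SCRIPT_TAG.finditer(text):
                src = SRC_ATTR.search(m.group(1))
                if src and src.group(1).lower().startswith(("http://", "https://", "//")):
                    # The "calls another site and downloads" case described above.
                    findings.append((name, "remote script: " + src.group(1)))
                elif src:
                    findings.append((name, "local script: " + src.group(1)))
                else:
                    findings.append((name, "inline <script> block"))
            if EVENT_ATTR.search(text):
                findings.append((name, "inline event-handler attribute"))
    return findings


def is_safe_to_upload(data):
    """Policy used here: reject any archive containing script of any kind."""
    return not scan_epub(data)
```

For the constructed sample, `scan_epub` reports four findings (all in the first chapter and the bundled .js file) and `is_safe_to_upload` returns False; the clean second chapter produces nothing.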

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

[Screenshot: epub javascript]

And examples:

[Screenshot: pop ups from js in epubs]

To be sure, I love learning sites that have code I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi files, given the millions of people who log into hundreds of open source Tendenci sites, hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

Tendenci Exports – Plus Easy Ways to Make Static Copies of Your Site

Today’s Tendenci community knowledge share. Here are three very easy free or low cost methods of making a static copy of a web site. Use with caution; just know you have the power.

On Windows you can use HTTrack https://www.httrack.com/

[Screenshot: HTTrack Website Copier, download a static version of a web site to your PC]

On a Mac computer you can use sitesucker ($5) http://ricks-apps.com/osx/sitesucker/index.html

[Screenshot: SiteSucker to download a static site to your Mac computer]

On the go? You can also use SiteSucker from the App Store to download to your iPhone or iPad for $2 http://ricks-apps.com/ios/sitesucker/index.html

[Screenshot: Use iOS to download your site for $2]

Of course, for structured data in Tendenci there are TONS of ways to export, including exporting a copy of your entire database. There are help files on common exports like How to export your membership. There are too many options to list them all, but I’d encourage you to visit the support center or just google “tendenci exports” for more.

If you are on version 5 and want to “kick the tires” on Tendenci version 7, use https://demo.tendenci.com – you can log in here https://demo.tendenci.com/accounts/login/ using “admin/admin” or “user/user”. It resets every hour or so because of spammers, but you can still get a feel for it. A HUGE upgrade from version 5.

[Screenshot: Tendenci Admin Default Dashboard]

There is also a previous post on making a static copy of your site here that is a bit more technical as well.

Why do we point out all of the ways to copy your Tendenci site (or most sites really)? Doesn’t that make it easier to leave?

Yes. Yes it does. BUT people rarely leave. Or if they do, they typically stay on Tendenci and self host. They’re still part of the Tendenci community which helps us all.

Another reason we promote exports and offsite backups is that we know the more freedom you have, and the more you realize you have it (especially on the Tendenci open source platform), the less likely you are to leave.

Think about it. Why would anyone who actually understands their product is open, does far more than other options, is lower cost, and they can self host if they want… why would that person make the decision to leave? It’s illogical.

I mean, who wants to be the President of an Association that takes it backwards in time to proprietary technology or an older open source software built on an unpopular programming language? That’s not in the best interests of the association long term.

Tendenci is written in Python and uses Java and Javascript libraries. This linked chart says it all.

[Chart: The 8 most in-demand programming languages of 2016]

Popular programming languages means more coders for open source projects written in that language. And more capable people to modify and customize your install if you choose.

One of our goals is FREEDOM from the tyranny of per-user-licensing, proprietary products that want to own YOUR DATA, long term contracts, sites that post your events on THEIR site so if you leave then the history of that event is gone in the blink of an eye. Companies don’t own your data and they shouldn’t trap you.

We think that is unethical and just wrong.

Membership Management Software should be Open Source, Accessible, Responsive, and Search Engine friendly by default. Tendenci does all of those things.

Further, we believe that Open Source Membership Management Software should be written in a Modern Programming Language like Python (watch out for bunnies) and that the software should be documented and open source (free, as in beer). Even the US Government likes Open Source!

Want to change something? Get involved! Post on the forums at https://ww.tendenci.com/forums or post an issue at https://github.com/tendenci/tendenci/issues . If you are a programmer or into documentation, submit a pull request.

We make it easy to leave because we hope you don’t. Hence Tendenci has an incredibly low churn rate. That creates stability you can count on.

#peace

The Reveille Club is Back on Tendenci. Thanks!

As an Aggie I am particularly appreciative of earning a client back. Especially when it’s my Aggies! (Whoooop! Class of ’90 myself.) From the press release:

Reveille Club Returns to the Tendenci Platform for Membership and Event Management

HOUSTON, February 3, 2016 – Tendenci (www.tendenci.com), the software development company spearheading the Tendenci Open Source platform for associations and other nonprofits (NPOs), is proud to release a dynamic membership website for the Reveille Club of Houston.

The website, http://www.reveille.org, promotes local networking events for Aggies and non-Aggies alike to build new business relationships in the Houston area.

Tendenci Open Source was released as an open source solution for associations and non-profits to give membership organizations greater freedom and control over their online presence.

The Reveille Club of Houston is focused on building a professional community

Source: https://www.tendenci.com/news/reveille-club-of-houston-launches-new-tendenci-website/

Note: This blog post is one of several of us playing a bit of catch-up on posting site releases to our blog as well. We are proud of the work our team and our partners do with Tendenci. Open Source is powerful stuff. It’s like Freedom – it’s a good thing.

Python still the most popular coding language and growing

Tendenci, the Open Source Membership Management Software, is written in a programming language named Python. (Named after Monty Python of course!)

[Chart: Python ranks #1, the most popular coding language of 2015]

And Python is the most Popular Coding Language of 2015. A nice winning streak! This matters to people choosing membership software because open source means it can’t be taken away from you. Lots of options to export from Tendenci as well if a better solution for your particular needs comes up.

The more people who know a given programming language, the more resources you have to support, extend, upgrade and hopefully also contribute to the Tendenci software and get involved.

So let’s be honest, we all like playing on the winning team. We bet on Python very early. We used Python even on the windows platform in the early 2000s. Python has truly hit a critical-mass among developers.

Given the Django web framework behind Open Source Tendenci is written in Python, and all of Tendenci’s apps are written in Python, we feel pretty good about the future stability of our technology stack.

In other words, the future looks bright and we welcome more developers to join the Tendenci community!

(source: http://blog.codeeval.com/codeevalblog/2015#.VohU45MrLeQ= )

10 Million NGOs Worldwide (who just might want open source multilingual software)

Let’s start 2016 off with some great news. NGOs are growing internationally and their role in our society is becoming more important. From the post:
https://www.ongood.ngo/portal/facts-and-stats-about-ngos-worldwide

#NGOfacts is an ongoing campaign that highlights statistical data about NGOs, nonprofits and charities worldwide. Committed to building a comprehensive list of facts and stats about the NGO sector, please check back regularly for updates.

1. There are an estimated 10 million (non-governmental organizations) NGOs worldwide.
Source: The Global Journal

2. The number of people worldwide donating money to NGOs increased from 1.2 billion in 2011 to 1.4 billion in 2014. By 2030, the number is expected to grow to 2.5 billion.
Source: Charities Aid Foundation

(those are the first two points of 14 – go read the full post here!)

And yes, we are pretty happy to see greater adoption of Tendenci – an open source software solution for NGOs that is already multilingual. Join us!

RIP Ian Murdock

RIP Ian Murdock, the founder of Debian Linux. Without Ian’s work in the Open Source Community there could be no Tendenci. This is a sad way to end 2015.

News links below:

#RIP

Why Use Open Source Software: The Benefits – LinuxIT Europe

This video is one of the best explanations of why people are switching to Open Source solutions like Tendenci.

The video is from LinuxIT Europe so go check them out.

And if you’d like to learn more about Tendenci functionality for non-profits here is a video from us.

Example: Our web site is at www.tendenci.com with membership management software functionality in addition to high end cms capabilities.

But what about the code? It’s right on github for you to peruse right now https://github.com/tendenci/tendenci because …. well, just watch this video to understand how differentiated open source is!

Django 1.49 EOL drives Tendenci 5 EOL date – time to upgrade

Tendenci 5.x or earlier clients should upgrade to Tendenci 7+ now.

If you are on Tendenci 5 or earlier, you need to upgrade. For open source self-installed users, the instructions to upgrade Tendenci are on readthedocs. For hosted clients, please contact us.

Why? What is driving this notice?

Primarily as a safety precaution, even though there are no known issues at this time: Django has declared EOL for Django 1.49, which is the version behind Tendenci 5. (Note: Tendenci 7 uses Django 1.8+ and is not impacted.)

What happens if we don’t upgrade to a newer version of Tendenci?

First – it’s in your best interest because of changes in search engine technology and users’ browsing behavior. But…

In the short term, probably nothing will happen, as there are no known issues that I am aware of as I type this. But if the community is not maintaining Django 1.49, then nobody is watching it on a daily basis, which opens the door to security issues going undiscovered.

Is there a cost to upgrade from Tendenci 5 to Tendenci 7? Yes.

Earlier this year Google changed its ranking system to strongly favor mobile web sites. As a result, Tendenci 6 and Tendenci 7 use a significantly different template theming based on Bootstrap 3. In the industry this was referred to as “Google’s Mobilegeddon”.

http://money.cnn.com/2015/04/21/technology/google-mobilegeddon/index.html

Is there a cost to upgrade from Tendenci 6 to 7?

No. There is no cost to upgrade from T6 to T7.

It is redoing the layouts to be mobile responsive that creates the need for human intervention in upgrades from T5. And this was driven by Google and by you, the user, who now browses the web more on a mobile device than on a computer.

[Chart: More mobile web than desktop or mobile apps; how you browse the web now]

We strongly recommend you upgrade with the team at Tendenci or with your own developer. The full upgrade instructions are posted on readthedocs.

The good news is we expect future upgrades to be less painful now that we are on Bootstrap 3+ and mobile compatible. Which is why the T6 to T7 upgrade is free for our hosted clients.

We can’t guarantee that all future upgrades after T7 will be free because you never know what Apple, Google, Microsoft, or Samsung are going to do. But we are doing our best to help you control costs and stay safe on this whole crazy Internet thing.

Software Lifecycles and End of Life Version Dates

What is this whole “End of Life” thing?

Software evolves along with constantly changing technology. From a client’s perspective it looks like this:

[Figure: Software Product Lifecycle]
“ProductEndOfLifeCycle” by Arkrishna, own work. Licensed under CC BY-SA 3.0 via Commons.

Tendenci is based on Django, which has a stated release cycle methodology. Django is the web framework that handles much of the heavy lifting. Therefore Tendenci, which depends on Django, is tied to their release and support cycles.

To a developer software development cycles look like this:

[Figure: Software Development Cycles]
“Software dev2” by Heyinsun, own work. Licensed under CC BY 3.0 via Commons.

Like a cell phone, your web site needs to be upgraded every few years as technology changes. Your old flip phone might still work, but it might also have a security vulnerability that was discovered a year or two after EOL and nobody is there to catch it.

More on that in a follow up post.

Download a Static Version of Your Site

You should backup your website yourself on a regular basis. It is after all YOUR web site, right?

We see questions in help desk tickets that are phrased differently, like “how can I get a static version of my site?” or “do you use FTP?” or similar, but basically it’s the same question. And it is a great question. At Tendenci we believe that while all vendors don’t have to be open source like Tendenci is (full source code available at https://github.com/tendenci/ ), they should at least make it easy for you to get your content. But they don’t. So let’s show you how to get it anyway.

Let’s pretend you want to download an entire static (meaning not-database driven but looks almost identical) version of your site on a Mac. First the free way to do it:

Download wget for your Mac. The easiest way is using the Rudix packages (Note – I’m typing this on Sept 10, 2015 so with time, check it to be sure it is still safe.) http://rudix.org/packages/wget.html

[Screenshot: wget for Mac]

Then you have to launch terminal. I know terminal is kind of scary if you haven’t used it much so I’ll show you a paid version way of downloading your site in a sec. First the “free” way. Launch terminal on your Mac. It should look something like this:

[Screenshot: terminal window]

The next line looks complicated. It kind of is, but just copy and paste it replacing the part that reads MYWEBSITE with your web site. You do have to include the “http” part so it’s easiest to go to your site in a web browser and copy it from the address bar.

wget --limit-rate=400k --no-clobber --convert-links --restrict-file-names=windows --random-wait -r -p -E -e robots=off -U mozilla MYWEBSITE

In terminal I highlighted in blue the part that I typed in. In this case I was making an offline static backup of the site for our client http://www.texasliver.com (Dr. Galati is awesome!)

[Screenshot: wget downloading a site]

Everything after the blue part (again, copy the command from where I pasted it above and just change the URL to yours) is just the system starting to download the files. It DOES cause load on the server, so perhaps don’t run it at lunch or during high traffic times. When it’s done you should be able to see it in Finder and it should look about like this.

[Screenshot: downloaded Texas Liver site in Finder]

BUT, this isn’t currently on a web server. Still, you can view it in your web browser by clicking the “index.html” file, for example. When viewed as offline files the browser bar looks kinda like this:

[Screenshot: exported web site opened from local files]

And BOOM! You have all of your files for free! Even if you made a mistake and went with a proprietary vendor a while back. You CAN get your files.

Bonus round for the uber geeks. If you want to download and build wget on your Mac yourself, you can use these lines (check for newer versions as this blog post ages, of course):

cd ~/Downloads/
# Fetch the source tarball. GNU also publishes a detached .sig next to each
# release tarball; verify it before building rather than trusting the download.
curl -O http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
tar -zxvf wget-1.15.tar.gz
cd wget-1.15/
./configure --with-ssl=openssl
make
sudo make install
# Back out of the source directory before removing it.
cd ..
rm -rf wget-1.15
rm wget-1.15.tar.gz

Thanks and let’s hear it for Open Source Software like Tendenci. And here’s to open source software like “wget” that allows you to get a static copy of your site even from proprietary vendors and their long contracts. Freedom is good.

Lastly a few (some paid) alternatives to download your site:

http://ricks-apps.com/osx/sitesucker/index.html

For Windows you can google it, although I can’t vouch for any of these products, so be sure to run your virus scanner and watch for bad guys as always.

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=sitesucker%20for%20windows