Security Diligence Required to Prevent ePub or Mobi Javascript Hacks

Why Tendenci doesn’t support epub uploads through the standard UI.

We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.

Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.

Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!

As for the upload restrictions in Tendenci, here is why we are cautious:

While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you for security reasons. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe flash” *cough*).

A book can have a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code, and that code may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner. Rather, it would call another site and download a virus from that alternate location.
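As an added illustration of the kind of check an upload gate would need (example code, not Tendenci’s own upload handler): an EPUB is a zip of XHTML, so a defender can unpack it and refuse any member that carries a `<script>` element, an inline `on*` handler, a `javascript:` URL, a `.js` file, or an OPF manifest item declared `scripted`. The one-chapter sample book is constructed in memory so the check runs offline; a plain `<pre>` code listing is correctly left alone.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from typing import List

# Archive members that can carry markup and therefore scripting.
TEXT_MEMBERS = (".xhtml", ".html", ".htm", ".xml", ".opf", ".svg")


class _ScriptFinder(HTMLParser):
    """Record <script> elements, on* event handlers and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append(f"inline handler {name}=")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}=")


def scan_epub(data: bytes) -> List[str]:
    """Return one finding per scripting indicator; [] means none were found."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(".js"):
                findings.append(f"{name}: JavaScript file in archive")
                continue
            if not lower.endswith(TEXT_MEMBERS):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            # EPUB 3 packages flag scripted content documents in the OPF manifest.
            if lower.endswith(".opf") and re.search(r'properties="[^"]*\bscripted\b', text):
                findings.append(f"{name}: manifest item declared scripted")
            parser = _ScriptFinder()
            parser.feed(text)
            findings.extend(f"{name}: {hit}" for hit in parser.findings)
    return findings


def build_sample_epub(scripted: bool) -> bytes:
    """Constructed one-chapter EPUB (not a real book). scripted=True embeds JS."""
    head = '<script type="text/javascript">alert("hi")</script>' if scripted else ""
    body = ('<a href="javascript:void(0)" onclick="run()">demo</a>' if scripted
            else "<pre>print(1)</pre>")  # a plain code listing is not scripting
    chapter = ('<?xml version="1.0" encoding="utf-8"?>'
               '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Ch 1</title>'
               f"{head}</head><body><p>A book can have a code example.</p>{body}"
               "</body></html>")
    props = ' properties="scripted"' if scripted else ""
    opf = ('<?xml version="1.0"?><package xmlns="http://www.idpf.org/2007/opf" '
           f'version="3.0"><manifest><item id="c1" href="ch1.xhtml" '
           f'media-type="application/xhtml+xml"{props}/></manifest></package>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", "<container/>")
        zf.writestr("OEBPS/content.opf", opf)
        zf.writestr("OEBPS/ch1.xhtml", chapter)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("scripted" if flag else "plain", scan_epub(build_sample_epub(flag)))
```

A non-empty result is reason to route the file to the network administrator instead of accepting it through the normal upload form.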

For more on the wonderful functionality that makes epubs more accessible, but also a security threat if not carefully vetted, visit http://epubzone.org/news/epub-3-and-interactivity

Two screen shots from the epubzone.org site are pasted below.

epub javascript

And examples:

pop ups from js in epubs

To be sure I love learning sites that have code that I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi given the millions of people who log into hundreds of open source tendenci sites hosted or in the wild. We are just cautious.

And again – there are alternatives.

  1. Upload it to a different location and link to it <– RECOMMENDED!
  2. Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
  3. Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED

PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.

Tendenci Exports – Plus Easy Ways to Make Static Copies of Your Site

Today’s Tendenci community knowledge share. Here are three very easy free or low cost methods of making a static copy of a web site. Use with caution, just know you have the power.

On Windows you can use HTTrack https://www.httrack.com/

HTTrack Website Copier (free software offline browser, GNU GPL): download a static version of a web site to your PC

On a Mac computer you can use sitesucker ($5) http://ricks-apps.com/osx/sitesucker/index.html

SiteSucker to download a static site to your Mac Computer

On the go? You can also use sitesucker from the app store to download to your iphone or ipad for $2 http://ricks-apps.com/ios/sitesucker/index.html

Use IOS to download your site for $2

Of course for structured data in Tendenci, there are TONS of ways to export, including exporting a copy of your entire database. There are help files on common exports like “How to export your membership”. There are too many options to list them all, but I’d encourage you to visit the support center or just google “tendenci exports” for more.

If you are on version 5 and want to “kick the tires” on Tendenci version 7, use https://demo.tendenci.com – you can login here https://demo.tendenci.com/accounts/login/ using “admin/admin” or “user/user”. It does reset every hour or so because of spammers but you can still get a feel for it. A HUGE upgrade from version 5.

Tendenci Admin Default Dashboard

There is also a previous post on making a static copy of your site here that is a bit more technical as well.

Why do we point out all of the ways to copy your Tendenci site (or most sites really)? Doesn’t that make it easier to leave?

Yes. Yes it does. BUT people rarely leave. Or if they do, they typically stay on Tendenci and self host. They’re still part of the Tendenci community which helps us all.

Another reason we promote exports and offsite backups is because we know the more freedom you have, realizing you have that freedom especially on the Tendenci open source platform, makes it less likely for clients to leave.

Think about it. Why would anyone who actually understands their product is open, does far more than other options, is lower cost, and they can self host if they want… why would that person make the decision to leave? It’s illogical.

I mean, who wants to be the President of an Association that takes it backwards in time to proprietary technology or an older open source software built on an unpopular programming language? That’s not in the best interests of the association long term.

Tendenci is written in Python and uses Java and Javascript libraries. This linked chart says it all.

Chart: THE 8 MOST IN-DEMAND PROGRAMMING LANGUAGES OF 2016

Popular programming languages means more coders for open source projects written in that language. And more capable people to modify and customize your install if you choose.

One of our goals is FREEDOM from the tyranny of per-user-licensing, proprietary products that want to own YOUR DATA, long term contracts, sites that post your events on THEIR site so if you leave then the history of that event is gone in the blink of an eye. Companies don’t own your data and they shouldn’t trap you.

We think that is unethical and just wrong.

Membership Management Software should be Open Source, Accessible, Responsive, and Search Engine friendly by default. Tendenci does all of those things.

Further, we believe that Open Source Membership Management Software should be written in a Modern Programming Language like Python (watch out for bunnies) and the software should be documented and open source (free, as in beer). Even the US Government likes Open Source!

Want to change something? Get involved! Post on the forums at https://ww.tendenci.com/forums or post an issue at https://github.com/tendenci/tendenci/issues . If you are a programmer or into documentation, submit a pull request.

We make it easy to leave because we hope you don’t. Hence Tendenci has an incredibly low churn rate. That creates stability you can count on.

#peace

AUFS and Docker Deployment (Developer Track)

The AUFS file system is part of what gives us C-Groups, now called containers, now called Dockers, etc.; it is the onion-style file system that gives Dockers (we’re just going to settle on calling them dockers) their magical powers.

AUFS file system with Dockers on Ubuntu: not your ordinary file system

This can lead to some very unexpected results. For example, deleting a file in container “X” will appear to delete it. However, let’s presume the previous base box “A” had the file and you want to make a new image and container from “A”. You might presume that file “abc” was deleted from all of the layers. But with AUFS that isn’t how it works. You either keep layering up (meaning build your new site as a container from an image of the latest container you were working on).

This layering is a critically important concept to fully understand if you are working with dockers and the AUFS file system. Rather than take my amateur explanation of it, I’ll refer you to the full docs on and let you go from there. Just *please* don’t overlook file system layers in AUFS when troubleshooting issues with containers.
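To make the layering concrete, here is a small model of AUFS union semantics, added as an illustration (it is not Docker’s or AUFS’s code, and it simplifies away details such as opaque directories): every image layer is read-only, a container gets a writable layer on top, and deleting a file that lives in a lower layer only writes a `.wh.<name>` whiteout marker into the writable layer. The file and layer names are made up for the demo.

```python
from typing import Dict, List, Optional

WHITEOUT_PREFIX = ".wh."  # AUFS masks a deleted lower-layer file with ".wh.<name>"


class Layer:
    """One image layer (or a container's writable layer): path -> content."""

    def __init__(self, name: str, files: Optional[Dict[str, str]] = None) -> None:
        self.name = name
        self.files: Dict[str, str] = dict(files or {})


def whiteout_name(path: str) -> str:
    """Whiteout marker that sits beside the file in the same directory."""
    head, _, tail = path.rpartition("/")
    return f"{head}/{WHITEOUT_PREFIX}{tail}" if head else WHITEOUT_PREFIX + tail


class Container:
    """A writable layer stacked on read-only image layers (bottom layer first)."""

    def __init__(self, image_layers: List[Layer], name: str) -> None:
        self.lower = list(image_layers)
        self.upper = Layer(name)

    def read(self, path: str) -> Optional[str]:
        # Walk from the writable layer down; the first whiteout or file decides.
        for layer in [self.upper] + self.lower[::-1]:
            if whiteout_name(path) in layer.files:
                return None
            if path in layer.files:
                return layer.files[path]
        return None

    def write(self, path: str, content: str) -> None:
        self.upper.files.pop(whiteout_name(path), None)
        self.upper.files[path] = content

    def delete(self, path: str) -> None:
        # Lower layers are never modified: a file that lives there is only masked.
        self.upper.files.pop(path, None)
        if any(path in layer.files for layer in self.lower):
            self.upper.files[whiteout_name(path)] = ""

    def commit(self) -> List[Layer]:
        """Like 'docker commit': freeze this container's layer as a new image."""
        return self.lower + [Layer(self.upper.name, self.upper.files)]


def demo() -> Dict[str, Optional[str]]:
    """Reproduce the scenario in the text: base image A holds file abc."""
    image_a = [Layer("A", {"/site/abc": "original"})]
    x = Container(image_a, "X")
    x.delete("/site/abc")                       # looks deleted inside X
    fresh_from_a = Container(image_a, "Y")      # new container straight from A
    layered_on_x = Container(x.commit(), "Z")   # new container from an image of X
    return {
        "in X after delete": x.read("/site/abc"),
        "new container from A": fresh_from_a.read("/site/abc"),
        "new container from image of X": layered_on_x.read("/site/abc"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

Only the container built on top of X’s committed layer inherits the whiteout; anything started from image A still sees the file, which is the surprise the text warns about.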

Python still the most popular coding language and growing

Tendenci, the Open Source Membership Management Software, is written in a programming language named Python. (Named after Monty Python of course!)

Chart: Python – the most popular coding language of 2015

And Python is the most Popular Coding Language of 2015. A nice winning streak! This matters to people choosing membership software because open source means it can’t be taken away from you. Lots of options to export from Tendenci as well if a better solution for your particular needs comes up.

The more people who know a given programming language means you have lots of resources to support, extend, upgrade and hopefully also contribute to the tendenci software and get involved.

So let’s be honest, we all like playing on the winning team. We bet on Python very early. We used Python even on the windows platform in the early 2000s. Python has truly hit a critical-mass among developers.

Given the Django web framework behind Open Source Tendenci is written in Python, and all of Tendenci’s apps are written in Python, we feel pretty good about the future stability of our technology stack.

In other words, the future looks bright and we welcome more developers to join the Tendenci community!

(source: http://blog.codeeval.com/codeevalblog/2015#.VohU45MrLeQ= )

“Old Developers Just Don’t Get it. Yes They Do. No They Don’t” – Ed Schipul and John-Michael Oswalt at Ignite OSCON

Ignite OSCON Ed JMO

This week, we sent our CEO Ed Schipul and Programming Manager John-Michael Oswalt to speak at the Ignite session of OSCON 2013 Open Source Convention in Portland!

Ignite’s format is made up of five-minute presentations using 20 slides that auto-advance every 15 seconds – known as “speed dating for ideas” by some.


Take 5 Minutes and Watch this Video!

Below is Ed and JMO’s five minute talk on the generational differences of programmers – particularly Millennials vs. Gen Xers – and how that has influenced Tendenci’s development.

“Old Developers Just Don’t Get it. Yes They Do. No They Don’t”


Thoughts? Please share in the comments!

Come Brainstorm Ways to Use the City of Houston’s Big Data for Good with Netsquared this May!

houston netsquared logo 2012 twitter


#NET2Houston will host the City of Houston and Houston’s Civic Hackers on May 14th for our monthly meetup at Stag’s Head Pub. RSVP on the Netsquared Houston meetup group.


Houston’s City Data Goes Open Source

I’m really excited about our upcoming event, where we’ll learn about the City of Houston Hackathon to kick-off the City of Houston’s Open Data Initiative.

City of Houston Open Innovation Hackathon

Bruce Haupt, from the City of Houston’s Finance Department, will share the vision of Mayor Annise Parker and Council Member Ed Gonzalez for utilizing Houston’s Open Data Initiative to improve our city.

Bruce will show you some examples of how initiatives like this have benefitted other cities, and tell you about some of his favorite projects. You can view a few ideas the Mayor’s office has developed on the HoustonHackathon.com Projects page.

We’re going to also be brainstorming our own ideas about how open City data sets can help advance civic-minded causes in Houston!

Learn More about Open Data and Your City

Open source data sets are rapidly being released by local, state and Federal governments regularly now, and thanks to newer technology frameworks, like Django and Rails, it’s easier than ever to connect to different databases and sync or share data sets.

Here’s 3 awesome links to get quick facts and juicy details about the City of Houston and Code for America’s Open Data and Innovation projects:

1) The Code for America App database aims to be the “most complete and up-to-date database of government and civic software”, according to their website: (http://commons.codeforamerica.org/apps/), and some of the apps they have listed are really incredible and they’re open source.

2) The open data portal software that Houston’s data portal will utilize is called CKAN. CKAN provides the tools needed to enable and manage file and data sharing between two databases. Learn more about Code for America’s open source data portal platform: http://commons.codeforamerica.org/apps/ckan.

3) Read the Mayor’s Press Release announcing the Hackathon and Open Initiative Program launch: http://www.houstongovnewsroom.org/go/doc/2155/1762955/.

How Will You Use the Data for Good?

Tuesday May 14th – Join us for Netsquared at Stag’s Head Pub

Come share your ideas for using the city’s data with Bruce and other civic-minded hackers and techies. Your ideas on how to use these data sets can dramatically improve our community by providing us with more accurate, real time data about our city’s resources and how they’re utilized.

May 17th-May 19th – Join us at the Houston Hackathon

The City of Houston will Kick-Off the Open Data Initiative with a weekend long Houston Hackathon.

Ed and I will be sharing Tendenci t-shirts and stickers at the Hackathon, and we’re available to help with your project if you need an extra geek. If you’re interested in using Tendenci’s open source platform for building a city data app, come find me because I have a few ideas about how nonprofits and associations might want to use public city data with their websites and membership databases.

Join Us Tuesday, and Bring a Friend!

Leave your comments below if you have ideas to share, and follow the conversations on Facebook, too!

“Like” Net2Houston on Facebook

“Like” Tendenci on Facebook

RSVP for the Houston Hackathon Pre-Launch Happy Hour on Facebook

PyCon US 2013 – Python Conference in Santa Clara, California

[![image][audience]][audience-link]
[Photo by Eloy Zuniga Jr.][audience-link]

### You’d like it

For those of you who love to tinker with things or reverse engineer them (destroy them) to figure out how they work, [this is your place][pycon-url].

It’s always great to see the latest and greatest being invented by **2500** of your closest friends, when services and features are extremely undervalued and success is at its infancy.

Have doubts about the size of this annual event? [Check out the sponsors][sponsors].

I’ve been a programmer now for more than 10 years and a Python developer for over 3 and I can sincerely say I may never grow old of this stuff. It keeps me young, can I say that? Just did.

### What you’ll see and maybe learn

What to expect when your “[Excepting][exceptions],” little bit of nerd humour there, don’t mind if I do. But seriously, what should you expect if you come on down?

[![image][photo-guido]][guido]
[Photo by Ed Schipul][guido]

1. Well we have lightning talks with rapping programmers. [Listen to this intro][lightning-talks].

2. We have the benevolent dictator which only [speaks genius][keynote]. One of these days I’ll be able to understand his entire talk. AKA the creator of Python.

3. [The creator][keynote2] of the [Raspberry Pi][raspberry-pi]. A less-expensive computer that’s providing for those on the other side of the digital divide.

4. People sporting the latest technology such as [Teslas][tesla] and [Google Glasses][glass]. Maybe the car had more to do with the fact we were in California.

[![image][photo-tesla]][tesla]
[Photo by Ed Schipul][tesla]

### Tell me more about these “Lightning Talks”
Anyone attending PyCon can have 5 minutes to talk about anything that is *remotely* associated to Python. Bright minds are sitting in the audience, they could be sitting next to you … you could be one. So why not let them speak.

For 5 minutes you can talk to one of the widest Python audiences you’ll probably ever encounter. Talk about a pet project, do a little venting, bring a community together and promote your conference.

Just be careful, developers tend to be highly sensitive to the ole sales-pitch.

### See you next year

We had a great time — I hope this is obvious — we did a lot of learning, and we hope to see you next year.

[![image][photo-group]][group]
[Photo by Ed Schipul][group]

### References

1. [Full List of PyCon US 2013 Videos][pycon-videos]
2. [Photos taken by Ed Schipul][pycon-photos]
3. [PyCon 2011 Blog Post][pycon-2011-blogpost]

[pycon-videos]: http://pyvideo.org/category/33/pycon-us-2013 “PyCon US 2013 Videos”
[pycon-photos]: https://tendenci.com/photos/set/58/ “PyCon US 2013 Photos”
[pycon-2011-blogpost]: http://blog.schipul.com/pycon-2011/ “Pycon US 2011 Blogpost”
[lightning-talks]: http://pyvideo.org/video/1853/friday-evening-lightning-talks “Lightning Talks”
[exceptions]: http://docs.python.org/3.3/tutorial/errors.html “Errors and Exceptions”
[keynote]: http://pyvideo.org/video/1667/keynote-1 “Keynote Guido Van Rossum”
[keynote2]: http://pyvideo.org/video/1668/keynote-2 “Keynote Eben Upton”
[raspberry-pi]: http://www.raspberrypi.org/ “Raspberry Pi”
[audience]: http://distilleryimage2.s3.amazonaws.com/fc91835c8d8e11e2beb722000a9f3ce2_7.jpg “PyCon US 2013 Audience”
[audience-link]: http://instagram.com/p/W4pwjGHu4G/
[guido]: https://tendenci.com/photos/1604/in/58/
[photo-guido]: http://tendenci.com/photos/1604/640×360/
[sponsors]: https://us.pycon.org/2013/sponsors/
[pycon-url]: https://us.pycon.org/2013/
[tesla]: https://tendenci.com/photos/1614/in/58/
[photo-tesla]: http://tendenci.com/photos/1614/640×360/
[glass]: http://www.google.com/glass/start/how-it-feels/
[group]: https://tendenci.com/photos/1599/in/58/
[photo-group]: http://tendenci.com/photos/1599/640×360/

Post Django Dash 2012 Recap

We did it. Django Dash for our second year in a row. A little different, but still memorable.

From home

This year we spent the majority working from the comfort of our own homes.

Thanks to Schipul and our decision to move toward a remote work lifestyle we were able to easily face this year’s competition in style, aka in our jammies.

If anything this saved us valuable travel and setup time.

Lessons learned

I said this last year, but I’ll say it again this year; because apparently we did not learn our lesson.

Make as many decisions as possible before the competition. Think roadmap or dare I say clipboard of fun.

One of our greatest strengths is our team. We work together every workday, this competition was no different. I can only imagine the stop-and-go speed of competing on a team that doesn’t know each other.

Not the time to learn

This year I spent some time on two things I’ve only spent a couple of minutes on in the past: the Twitter Bootstrap project and Class Based Views. Meanwhile my colleagues spent their time learning about Google authentication and the interim they’re experiencing as they adopt new technologies.

Competition time is definitely not the time to learn new things. It’s just so hard not to. You find yourself inspired and when inspiration strikes all you want to do is strive, learn new things and create.

In the case of Google authentication, it had to be learned.  Our project was dependent on it, as always; it’s amazing what you can do when you have to.

I don’t foresee this habit waning any time soon. If anything I look forward to it. I learned a lot of useful things this weekend and I’m left wanting more. Give me that feeling anyday.

Veering from the original mission

Early Sunday morning we found ourselves having to make a choice: a choice between accumulating more points by submitting more commits and focusing on specific code requirements such as standards and creating tests, or making a product that might actually provide some value to many in the near future.

We chose the latter. The idea of our project actually being useful at more than just collecting points is an honor. With this in mind we refocused and put effort into submitting a finished product that’s worth demoing.

We’ll be demoing our finished 48 hour project to the office and get our first outside perspective. No matter what people say, I’m not-so-secretly wishing we can keep up this momentum and continue improving our project.

What did you build, tell me already!?

Without getting into too much detail – at this point in time – it’s best summarized here. http://theoldmail.com

You can sign up for the site now and take it for a spin. Keep in mind that this was 48 hours of code. You might find some quirks and so-called missing features.

What about the competition?

It’s been said that we get our results some time this week; but as I mentioned before we’re more excited about the project itself and what it can bring to others.

It’s open sourced

One of the rules of the Django Dash competition is that the project itself must remain open sourced. So feel free to take a glance at our code on github.com and fork the code if you’d like to start contributing.

The 2012 Django Dash is This Weekend!

We are happy to be sponsoring and participating in the 2012 Django Dash!

What is Django Dash?

The Django Dash is a 48 hour code marathon starting tonight at 7pm CST where teams compete to produce the best app they can in 48 hours! The winners get prizes from the sponsors (including Tendenci)! We’re supplying $100 gift cards to the top three teams.

The Rules:

  1. Majority in Django
  2. Nothing Gets Built Ahead Of Time
  3. 48 Hours To Build
  4. Max Team Of 3
  5. Your Choice Of Git Or Mercurial
  6. Your Entry Is Open Source
  7. Any Third Party Code Is Fine (But Affects Your Score)
  8. You Must Use Pip Requirements Or Buildout

Our experience last year

We competed last year, our first year ever; with a team made up of Glen, Luke, and myself (Eloy). We built a blogging platform specifically for coders. The niche idea being that we can easily reference github.com code blocks using short codes. This means we spend less time writing blog posts, and more time sharing anecdotal code discoveries.

It’s hard to believe that the project Codrspace.com has lasted the full year and is still receiving updates regularly.

Last year’s experience could best be summed up as fast and fun. Imagine developing but without the meetings, without constant interruptions, and without having the roadblock of approval. Ideas flowing and tangible features being created in minutes. It’s this for 48 hours straight with the occasional break for eating, sleeping, and … other things.

What you come out with, is a product; ideally mostly finished. Not just a conversation, or a thought, but an actual product. That in itself is worth celebrating. A weekend that can easily be filed under productive.

The freedom of developing for fun and not to pay to the bills. The reason you originally started developing; you remember when all you wanted to do was create.

Look for our Team This Year!

Our team this year will be made up of Jenny, JMO and myself (Eloy). Our team name is Jeff Goldblum and we won’t share what we’re building just yet. Check out our progress on http://djangodash.com/teams/c3/jeff-goldblum

More on Django Dash!

Whether you’ll be coding through it or not, follow the latest from Django Dash by following @Tendenci on Twitter and the hashtag #djangodash and on irc.freenode.net.


Tendenci Updates January 19th, 2012

Maintenance Announcement | Planned Website Outage to Upgrade Your Tendenci Database

Sunday January 22nd, 2011 Between 1:00AM and 2:00AM CST:

Some Tendenci Sites will experience a 10 to 15min downtime early this Sunday morning while we upgrade Tendenci 5.0 MySQL Database on client websites.  Please contact us at support@schipul.com if you have any questions.

Check out all of our awesome updates this week on your Tendenci software for association website management!

This update is so big that you might have to clear and refresh your web browser before you can see the changes on your Tendenci website.  We’ve got a great help file from the Schipul website on how to clear your web browser for you:  http://schipul.com/help-files/how-clear-or-bypass-your-browser-cache-5-seconds/.

Our biggest update this week is our addition of the physical location application – enabling your site visitors to search for the nearest physical location of your organization on your website!

Global Settings and Content Management

  • Searches using the Global Search or File Search now include results from PDF documents stored on your website
  • The Directory “Add” link is now visible by anyone with a login account on your website
  • You now have the option to preset tags when adding a story via query string
  • Updated the stories search page to be translation compatible

Custom Forms Module Updates

  • Increased Custom Form titles from 50 characters to now allow 100 characters for titles

Membership Module Updates

  • You can now paginate through subscribers on the group page
  • Graceful degrading when associating a subscriber with an existing account during import.

Physical Locations Module Added to Tendenci 5.0!

  • Tendenci 5.0 now has the physical locations module
  • Site visitors can search your locations by distance located at, all locations, or nearest location
  • Find the “location” application on your Tendenci admin bar to add, edit, and manage your physical locations
  • When a location is added or edited, the latitude and longitude are auto-saved

Tendenci Template and Design Updates

Tendenci Email Newsletter Marketing Dashboard

  • Your Campaign Monitor subscriber lists now automatically sync when subscribers are imported into a group 

Click Here to learn how to improve your email marketing using Tendenci’s Newsletter Marketing Dashboard integrated with Campaign Monitor’s email marketing software and find other resources for email marketing success!

Not using Tendenci for your website CMS? 

Find out all the awesome things Tendenci can do for your Association with our 30-Day FREE Trial.  Then – show us what you can do with your Tendenci website!

Questions about these Updates? 

Hit us up in the comments or over on Get Satisfaction and try out our newest self sign-up version of the Tendenci Software FREE for 30 days!