Hung Truong: The Blog!

  • January 23, 2013

    iOS Photo Editing Controls With A Custom Camera Overlay

    This is one of those blog posts that’s basically for me and anyone else who cares to Google these search terms, so yeah.

I’m currently working on an app that does camera capture. Instead of using the normal Apple control, I’m using a custom overlay. Typically to do this, you do two things: set the UIImagePickerController’s “allowsEditing” property to YES and add your overlay view as the controller’s “cameraOverlayView”. Oh, and you also set the sourceType to UIImagePickerControllerSourceTypeCamera, obviously.

I learned through searching about 10 StackOverflow questions and doing my own testing that the built-in photo editing control only shows up when you show the normal Apple camera controls. So unless you want to do some weird hacking to get your overlay to show up over the normal controls and then have them disappear when the photo is taken, it’s not possible to use a custom overlay and still get the built-in photo editing tool.

    Unless someone wants to correct me…

    The annoying part is this is not captured in Apple’s official documentation (or anywhere, really). So hopefully this blog post helps someone who is trying to use a custom overlay and the built-in Apple photo cropping tool.

  • January 13, 2013

    Pharma Hack Update: Finally Gone

    A good while ago, I wrote a blog post about how my blog was pharma hacked, and I thought I had gotten rid of it. I was actually extremely wrong, and it’s taken about half a year of off/on again fiddling to get rid of the infection for good. I thought I’d write up what I did in case anyone else has issues with this hack.

    In order to remove it, I tried searching for solutions from other bloggers. They got me to a certain point, but after following the directions and letting my blog sit for a week or so, I’d use the Google Webmasters feature to “fetch as Googlebot” and find that my site was reinfected.

    Here’s a step by step summary of what I had to do to finally get rid of the nasty pharma hack.

I downloaded the latest tar.gz from WordPress here and extracted it to my root web directory. My blog lives in the subfolder “/blog/”, so I just moved the wp-config.php file from /blog/ to the /wordpress directory, then renamed the blog folder to something else and renamed wordpress to blog. I found that I’d also have to reset the permalink settings to get pages besides my home page to show up correctly.

My main mistake was copying the wp-content subfolders back to the /blog/ directory. I assumed that the main infected file (wp-loads.php) was the only culprit. It turned out that I also had multiple PHP backdoors in my wp-content directories, in /plugins, /themes, and even /uploads.

I basically had to re-download anything in plugins and themes so that I knew those directories would be fresh. I ran a command to delete anything in /uploads that was a .php file, as that was how the backdoor worked. I believe it was something like

    find /path/to/uploads -name "*.php" -print0 | xargs -0 rm

but you probably want to double check that before running it on your server (the -print0/-0 pair keeps file names with spaces from being split).

    I also noticed that some backdoors existed in the root of my web directory, where I keep my portfolio. If you have other directories besides your blog in your web root, it’s probably worthwhile to check those out.

    At this point I was pretty close to having a clean WordPress install. But for some reason my site would still eventually fall to the pharma hack. I checked my server logs and it looked like someone was modifying header.php in my theme directory from the admin panel. This was pretty surprising because I thought I had my password locked down pretty tight. I am actually still not sure whether the password was compromised, or some other feature in php (or a cookie) allowed the hacker to access the admin theme editor. Either way I’m pretty sure the header.php was hacked to write a new backdoor file which would then create other backdoors. Pretty smart!

To fix this, I put another layer of security on my wp-admin directory with a .htaccess and .htpasswd file. I also updated my password to a 40 character random string that even I can’t remember. Finally, I just erased the file that does theme editing in the admin interface, since I never use it and it seems like a real weak point.

    So far, the pharma hack hasn’t resurfaced and it’s been about two weeks. I’m going to say that I’m slightly confident it won’t return (unless there’s another vulnerability in WordPress that pops up).

    I feel like I learned quite a bit about security while playing whack-a-mole with this hack. I got to look at the backdoor files and figure out how they were hidden and obfuscated, and eventually found what I think was the root of the problem in the WordPress theme editor. I also hacked together some scripts to show recently modified files (hacked together from stuff I found doing some searches). If I end up getting hacked like this again, I’ll probably be able to remove it faster.
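The two checks the post relies on, PHP files under uploads and recently modified files, as an added audit script (not the blog’s own script); the WordPress root, the sample tree and its file contents are constructed for the demo:

```shell
#!/bin/sh
# Added example, not the blog's own script. Audits a WordPress install for
# the two symptoms the post describes: PHP files under wp-content/uploads
# (the backdoor drop location) and files modified in the last N days.
# The sample tree and its contents are constructed so this runs stand-alone.
set -eu

# Constructed sample tree: one planted .php in uploads (with a space in its
# name), one old legitimate upload, one freshly modified theme header.php
# and one untouched old theme file.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2012/07" "$root/wp-content/themes/demo"
  printf '<?php /* planted */\n' > "$root/wp-content/uploads/2012/07/img data.php"
  printf 'GIF89a' > "$root/wp-content/uploads/2012/07/photo.gif"
  printf '<?php /* theme */\n' > "$root/wp-content/themes/demo/header.php"
  printf '<?php /* old */\n' > "$root/wp-content/themes/demo/footer.php"
  touch -t 201201010000 "$root/wp-content/themes/demo/footer.php" \
                        "$root/wp-content/uploads/2012/07/photo.gif"
  printf '%s\n' "$root"
}

# Every .php under uploads is suspect: legitimate uploads are never PHP.
list_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' -print
}

# Files changed within the last $2 days: the post's "recently modified
# files" check, which is how a rewritten header.php shows up.
list_recently_modified() {
  find "$1" -type f -mtime "-$2" -print
}

# Remove the PHP files under uploads. -exec ... {} + hands paths straight
# to rm, so names with spaces survive (an unquoted find | xargs rm breaks).
remove_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' -exec rm -f -- {} +
}

count_lines() { wc -l | tr -d ' '; }

main() {
  root=$(make_sample_tree)
  echo "PHP under uploads:";         list_php_in_uploads "$root"
  echo "Modified in last 7 days:";   list_recently_modified "$root" 7
  remove_php_in_uploads "$root"
  echo "PHP left after cleanup:";    list_php_in_uploads "$root" | count_lines
  rm -rf "$root"
}
main "$@"
```

WordPress also honours define('DISALLOW_FILE_EDIT', true); in wp-config.php, which hides the theme and plugin editors without deleting any core file.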

    For a while, I was considering moving to Jekyll for my blog. But that seemed like a bit too much work moving posts and comments, and learning a new blogging system, especially for how infrequently I blog nowadays. For now, I will stick with WordPress with all of its vulnerabilities, which have hopefully been mitigated with the few extra precautions I’ve added.

  • December 12, 2012

    Winning at Jeopardy

    I just had another dream that felt very real up to the moment when I checked my phone and realized I hadn’t won on Jeopardy. I might need to start up a series on my blog about weird dreams if this keeps up.

    There was a news story on AnnArbor.com yesterday about a local Ann Arbor guy appearing on Jeopardy that I tweeted from my parody account, so that’s probably what fueled this weird dream.

    For some reason I’m on the Jeopardy website, checking out the hall of fame. I vaguely recall having been on Jeopardy. This is cool because my old friend Susan was always trying to get onto Jeopardy and now I can brag to her that I was on it. I investigate further and realize that not only did I appear, but I won! My total winnings amounted to around $21,000 in June of 2011. At this point I’m wondering why I never got the check from Alex.

    The first thing I did was search for “jeopardy” in my gmail (this is also what I do in real life if I need to remember something). This was harder than I expected, because spelling “jeopardy” in a dream is harder than in real life. That only brought up two random emails, so I checked the hall of fame webpage again. It listed that my email address on file was “[email protected].” So apparently a typo was all that stood in the way of me and my prize money.

    The website had an email form to fill out (as well as a fax number) for corrections, etc. I didn’t really question why the public-facing website had so much information on it. As I raced to fill out my correct information “I regret to inform you that you have not paid me yet, and I am the Hung Truong who won back in 2011”, I woke up to the sobering reality that I was never a Jeopardy winner.

    That’s always the hardest moment. Realizing that you didn’t win at Jeopardy, don’t have an awesome dog, etc. sucks. But I guess I can take consolation in the fact that today is a new day where literally anything is possible (except for winning at Jeopardy, obviously).

  • December 10, 2012

    Weird Dream Starring Cameron Diaz and Ellen Page

    I had a weird dream that won’t fit into Twitter, so I might as well write it down here since my blog hasn’t seen much love lately.

    This was the sort of dream where I’m watching a movie. The movie starred Cameron Diaz and Ellen Page as two roommates (or some people living in the same house) who have recently become zombified. Apparently they’re fighting to survive in a dream/cyber world with other people in the same predicament. Now that I think of it, the plot resembles a modern Beetlejuice.

    For some reason, Tina Fey was cast as their PR specialist. In one scene, Page and Diaz dump off Fey at the beach, along with one of their boyfriends. Apparently they don’t want their significant others and family worrying about the fact that they’re zombies now, so they leave without a word. I wasn’t sure how the family didn’t notice the smell (maybe they were being polite).

    If someone can get this green-lighted I’m sure I can fill in the rest of the details.

  • July 22, 2012

    SXSW Panel Idea: Mashups – Noble Bootstrapping or Downright Stealing?

    Some rights reserved by Adam Mulligan

    I checked SXSW today and noticed that the deadline for panel proposals is tonight. I originally wasn’t going to post anything, but I sat and thought for a bit about things I know enough about to propose/speak about at a conference. I remembered the whole craigslist incident and thought it would be interesting to propose a panel discussion about the state of mashups today.

    Some rights reserved by elana's pantry

In the past, mashups were held in pretty high regard. The proper mashup might be able to take two things and simplify a process to critical acclaim. I think in those days, mashups weren’t thought of as startups or businesses, just small tools that people could use. Flash forward to today and sites like Mapskrieg and Padmapper (and others like AirBnB) are being C&Ded for their terms of use violations. Something happened in the startup world that made mashups into a viable threat, which the bigger players did not approve of.

    While the term “mashup” seems a bit archaic now, I think it would be interesting to revisit that term and see what it means today. Take some pioneers of mashing up and some new startups and get them talking about stuff.

    Some rights reserved by 427

In other news, it looks like the Panel Picker requires some kind of “visual resource” like a video or slideshow or something. I don’t see how my proposal could be improved by that (it’s pretty cut and dried), so I’ll probably just link to this blog post and insert a lot of unrelated pictures of things being mashed up. CC licensed, of course.