Please Don’t Pull Up Ragwort

Ragwort is a very attractive plant. When it is left to grow unmolested it can be quite spectacular, reaching a height of several feet, topped by a dome of yellow flowers. It is a native British wild flower, and is important for a variety of insects, including the beautiful Cinnabar moth. Bees love it.

This is a picture that I took of some ragwort at a local nature reserve, Bannerdown Common near Bath. I am not sure what these creatures are, but they were evidently having a good time among the ragwort, it was the insect version of Love Island.

Ragwort at Bannerdown Common

Unfortunately the plant has developed an unfairly bad reputation, to the extent that some people take it upon themselves to roam about the countryside casually uprooting it. I have seen several examples of this recently. This is in fact illegal behaviour, as well as being pointless, ignorant and wantonly destructive.

Near to where the above picture was taken, I found this:-

uprooted ragwort found at Bannerdown Common nature reserve.

This was only one of several examples.

The excuse given is that ragwort is toxic to horses. I don’t have a horse, but if I did, I would certainly want to protect it from something that might poison it. That’s perfectly reasonable and what any responsible horse owner would want. The thing is, though, horses don’t like the taste of fresh ragwort so will normally avoid it where it is growing. It is only when ragwort is dried and mixed with other plants in hay that horses will actually eat it. So the answer is to be careful what you feed your horse. The rational way to do this is surely to make sure that any feed that you give your horse comes from a reputable supplier who takes care to exclude ragwort.

What makes absolutely no sense is to wander the countryside pulling up a native wild plant, or encourage others to do so. One of the worst examples that I have seen recently was at East Harptree woods nature reserve, where I took this picture of Cinnabar moth caterpillars feasting on ragwort.

Cinnabar moth caterpillars feasting on ragwort

Sadly nearly all the nearby plants had been uprooted, so there will not be many of them maturing this year. The most ludicrous aspect of this is that no horses graze there, and horse riding is expressly forbidden at East Harptree, so no horse was ever going to go near them. It is just utterly pointless vandalism.

So please don’t pull it up. You are not helping horses, and you are committing criminal damage if you do. Why not do something for nature instead and grow it in your garden? It’s a lovely plant and deserves protection.

 

Countering the Idiocracy

I was struck by this item of news recently, about the fact that Macmillan, the well-known cancer charity, have appointed someone to counter the myths about cancer being promoted online (see http://www.bbc.co.uk/news/health-41780776). It is sad that this is necessary, but it surely is. This is a subject that affects me personally, because I have had cancer twice. It was my experience that mentioning this in conversation acts as a kind of beacon for the deluded: like the well-meaning person who insisted on telling me about the woman in Bristol who had “cured herself” of cancer (presumably she also diagnosed herself in the first place); or the person who solemnly assured me that it could be cured with lemon peel.

I decided early on in my treatment that I would ignore the idiots, and accept that the doctors treating me were exactly what they seemed to be: humane and intelligent people, who would not recommend a treatment unless it was actually likely to be of real benefit. So I had surgery, and chemotherapy and radiotherapy, and yes, it is quite brutal, it is not an experience that I would recommend to anyone looking for a laugh. But the thing is that it actually works, and I am still here several years later.

Of course it is not a new thing that some believe that their ill-considered opinions are as valid as those of people who have spent years of their lives studying and researching a subject. But it is only recently that the internet has given them such a powerful platform, so at least the harm that they could do was more limited in the past. There is something particularly pernicious about promoting myths about cancer, it can quite literally kill people who are gullible enough to believe them. I have noticed that those who do so, while being all too quick to condemn “Big Pharma”, usually gloss over their own interests in promoting dubious “cures”.

There is no conspiracy among doctors and drug companies to suppress some safe and “natural” cure for cancer, whether it be vitamin C, or green tea, or magic beans or whatever. Why? Conspiracies just do not work because most people are absolutely terrible at keeping secrets. And the biggest reason is because doctors are human beings too, they get cancer too, and so do their husbands, wives, lovers, parents, children, brothers, sisters and friends. If such a cure existed they would want it to be developed, and would want to use it.

I called this post “Countering the Idiocracy”, but in truth I don’t know what the solution is. I still think that the internet is (on the whole) a force for good, and that there is no morally acceptable way of preventing idiots from having access to it. I think that the best thing that we can do, at least on an individual level, is to try not to be one.

And don’t be these people: http://www.thebeatlesneverexisted.com/

Painting: Broadmoor Lane, Bath

This is a painting of Broadmoor Lane near where I live in Bath, where I often walk the dog.

One of the good things about Bath is that it is very compact, it only takes a few minutes’ walk from the city and you are in open countryside and farmland. This is working farmland, there are often cows in the lane.

Painting – Kennet and Avon Canal

I’ve finally got around to doing some more painting recently.

This is the Kennet and Avon canal near Limpley Stoke. I was trying to capture the patterns of intense light and shade caused by the sunlight falling through the trees.

Kennet and Avon Canal near Limpley Stoke

Canal near Limpley Stoke

 

It’s not 100% successful but I think I did manage to get the feeling of walking down a tunnel of trees that you get along the canal. It’s a lovely place to walk and was particularly magical on the day last autumn on which this picture is based.

I am also pleased with the colours. I did try and paint the canal once before, it ended up looking very brown, which I avoided this time.

 

How to Deal with Mean People

Some time ago I had the novel experience of being abused on social media by a member of the Joomla! community (novel for me anyway, although I think not that uncommon in the Joomla world). It was a bit of a surprise, mainly because I don’t normally bother much with social media.

But unfortunately one of my previous blog posts went unexpectedly viral and clearly annoyed this person. At the time I was a bit shocked and upset at his response. I did think about responding in kind, because actually I enjoy insulting people as much as the next person when they are the ones that start it. But really I could not foresee anything good coming out of exchanging insults with him.

Then I realised something important: I actually just did not care.

I regard this as real personal growth: there was a time when I was abnormally sensitive and probably would have been crushed at someone saying mean things about me. It’s a huge relief, to realise that actually I don’t really care very much any more about what people think or say about me.

What I mainly put it down to is this. I have had cancer twice in the last four years. That’s an actual problem, it is something that matters. I don’t bang on about it, because it is private, but dealing with it has been really tough. But I have, and I am OK.

By contrast, a civilly-challenged person abusing me on social media matters very little. I have no intention of identifying him by the way, I really am over it. I do not even feel any ill will towards him.

So my advice on how to deal with mean people is this: if you find yourself caring about what someone says about you on Twitter, Facebook, Reddit or whatever – just get a grip. It is not important. Go and do something that does matter: hug your children, or your spouse; take the dog on a lovely long walk; go out and have tea and cake with a good friend; paint a picture; play an instrument. Do anything that expands your life rather than contracts it.

There are a few people in the Joomla community who unfortunately seem to think that it is OK to indulge their own feelings of frustration by abusing others on Twitter and elsewhere. They are wrong, it is not. But they are like the mean kids at school, my mum always told me to just ignore them, and she was right.

 

Improving Quality Control in Joomla Code

Since writing my previous blog post, in which I explained how a coding error had protected older versions of Joomla from the serious security vulnerability which was patched in Joomla 3.6.4, my friend Bernard Toplak has been doing some research into how it came about that the coding error in the vulnerable user controller was fixed.

It seems that a user called lecoeurlou joined Github on 30 August 2015 and submitted a patch for the faulty function call to $model->validate() to the Joomla CMS project that same day. The patch was accepted without question, and the account has never had any activity on Github since.

You can see the activity here: https://github.com/lecoeurlou?tab=overview&from=2015-11-01&to=2015-11-30&utf8=%E2%9C%93

Now this may in fact be innocent, but to my mind it is at least possible that someone had noticed the potentially vulnerable controller in the code, had experimented with it and found the coding error. Then they realised that if they could quietly fix it, they could open up a critical vulnerability in one of the world’s most popular content management systems, which they could then exploit.

I think that the lesson is that there needs to be more quality control on patches submitted through Github, because unfortunately there clearly is scope for a malicious actor to wreak havoc.

Update

Since I wrote this yesterday, I have been astonished at the level of interest. I expected it to be read by a dozen people at most, and to provoke no reaction whatsoever. Instead it seems to have been read by several thousand people and to have annoyed quite a few of them.

But there was a serious purpose to the article: when something goes seriously wrong, then I think it makes sense to look at why it happened rather than burying our heads in the sand, carrying on as normal and pretending it can’t happen again.

I will deal quickly with a few of the points that have been raised:-

Firstly, I am definitely not trying to point the finger of blame at any individual. I have no idea whether lecoeurlou is an evil genius or just a helpful person trying to fix some code. The problem is that we have no way of knowing.

Secondly, I am not suggesting any kind of conspiracy. Frankly it hardly required a conspiracy. If the code patch was malicious, it was far more likely just opportunism.

Thirdly, yes I really did think of saying all this by myself, I am not being used by anyone.

I am saying it because I think that it matters. Open source software is a wonderful thing, and so is the Joomla project. I would like to see it thrive. But I think that is more likely to happen in the long run if we are honest with ourselves about what the problems are.

I don’t know what the solution is. I certainly don’t want to discourage anyone from contributing to an Open Source project, quite the contrary. But we are really kidding ourselves if we think that every single person who does so does it from the purest motives, because that I am afraid is just not human nature.

I think that these are issues that need to be discussed, and if I have upset a few people by encouraging that then I can live with it, though that was not the intention.

Joomla Security Release 3.6.4: Breaking the Code by Fixing It

Many people will have noticed (including a lot of bad guys) that there is a security release of the Joomla! content management system.

Previous versions contain a vulnerability which allows a malicious person to register a user account on a Joomla site by carefully crafting their own html form, even when user registration has been turned off, and also to manipulate the user group. This is done by accessing a vulnerable controller in components/com_users/controllers/user.php, which includes a register task that does not check the site configuration or properly validate the data.

The controller has been around since Joomla 1.6, so it has left a lot of people wondering if older versions of Joomla are vulnerable, such as 2.5 which is still widely used. In fact the good news is that older versions are not.

If you try to submit a crafted html form to a Joomla 2.5 site, you get the following fatal error:-

Warning: Missing argument 2 for JModelForm::validate(), called in components/com_users/controllers/user.php on line 114 and defined in /libraries/joomla/application/component/modelform.php on line 258
Fatal error: Call to a member function filter() on a non-object in /libraries/joomla/application/component/modelform.php on line 261

Or something similar depending on your exact version. The reason for this is that the user controller includes a coding error: it uses

$return = $model->validate($data);

instead of

$return = $model->validate($form, $data);

so that it fails because the data object is null when the model is called to register the user.

Then in Joomla 3.4.4 someone helpfully fixed the coding error in the controller without asking themselves what on earth the controller was doing. I am sure they meant well, I think it would be unfair to blame only the person that fixed the code, these things are supposed to be tested. But still, it opened the CMS up to a serious vulnerability.
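
The sequence described in this post, as a toy model added here for illustration; it is not Joomla's code. ToyForm, ToyModel and the three register functions are hypothetical stand-ins, the request and configuration values are constructed, and allowUserRegistration and new_usertype are assumed to be the relevant com_users options. It assumes PHP 7.4 or later, where the wrong call raises an error instead of the PHP 5 warning and fatal error quoted above.

```php
<?php
// Toy model of the register task; every name is hypothetical, not Joomla's code.
final class ToyForm {
    // Keep only the fields the registration form defines.
    public function filter(array $data): array {
        return array_intersect_key($data, array_flip(['username', 'email', 'groups']));
    }
}

final class ToyModel {
    public array $users = [];
    public function validate(ToyForm $form, array $data): array {
        return $form->filter($data);
    }
    public function register(array $data): void {
        $this->users[] = $data;
    }
}

// 1. Older shape: validate() called without the form, so the task dies early.
function registerBroken(ToyModel $m, ToyForm $f, array $post, array $cfg): string {
    try {
        $m->register($m->validate($post));
        return 'registered';
    } catch (\Throwable $e) {
        return 'fatal';
    }
}

// 2. Call corrected and nothing else: the site configuration is never read.
function registerFixedOnly(ToyModel $m, ToyForm $f, array $post, array $cfg): string {
    $m->register($m->validate($f, $post));
    return 'registered';
}

// 3. Call corrected plus the two checks the task lacked.
function registerHardened(ToyModel $m, ToyForm $f, array $post, array $cfg): string {
    if (empty($cfg['allowUserRegistration'])) {
        return 'refused';
    }
    $data = $m->validate($f, $post);
    $data['groups'] = [$cfg['new_usertype']]; // group comes from config, not the request
    $m->register($data);
    return 'registered';
}

// Constructed sample: registration disabled, request asks for its own group.
$cfg  = ['allowUserRegistration' => 0, 'new_usertype' => 2];
$post = ['username' => 'test', 'email' => 'test@example.org', 'groups' => [99]];
foreach (['registerBroken', 'registerFixedOnly', 'registerHardened'] as $task) {
    $model = new ToyModel();
    $result = $task($model, new ToyForm(), $post, $cfg);
    printf("%-18s %-10s users stored: %d\n", $task, $result, count($model->users));
}
```

The first variant stores nothing only because it crashes, which is why a test asserting that registration is refused when disabled would have caught the second variant.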

Web Security: An Example of How Not To Do It

Quite a few news sites are reporting this story at the moment, about hackers hitting online stores using the Magento E-commerce system: http://www.bbc.co.uk/news/technology-37643754. The reports seem to originate from this site https://www.magereport.com which has been set up to help owners of Magento sites scan for vulnerabilities in their store for free.

A nice idea you might think, and it is. The problem is that those behind the site don’t really seem to have given much thought about verifying who is doing the scan. Anyone can use it. It is easy to find sites that use Magento online, for example Googling ‘inurl:/checkout/cart/’ will bring up a nice crop. Then run the scan, it will bring up a nice handy guide to what vulnerabilities the site suffers from.

The makers excuse themselves by saying:

The MageReport tool only tells you what is wrong, not how to exploit it

However this is really not good enough in my view, once you know what the weaknesses are, it is the work of a minute or two to find the exploit online, my dog could do it.

The only way to protect against this is apparently to block the “magereport” user agent in the site robots.txt file. I would suggest that owners of Magento sites do this, but if site owners do not know that they have vulnerable software on their site, are they really going to know that they should do that?

New Painting: The Hills Near Bath

This is a new painting of the hills near Bath.

The hills near Bath at evening

The thing about Bath is that it is surrounded by hills, so nothing necessarily extraordinary there. What I particularly liked about this view was the colours of the early evening in winter. The leafless trees have a rather ghostly, ethereal shape, which made it an interesting scene to paint.

The picture above is in oils. Before I began it, I tried a sketch in oil pastels:-

Bath hills, in oil pastels

The sketch concentrates on the broad shapes of colour, and light and shade, and was quite successful I felt. I don’t always make a sketch before beginning a painting, but I do find it helpful sometimes. In this case it encouraged me to paint the scene.

Some recent paintings

Some new pictures that I have completed in the last few months.

View of Weston

This painting (in oils) is a view of Weston (where I live), from the nearby hillside. It has some good points, although I don’t feel that the colours all work. They individually make sense, but somehow don’t quite come together.

Lake view

I actually prefer the background in this picture, I kind of wish that I had left the foreground out, and kept it as an atmospheric view across a misty lake.

Roses

Well, it is a picture of some roses. I actually like it more than I expected to. I like flowers, but it is difficult to paint them in a way that does not look a bit twee.

Moonlight

This is another of my brooding, Bath at night pictures, and is my favourite of my recent pictures. I was trying to get the effect of moonlight and also illumination by streetlight on a row of houses, I think it works very well, there is a nice contrast between the warmth of reflected streetlight on the houses, and the much colder light of the moon.