It turns out that there is a limit to the number of domain aliases you can have. For our account, the limit seemed to be set at 20 domain aliases. After contacting Google, and asking them to raise it, I was told that the maximum number of domain aliases is tied to the maximum number of nicknames per user, which in our case was set to 30.

The more domain aliases you have, the less nicknames you can have, and vice versa. This makes sense as every nickname becomes a valid e-mail address for every domain alias. So if they allowed too many they’d quickly end up with a huge amount of potential e-mail addresses to manage.

The golden rule seems to be:

Max Domain Aliases multiplied by the Max Nicknames Per User must not exceed 600

Therefore, you could have the following rations:

- 6 domain aliases and 100 nicknames per user
- 10 domain aliases and 60 nicknames per user
- 20 domain aliases and 30 nicknames per user
- 30 domain aliases and 20 nicknames per user
- 60 domain aliases and 10 nicknames per user
- 100 domain aliases and 6 nicknames per user

Looking through our 26 user accounts, I could see that only 2 of them had more than 6 nicknames. Initially, I thought this would rule out an increase to 100 domain aliases – but it appears that groups can be used to achieve pretty much the same effect.

Some testing revealed that groupname@primarydomain.com also received e-mails to groupname@aliasdomain.com, and so works in a similar way to a nickname.

So my next task is to remove some of the nicknames and replace them with groups. I should then be able to increase the domain alias count and migrate the remaining domains across!

To get it working with iChat you simply follow these steps:

1. Navigate to iChat > Preferences > Accounts
2. Click the plus icon in the bottom left hand corner, to add a new account
3. Select Jabber as the Account Type
4. Enter username@chat.facebook.com in the Account Name (where username is your facebook username).
5. Enter your facebook password in the password box.

And that’s it!

Facebook has some instructions on how to set up other popular clients here.

So here’s my wish list for our next government:

• All government spending and contracts should be published openly, and available for anyone to download as raw data. The only exception should be staff salaries, which I would consider personal information. Each department should publish their total wage bill, and the number of staff they employ so that the average wage can be seen. Currently, nobody, not even the opposition, may scrutinise government spending on certain large contracts – so no-one knows the true extent of our nations commitments. Commercial confidentiality is often cited as an excuse not release such information – in my opinion, if you are a business who deals with government – you should  accept that your contracts will be public knowledge.
• All Ordnance Survey and Postcode data should be open and free. There should be a central, authoritative address database that anyone can use. I strongly believe that freeing up all this data will encourage a huge amount of innovation and bring economic benefits of several orders of magnitude bigger than the cost to the public purse.
• Prevent any bank or business from becoming too big too fail. If a business is too big too fail, it’s too big. It’s not fair to privatise the profits, and socialise the losses, therefore these businesses should be broken up.
• Pay back the national debt. It’s not a good strategy for individuals or governments to consistently spend more than they earn. Nor is it fair that every child in the UK is born with £30,000+ of public debt. Let’s try to boost the economy through sustainable activities rather then borrowing from the next generation.
• Simplify the tax system. The current system is hideously complex and inefficient. Surely we could save some money by simplifying things. Do tax inspectors really add much value to society? Couldn’t we redeploy most of them as Doctors, or scientists instead? (Or indeed any other job!)
• Encourage entrepreneurship. Cut back on the amount of paperwork (red tape) that businesses must complete.
• Streamline public procurement and encourage small business to bid for contracts. Let’s make it easier for small business to compete to provide products and services to the government.

What are you wishes for the next government? Add a comment to this post!

General

• Private limited companies no longer need to have a company secretary.
• Private limited companies are no longer required to have an annual general meeting (AGM).
• There are new standard company constitution documents (memorandum and model articles of association). The model articles replace Table A as the new default articles.
• Companies are no longer be required to specify their objects on incorporation.

Company Directors

• Director’s general duties have been formally codified in law.
• Company Directors are no longer required to publish their residential address for all to see.  They may opt to provide an additional service address for correspondence, which can be the same as their company’s registered office address. A residential address must still be given to companies house, but this will only be shared with selected 3rd parties (certain public bodies, and credit reference agencies).
• Company Directors must now be at least 16 years old.

Accounts and Reports

• The statements that appear on a company’s accounts have changed.
• The accounts filing deadline has been reduced from 10 months to 9 months for private companies, and 7 months to 6 months for PLCs.

Members / Shareholders

• Companies are able to make better use of electronic communication to communicate with shareholders.
• It’s no longer as easy for external parties to demand to see a company’s list of shareholders. Interested parties must declare their name, address, and the purpose of their request. It must be for a “proper” purpose – whatever that means! A company can apply to a court to reject the request.

Forms

• Lots of the companies house forms have been redesigned / renamed with much more logical names. Rather than being named after the section of the companies house act that describes them, they are named after their purpose. For example, the Annual Return is now Form AR01 rather than Form 363. The relevant law sections are now referred to within the body of the form.
• Companies must now complete a Statement of Capital when they are first registered, whenever share capital changes, and every year when they file their annual return. This is a snapshot of the companies share capital at a given point in time, and also gives details of voting and dividend rights for each share.

Companies House is holding a number of seminars to help businesses understand the implications of the new Companies Act. They will also give some demonstrations of how to use the web filing system to file forms online. You can book a place a the seminar online and, at the time of writing the next ones available are:

Basingstoke
Holiday Inn Basingstoke, Grove Road, Basingstoke. RG21 3EE
Thursday 11 February 2010 at 9.30am and 2.00pm

Norwich
Holiday Inn Norwich, Ipswich Road, Norwich. NR4 6EP
Thursday 11 March 2010 at 9.30am and 2.00pm

Clear Books integrates with a number of Government APIs, including:

• Companies House WebCheck – Lets you purchase official documents (annual accounts, annual returns, director appointments, share allotments) that have been filed for most companies registered in England & Wales.
• Online VAT Filing – Allows you to generate and file VAT returns online. Also allows you to pay by direct debit, so no need to send a cheque in the post.
• Online CIS Filing (coming soon) – A feature specifically for the Construction Industry – this lets you file monthly CIS300 returns and verify sub-contractors from within Clear Books.

In the future we plan to add a number of other services, such as:

• Online Filing with Companies House – File your annual return, annual accounts, and other forms electronically.
• PAYE forms filing with HMRC  - File P14 , P35 , P45, P46 etc online.

We have also made a lot of our code available as open source under the php-govtalk project, so if you are interested in collaborating with us – we’d love to hear from you.

1)  If you haven’t already, download and install VirtualBox.

2) Download the Askozia disk image that you want to use. I’m using the latest Linux port release at the time of writing (r1161)

3) Uncompress the image, and then convert it to a Virtual Disk Image

gzcat askozia-pbx-generic-pc-x86-i486-uclibc-r1161.img > test.img
VBoxManage convertdd test.img test.vdi --variant Fixed

4) Load up VirtualBox and create a new virtual machine. Use whatever name you want, and select “Other” as the operating system. Allocate some memory (I used 256MB), and then choose the virtual hard disk that you created in the previous step as the boot hard disk (primary master). Click Finish.

5) Select your new virtual machine and go to Settings > Network. Specify Intel Pro/1000 MT Desktop, Bridged Adapter, and then en0: Ethernet in the three drop down boxes. Click OK to save. This will join the virtual machine to the same network as your host machine is on. We have DHCP configured on our network, so the virtual machine should pick up an IP address from that.

6) Start your virtual machine.

Once the virtual machine has loaded it should tell you what IP address it has been assigned at the terminal. You can then access the control panel from a web browser by going to that IP address using admin/askozia as the login details.

In this post I am going to look at ways you can tell if your blog has been hacked, suggest some ways to fix it, and then discuss techniques to prevent being hacked again.

Before we start, the most important thing you can do to prevent being hacked in the future is to regularly update your blog software. The easiest way is to use subversion. I’ve written how to upgrade your blog with subversion in an earlier post.

Symptoms

So firstly, you’ll probably want to find out if your blog has been compromised. There are a few things to look out for:

Unauthorised Admin Users

Disable JavaScript in your web browser, then navigate to the Users page in the WordPress admin panel. If you see some additional administrator users there that you didn’t expect, you have probably been hacked. They sometimes use an e-mail address like www@www.com

Strange Files in the Uploads Folder

Strange files may also appear in your WordPress uploads folder, including ones that have hidden PHP code inside them (try grepping for “events or a cale” or php).

grep -R -l "php" wp-content/uploads/

The files might have random names like:

faceboutique-spot-less-150×150.bak.php
mandseyeshadowpalette.bak
cliniqueblusher_old.jpeg
.wp-cache.cache.php

The uploads folder is writeable by apache, so hackers use this area to save malicious code to your server. They may then include such code as a plugin.

Strange Records in the Database

Check for suspicious data in wp_options by running the following queries:

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE 'active_plugins';

Hackers use the plugin system to include their rogue scripts. You may see some strange files being listed as a plugin. You can delete this row and manually re-activate any plugins via the admin.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  'permalink_structure';

This will show you the permalink structure – the most recent vulnerability modified this so look out for anything abnormal.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  '_transient_rewrite_rules';

You can delete this row if it exists (it should be rebuilt dynamically)…. it may contain cached

SELECT *
FROM wp_posts
WHERE post_content LIKE  '%iframe%' OR post_content LIKE  '%noscript%' OR post_content LIKE  '%display:%';

This will look for posts that contain iframes, or hidden links.

Fixing a hacked WordPress Installation

The cleanest way is to re-install WordPress, re-import your posts and comments via the import tool and then to copy in any files that you know are safe…

• Back up your database and site code.
• Export your posts, comments, tags and categories in a WordPress WXR File (Tools – Export).
• Set up a new mysql database, username and password. Ensure the user only has access to the WordPress db.
• Install a fresh copy of the latest version of WordPress (with the correct permissions), and configure it to point at the new db.
• Delete any files that include PHP from the uploads folder.
• Import your posts, comments etc from the WordPress WXR XML file. There is an option to get WordPress to fetch image uploads, but I haven’t had that much luck with this. To get it to work, you will need to install your new blog in a parallel location so that it can access the old blog. When I tried, it seemed to grab the files, but not update the location urls in posts, thus requiring a script to update the urls in the db. Instead, you might find it easier to just copy your uploads folder across – but they won’t then show in the media gallery. Neither route seems ideal!
• Re-install your themes and plugins.
• Move the old blog to a location outside your web root as a backup, or delete it all together.
• Set up new WordPress users with secure passwords.

It’s not a fun job!

Securing WordPress

• Ensure you have the right permissions set on your WordPress scripts. Only the uploads folder should be writeable by the web server.
• Use a separate database, db username and db password for WordPress.
• Add an additional layer of authentication above the WordPress admin area, e.g. http authentication in Apache. NB: When I did this, it seemed to stop uploads from working with the flash uploader (gave a HTTP ERROR), so I had resort to using the basic browser uploader.
• Some people also recommend removing the default “admin” user, and setting up an administrator with a new name – to make it harder to brute force crack your passwords.

Further Information

Here’s some of the pages I read while researching this article….

• http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/
• http://groups.google.com/group/google-reader-troubleshoot/browse_thread/thread/39a7eef288c65dd0/c057b39d2f6e7455?pli=1
• https://support.mayfirst.org/ticket/2291
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• http://www.teohuiming.name/blog/wordpress-exploit
• http://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/

We’ve also released this as a wordpress plugin. You can install it via subversion if you prefer using the instructions below.

Installing the WordPress Plugin via Subversion

From the command line, navigate to your WordPress plugins folder and then edit the svn externals for the folder.

cd wp-content/plugins/
svn propedit svn:externals .

This should open the file in your favourite text editor (I use vim). You should add a line like:

futube http://svn.wp-plugins.org/futube-video-player/trunk/

Save and exit, then run:

svn update

At current prices, an installed 2 KW PV system costs around £12,000 (£6 per installed watt), and it’s estimated you would save / earn around £830 a year with the new subsidy (15 year pay back, 6.9% return). There is also currently a £2,500 grant available (expiring April 2010) which would bring the overall cost down to £9,500 (12 year pay back, 8.7% return).

This estimates are based on electricity costs of 13.95p / KWh (which is also roughly what I am currently paying with EON on their online saver tariff once you’ve averaged out the various rates and daily fees).

It’s very likely that over time electricity prices will rise, especially in the UK where we have not built enough capacity to replace our Nuclear plants as they shut down. As prices rise, the effective ROI will increase, but for this to become really popular I think we need to see returns of closer to 20%.

The government is also considering green mortgages, where you would be lent up to £10,000 to make energy efficiency improvements to your house (such as double glazing, energy efficient white goods, insulation), and then this would be paid back via your electricity bills – the cost of which should be covered by the savings you make. The charge would be against the property rather than the owner, and so would be transferrable if you move house in the future.

GovTalk is a set of standards for interacting electronically with government services.

In the future we will extend the class to work with individual government API’s such as Companies House, and HMRC. This will then be used on a number of projects, including our online accounting product, Clear Books.

We welcome contributions from other developers in the community, so if you want to help please contact any of the project admins.