So what can you do with Unite? Several things, including:

• Share files, including photo downloading and music streaming.
• Host chats with your friends.
• Run a web server for a simple web site.
• Leave or receive notes on your computer.

Unite requires an Opera account, and an alpha build of Opera 10b (Windows, Mac, Linux).

Opera Unite is a local web server, but it interacts with a proxy server. This means that end users don’t need to establish a firewall or set up port forwarding on their machines. They can just install Opera and go.

After starting a service, you can set three levels of access control: Public (open to anyone), Limited (open to anyone with a password), and Private (available to you). With file sharing and web serving, you also control which directory you want to make available.

Once you have made a directory available, you can send the url — in the form of http://computernickname.yourmyoperausername.operaunite.com/ — to your friends. It’s viewable in any browser, including mobile devices.

Don’t be a dummy: be a safe(r) Unite user

As with any service that lets users share their hard drive’s contents, Opera Unite can be a potential resource hog and security hole. Opera got it right by making these services easy to start or stop, and by supporting restricted access via password. Still, it’s up to users to understand how it all works.

For example, I stumbled across one user’s web server directory that hosted PHP files. Unite, however, is a simple and light-weight HTTP server. There is no PHP, which means that everything — including his database configuration details — is being served as plain text.

So there are two lessons learned:

1. Unite is a basic non-Apache server with no modules that means there’s no PHP, Perl, Python, or even server-side includes available.
2. Don’t share directories with sensitive data, and limit the number of directories that are exposed via Unite

Something else to know: Unite ties you in to the My Opera social network and makes other members aware that your services are running.

Is Unite a game-changer?

I think it depends on what the game is.

I don’t think Unite is compelling enough for most users to switch to Opera as their primary browser or to join the My Opera community. But I would not be surprised if it gained some traction with the geek set.

The concept of Opera Unite is pretty powerful. I can see this being useful as an impromptu office file sharing network, or to stream music from a computer at home to another at a friend’s house party.

Keep in mind that Unite also comes with a JavaScript API that supports file I/O (input/output). In a way, Opera is moving us closer to ubiquitous computing and the browser as OS.

And perhaps that’s the real story of Opera Unite: it is now dead-simple to give as much as you get from the web and use the skills you already have to build new tools.

Yeah, as I type this, I’m getting hit with an attack. I’m not precisely sure of the motive. I just know that there are two directories on my server that should not be there and the attack appears to be coming through a specific URL. It’s been happening for several days nowIt just started today, according to my server logs, and the attacker is using / attempting to use PHP functions that interact with the shell.

He was also able to grab a whole bunch of data about my server as you can see from the above-linked code. I have my suspicions about how it is getting through, but nothing I can prove just yet. I’m going to look into it and see what I can come up with.

In the meantime, I’m just going to ask nicely that he (assuming this is a guy) please, please stop, and don’t mess up any of my stuff while visiting.

And please take steps to disable certain system-affecting functions in your php.ini file (if you have access).

UPDATE: This crack appears to involve a ShellBOT as well.

UPDATE 2: ShellBOTs are bad. Apparently they open a connection to an IRC server allowing all kinds of nasty things to happen. So hoping nothing serious was compromised.

UPDATE 3: Interesting to know: when working in the shell, your file name does not need to have the ‘proper‘ extension that it would on a web server in order to be executed.

Let’s say you have a plain text file named ‘hello.txt.’ It contains one line: <?php echo 'hello world';?>. In order for this file to run as a web page, it would need to have a .php (or whatever is designated in your server configuration file). But as a shell script, it could have just about any name and still be executed by typing ‘php hello.txt’ at the command line.

In this case, the attacker grabbed (or attempted to grab) a ShellBOT written in Perl from another server (file name b.txt) and execute it by sending the ‘perl b.txt’ after the wget command.

UPDATE 4: I’m pretty sure my suspicions have been confirmed. It seems that at least one other person has had an issue with WP Super Cache opening their server to attack. I suspected this early on, and deleted the plugin and its associated files. As an added measure, I disabled those functions that can execute system commands. So far, so good. I can’t say my server is now secure, but I’m hoping that hole has been filled.