May 15 (14)

[P]sychological evidence suggests that it is close relationships, a meaningful life, economic security, and health that contribute most to well-being. While there are marked improvements in happiness when people at low levels of income earn more (as their economic security improves and their range of opportunities grows), as incomes increase this extra earning power converts less effectively into increased happiness. In part, this may stem from people’s tendency to habituate to the consumption level they are exposed to. Goods that were once perceived as luxuries can over time be seen as entitlements or even necessities.

By the 1960s, for instance, the Japanese already viewed a fan, a washing machine, and electric rice cookers as essential goods for a satisfactory living standard. In due course, a car, an air conditioner, and a color television were added to the list of “essentials.” And in the United States, 83 percent of people saw clothes dryers as a necessity in 2006. Even products around only a short time quickly become viewed as necessities. Half of Americans now think they must have a mobile phone, and one third of them see a high-speed Internet connection as essential.

Emphasis mine. From the State of the World 2010: Transforming Cultures. They also have a nice, WordPress-powered blog. (A necessity.) You can see the context of the quote in Google Books.

Jan 13 (27)

Facebook McAfee

Filed under: Open Source

Facebook is offering its users a 6-month free trial of McAfee and promoting it heavily, and even forcing people to run a scan before they can reactivate a hacked account. They’re “not aware of another free Internet service that takes this much responsibility for helping people keep their accounts secure.” (Didn’t Google promote McAfee through Google Pack at one point?) I think this is a laudable step (more security is intrinsically good), but I have to suspect this is more about revenue than security. They will probably make many millions of dollars from their users installing or buying McAfee as a result of this.

Modern versions of Windows include free tools like Defender which are just as good and appear to have less of a performance impact on the computer. But if they really wanted to have a long-term impact on the desktop as a vector for attack on web services, I’m surprised they didn’t start, sponsor, or promote an Open Source equivalent of McAfee. This seems like a space very well-suited to address with an open-source tool in the digital commons, much like a Windows anti-spyware equivalent of SpamAssassin, with self-updating rules and a completely transparent process.

Apr 14 (115)

SecurityFocus SQL Injection Bogus

Filed under: WordPress

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis in fact there is, the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sift through them to see what’s valid and what isn’t.

A valid security report looks like this: it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy; you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well on what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

(more…)

Dec 29 (3)

The Airport Security Follies. “And rather than rethink our policies, the best we’ve come up with is a way to skirt them — for a fee, naturally — via schemes like Registered Traveler.”

Nov 27 (82)

The Register is reporting that Al Gore’s climate change site was hacked. I looked at his WordPress blog and it’s running version 2.0.4, which was released in July of 2006, about 16 months ago. I wonder if these people want to upgrade but just need help, and if there’s something we as a community could do to assist them? Like install4free, but for upgrades. What’s unfortunate is that people see this as an indicator of WP security; they’re judging us by bugs that have been fixed for more than a year.

Aug 17 (44)

I just found a pocketknife in my laptop bag. This is not unusual, except I remembered that I must have taken it with me both to and from Houston earlier in the week, passing through security both times with a 2-inch blade in my bag. This happened once before, but was caught on the return flight. In total, I have passed through airport security at least 4 times with a forgotten pocketknife, and only once did they stop me. A 25% hit rate? That’s just going to frustrate me more next time I’m standing in a security line for an hour.

Jul 16 (65)

Price of Freedom

Filed under: Ask Matt, Essays

I got asked an interesting question today:

The only thing why (at least) I encode the footer is to prevent people from removing my designer link. I usually spend around 6 hours designing the graphics and coding the theme and some people simply take my link off and some of them even dare to write that the theme was designed and coded by them! How would you feel if someone took your WordPress script (since it’s free) and said they made it? Wouldn’t you like to bite their head off?

The response became too long for a comment, so here it is:

Kate, thousands of people every day remove the WordPress link, or my link, or search and replace the WP logo with their own and redistribute it, use it to spam, distribute hate speech, or any number of awful things you can imagine. So why have hundreds of people spent thousands of hours working on it?

Though the freedom intrinsic in the GPL has allowed people to abuse WordPress, it has allowed even more people to do amazing things, and over time the good far, far outweighs the bad. Most importantly, I feel like WordPress would never have gotten off the ground if it hadn’t been open from the beginning. (In fact there were several more functional blogging programs started around the same time that have since withered away.)

Ultimately I know our software isn’t going to change anyone’s spots. Good people will do good things with it, and bad people will do bad things with it — regardless of any protections I put in place. Windows Vista, a multi-billion dollar enterprise, was cracked within days. Does any piddling encoding I can do in PHP really matter? If protection like that isn’t broken, it’s a statement of popularity, not security. I suppose I could harass the bad guys, shut down their host, send them scary letters, but it’s just going to stress me out and like cockroaches they’ll pop up someplace else. I also know that most projects, software, and ideas die from obscurity, not piracy.

If you accept that bad people are going to be bad, then the real question becomes how you maximize the effect of the good instead of treating them just like the bad. (No one likes to be treated like a criminal.) In my brief experience, here are three things that work:

  1. Give people the tools they need to succeed. This can be interpreted on a lot of levels, but personally I’ve found at the most base the freedoms provided by the GPL and other open source licenses are incredibly empowering.
  2. Celebrate the successes. Talk, connect, promote, and embrace the people who are creating things on top of your creation. (The best revenge against someone doing something bad is helping create something awesome.)
  3. Provide a way for people to choose to help you, and try to remove as much friction from that process as possible. Now that you’ve ignored the bad people and delighted the good, by their very nature they’ll want to give something back.

The success stories around this model are numerous and growing every day. People can and do rip off the entire Wikipedia, but it’s still become one of the top ten sites on the internet and a marvel of what can happen when you let go. (Not to mention it is run entirely on open source software.) WordPress itself was built on top of a pre-existing GPL product called b2/cafelog. Anyone can run the software behind our hosted service WordPress.com and create competitive sites, and many have, but it hasn’t hurt us one bit. Linux, GNU, and the thousands of related desktop projects have taken a bit longer than folks had hoped, but the impact they’re having, especially on emerging economies, is dramatic. The list goes on and on. It’s not hard to join the movement, but first you have to figure out who you’re fighting, who you’re trying to help, and if the price of freedom is something you’re willing to embrace.

Jul 13 (103)

On PHP

Filed under: Essays

PHP.net has announced that they will stop development of PHP4 at the end of this year, and end security updates in 2008-08. (In 2007, their site still doesn’t have obvious permalinks. They do have an RSS 1.0 feed though, remember those?)

PHP 4.0 was released in May of 2000; by 2004, when the first version of PHP 5.0 was released, PHP 4 had achieved complete dominance and was completely ubiquitous in both script and hosting support.

Fast forward 3 more years and PHP 5 has been, from an adoption point of view, a complete flop. Most estimates place it in the single-digit percentages or at best the low teens, mostly gassed by marginal frameworks. Even hosted PHP-powered services which have no shared-host compatibility concerns, like 30boxes, Digg, Flickr, and WordPress.com, have been slow to move, and when they do it will probably be because of speed or security, not features.

Some app makers felt sorry for PHP 5 and decided to create the world’s ugliest advocacy site and turn their apps into protest pieces at the expense of their users. (Hat tip: Mark J.) They say “Web hosts cannot upgrade their servers to PHP 5 without making it impossible for their users to run PHP 4-targeted web apps,” ignoring the fact that there isn’t a released PHP app today that isn’t PHP 5-compatible, and that recent upgrade issues have been caused by PHP itself in point releases. (See WP#3354.) It’s easy to always promote the newest thing, but why, and is it for us or our users?

Now the PHP core team seems to have decided that the boost their failing product needs is to kill off their successful one instead of asking the hard questions: What was it that made PHP 4 so successful? What are we doing to emphasize those strengths? Why wasn’t PHP 5 compelling to that same audience? Are the things we’re doing in PHP 6 crucial to our core audience or simply “good” language problems to solve? Will they drive adoption? How can we avoid releasing (another) PCjr?

I wonder if PHP 5+ should be called something other than PHP. A unique name would have allowed the effort to stand on its own, and not imply something that’s an upgrade from what came before when in many cases it’s just different, not better, from an end-user perspective. Continue to maintain PHP 4 as a kind of PHP-lite. Make it harder, better, faster, stronger.

For all the noise though, this isn’t a big deal. It’s easy to forget that PHP 4 hasn’t had any real innovation in the past 3 years while at the same time apps and services built on top of it have created some of the richest and most compelling user experiences the web has seen. (Née Web 2.0.) None of the most requested features for WordPress would be any easier (or harder) if they were written for PHP 4 or 5 or Python. They’d just be different. The hard part usually has little to do with the underlying server-side language.

Someday on our mailing lists I hope half the words wasted pontificating on “language version wars,” which are even duller than language wars, go toward design, copywriting, information, performance — the things that truly matter.

Jun 22 (110)

On WP Security

Filed under: WordPress

Wincent Colaiuta has no problem throwing flames at WordPress, but doesn’t see fit to enable comments. (Apparently disabled to make Movable Type more secure.) His table-layout blog isn’t too notable but it got linked from Daring Fireball so a lot of people saw his article trying to draw the line between a routine point release and encouraging people to never use WordPress on the public internet. Here are a few points for thought in response:

  • The SQL problem in 2.2 requires both registration to be enabled (off by default) and the blog to be upgraded to 2.2. It is a serious problem but I’ve heard of fewer than 5 exploits from the flaw. Even if you assume there are 100 blogs for every one we heard about, that’s still an incredibly small percentage of the millions of WordPresses out there, especially considering, as Wincent points out, the problem has been in the public for a while now.
  • Getting people to upgrade web software is hard. We work as best we can with hosting companies, but a consideration is that it’s best to roll several security fixes into one release. It’s not responsible to do a release if we know of another problem, so sometimes there is a lag between an initial report and a final release, not to mention the testing required of a product used as much as WP.
  • Wincent digs up the server crack that modified the files of 2.1.1 for a few days. Ignoring the fact that it was a server issue and had nothing to do with WordPress the software, we actually had NO reported exploits of the problem. (Though I’m sure there are at least a handful out there with problems, it wasn’t enough to hit our radar.) Despite that we took a hit and publicized the issue as much as we could to get the word out.
  • Also about 2.1.1, the problem was found through someone proactively auditing the codebase.
  • Finally Wincent says of WP “[a]nd if you insist on installing it, then you need to watch the trac like a hawk.” You would think complete transparency of the problems (it was on our bug tracker and mailing list) would be a good thing, especially considering the software Wincent uses doesn’t have a bug tracker, and the only way to submit a bug is through a contact form.

We can and do review new code for problems, and pick the vast majority up before any releases. I think the real issue though is not that WP has bugs which are sometimes security related, which all software not written by djb does, but that the mechanisms for updating complex web software are a pain. Right now the best experiences are probably with folks like Media Temple or Dreamhost that have pretty foolproof one-click upgrades and are quick with updates.

Making notification better and upgrading more painless for people not lucky enough to be on a host like that are problems with some very clever minds on them, and I’m confident that we’ll have good progress toward each in the next major release of WP.

Finally, I suppose we could act more like our proprietary competitors and try to downplay or hide security issues instead of trumpeting them loudly in our blog, but I think the benefit of having people well-informed outweighs the PR lumps we take for doing the right thing. I truly believe talking about these things in the open is the best way to address them.

In some ways it’s a good problem to have. When a product is popular, not only does it have more eyes from security professionals on it, but any problems garner a level of attention which is not quite warranted by the frequency of the general event, like Angelina Jolie having a baby. There are certainly things intrinsic to coding that can make software more or less secure, but all things being equal the software with the most eyes on it, which usually means Open Source, will be the most robust in the long term.

Sep 22 (29)

After a security update my 12″ Powerbook asked me to reboot, after which it decided that it will only boot to a command line. I have no idea how to even start to fix this, I can navigate around it like it’s Linux but there is no indication of what went wrong or how to fix it. I’m going to take it to the Genius bar in hopes they can do something, but all-in-all this is pretty disappointing.

Sep 15 (9)

Wired had an article out last month called Spam + Blogs = Trouble where I share some of my perspectives on the whole spam thing. It’s a good article, but I strongly disagree with Anil’s comments at the end around a global identifier or “Internet Social Security number.” Akismet has shown we don’t need to boil the ocean or make commenters jump through hoops to get effective spam protection on blogs (and blog hosting services).

Apr 15 (42)

The Feed Validator is Dead to Me

Filed under: RSS

Is anyone else sick and tired of the so-called feed validator changing its mind on fundamental issues every other week? I’m sure Sam Ruby and whoever else is still working on the Validator mean well, but the constant ivory tower decisions to change the way it interprets “valid RSS 2.0” are making it seem more like a political advocacy tool than anything else. Perhaps I should give the benefit of the doubt and “Never attribute to malice that which is adequately explained by stupidity.”

I’m not even talking about deciding they can change the world by decree. (Which has already been addressed.) The latest in their line of enlightened changes is that the author of the Well-formed Web spec has changed the capitalization of the wfw:commentRSS element at some unknown point to lowercase Rss. This arbitrary decision has been codified by the validator, which now reports the millions and millions of feeds that use the previously correct capitalization as invalid. Confusion ensues.

If the previous paragraph makes your eyes glaze over, congratulations, you’re normal.

Here is a post on their mailing list which also explains the issue and includes a link to the archive.org version of the page with the capitalization everyone uses, which was there for at least two years. One line can cause so much trouble.

But wait, there’s more. “In addition, this feed has an issue that may cause problems for some users.” They’ve also started marking all uses of content:encoded as potentially causing problems, which is funny because it actually avoids a ton of problems and (again) people have been using it in RSS 2.0 feeds for 3+ years now, and I even asked Dave Winer about it in the past and he said that was fine. Their documentation on the topic seems more geared toward instilling fear, uncertainty, and doubt in RSS 2.0 than addressing the reason they’ve decided to start warning about this element. Where a validator normally provides stability, the feed validator has become the Homeland Security of the RSS world, keeping us all in a constant state of dulled fear, insensitive to whatever warnings they’re giving us today because we just want it to stop.

I’m sure the content:encoded change can be rationalized with a perfectly convincing argument. I wouldn’t be surprised if someone as smart as Sam could do the same for the arbitrary wfw:commentRSS change. I know that the code is open source and we could fork it and create another version of the validator that doesn’t invalidate half the blogosphere on a Tuesday afternoon. But then we would have more than one validator, and that defeats the point.

Mar 28 (17)

When flying to Canada, BRING YOUR PASSPORT. Update: I wrote the preceding from my Blackberry at the ticket counter. After I found out about the passport, I rushed to the departure area and got the world’s best cab driver. His English was atrocious, but he understood what was going on. There was thankfully no traffic on 280 from SFO to my house and he did it in about 15 minutes. Ran in, grabbed the passport, ran back out. Lost a minute while he tried to ask me if I had “all three things”: passport, tickets, and ID. He says a lot of people run in to get a passport and leave the tickets on the table. He took 101 back to SFO, which had a bit of traffic. Big tip. No line at the ticket counter; the flight was delayed. The lady was so kind, she switched me to the last window seat on the flight to Las Vegas and I got an upgrade to first class from Vegas to Toronto. (Maybe I’ll get some sleep.) No line at the security counter so I breezed through. Had time to grab a reuben at the deli. Sometimes I think I lead a charmed life.

Mar 4 (5)

Released on December 21, 2002
Last Updated: December 21, 2002 2:23 AM
Version: 0.1

Description

When you run your text through this code it will define all the acronyms it can using the acronym tag. It also has a few other niceties, so check it out.

Installation/Usage

Pass whatever text you want to use through it, and add whatever acronyms you want to the array by copying what I have already. The sortr_longer function must be defined above the acronymit function.

Code

Reverse Sort Array on Length

<?php
// Comparator for uksort(): longer keys sort first, so an acronym that
// contains another one (XHTML/HTML, LAMB/MB) is replaced before the
// shorter key gets a chance to eat part of it. Returning the length
// difference (rather than never returning 0) keeps the comparator consistent.
function sortr_longer($first, $second) {
    return strlen($second) - strlen($first);
}
?>

acronymit

<?php
function acronymit($text) {
    $acronyms = array(
        'WYSIWYG' => 'what you see is what you get',
        'XHTML' => 'eXtensible HyperText Markup Language',
        'IIRC' => 'if I remember correctly',
        'HDTV' => 'High Definition TeleVision',
        'LGPL' => 'GNU Lesser General Public License',
        'MSDN' => 'Microsoft Developer Network',
        'WCAG' => 'Web Content Accessibility Guidelines',
        'SOAP' => 'Simple Object Access Protocol',
        'OPML' => 'Outline Processor Markup Language',
        'MSIE' => 'Microsoft Internet Explorer',
        'FOAF' => 'Friend of a Friend vocabulary',
        'GFDL' => 'GNU Free Documentation License',
        'XSLT' => 'eXtensible Stylesheet Language Transformation',
        'HTML' => 'HyperText Markup Language',
        'IHOP' => 'International House of Pancakes',
        'IMAP' => 'Internet Message Access Protocol',
        'RAID' => 'Redundant Array of Independent Disks',
        'HPUG' => 'Houston Palm Users Group',
        'VNC' => 'Virtual Network Computing',
        'URL' => 'Uniform Resource Locator',
        'W3C' => 'World Wide Web Consortium',
        'MSN' => 'Microsoft Network',
        'USB' => 'Universal Serial Bus',
        'P2P' => 'Peer To Peer',
        'PBS' => 'Public Broadcasting System',
        'RSS' => 'Rich Site Summary',
        'SIG' => 'Special Interest Group',
        'RDF' => 'Resource Description Framework',
        'AOL' => 'America Online',
        'PHP' => 'PHP: Hypertext Preprocessor',
        'SSN' => 'Social Security Number',
        'JSP' => 'Java Server Pages',
        'DOM' => 'Document Object Model',
        'DTD' => 'Document Type Definition',
        'DVD' => 'Digital Video Disc',
        'DNS' => 'Domain Name System',
        'CSS' => 'Cascading Style Sheets',
        'CGI' => 'Common Gateway Interface',
        'CMS' => 'Content Management System',
        'FAQ' => 'Frequently Asked Questions',
        'FSF' => 'Free Software Foundation',
        'API' => 'Application Programming Interface',
        'PDF' => 'Portable Document Format',
        'IIS' => 'Internet Information Server',
        'XML' => 'eXtensible Markup Language',
        'XSL' => 'eXtensible Stylesheet Language',
        'GPL' => 'GNU General Public License',
        'KDE' => 'K Desktop Environment',
        'IE' => 'Internet Explorer',
        'CD' => 'Compact Disk',
        'GB' => 'Gigabyte',
        'MB' => 'Megabyte',
        'KB' => 'Kilobyte'
    );
    uksort($acronyms, 'sortr_longer'); // comment out if already sorted longest-first
    foreach ($acronyms as $acronym => $definition) {
        // preg_quote() protects against regex metacharacters in a key.
        // (?![^<]*>) refuses matches inside a tag, so an acronym that appears in
        // its own title attribute (PHP above) is not wrapped a second time.
        // (?!</(?:ac|sp)) refuses text already wrapped by an earlier pass.
        $pattern = '#' . preg_quote($acronym, '#') . '(?![^<]*>)(?!</(?:ac|sp))#';
        // Escape the definition before placing it in an attribute value.
        $title = htmlspecialchars($definition, ENT_QUOTES);
        // The first occurrence gets the full definition...
        $text = preg_replace($pattern, "<acronym title=\"$title\">$acronym</acronym>", $text, 1);
        // ...and later occurrences are only marked up as caps.
        $text = preg_replace($pattern, "<span class='caps'>$acronym</span>", $text);
    }
    return $text;
}
?>

Notes

You can speed it up a bit by commenting out the sort line if the array is already in order of longest acronyms first. The reason is that the function goes down the array looking for that text to acronymfy, and it’ll grab whatever it comes to first. So if you have an acronym defined for LAMB and one for MB, and MB is first on the list, it will eat the last two letters of LAMB. So that people (mainly me) don’t have to sort it manually by acronym length, I wrote a small function to reverse sort the array by the length of the key string.
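As an added example (this is not the page’s own code, and it is written in Python rather than the PHP above), the following reimplements the same longest-first replacement and shows the LAMB/MB collision the note describes: with MB processed first, the shorter key eats the tail of LAMB, while the sorted order leaves both intact. The LAMB expansion is a constructed, hypothetical entry used only to create the collision. It also goes a little beyond the original: it escapes the key and the definition, and it refuses to match inside an already generated tag, which matters for a definition that contains its own acronym.

```python
import html
import re

# Constructed sample dictionary, not the page's full list. "MB" is a suffix of
# "LAMB", which is exactly the collision the original notes describe.
# The LAMB expansion is hypothetical.
ACRONYMS = {
    "MB": "Megabyte",
    "LAMB": "Language-Aware Markup Builder",
    "HTML": "HyperText Markup Language",
    "XHTML": "eXtensible HyperText Markup Language",
}


def acronymit(text, acronyms, sort_longest_first=True):
    """Wrap the first occurrence of each acronym in <acronym title=...> and
    every later occurrence in <span class="caps">, as the PHP version does."""
    items = list(acronyms.items())
    if sort_longest_first:
        # Same idea as sortr_longer(): longer keys first so that they are
        # wrapped before a shorter key can match inside them.
        items.sort(key=lambda kv: len(kv[0]), reverse=True)
    for acronym, definition in items:
        # re.escape guards against metacharacters in a key (e.g. "C++").
        # (?![^<]*>) refuses matches inside a tag, so an acronym appearing in its
        # own title attribute is not rewritten a second time.
        # (?!</(?:ac|sp)) refuses matches already wrapped by an earlier pass.
        pattern = re.compile(re.escape(acronym) + r"(?![^<]*>)(?!</(?:ac|sp))")
        first = '<acronym title="%s">%s</acronym>' % (
            html.escape(definition, quote=True), acronym)
        later = '<span class="caps">%s</span>' % acronym
        # Callables as replacements avoid backslash processing of the definition.
        text = pattern.sub(lambda m: first, text, count=1)
        text = pattern.sub(lambda m: later, text)
    return text


def collision_demo(text="a LAMB and 2 MB"):
    """Return (unsorted result, sorted result) for the LAMB/MB collision."""
    return (acronymit(text, ACRONYMS, sort_longest_first=False),
            acronymit(text, ACRONYMS))


if __name__ == "__main__":
    broken, fixed = collision_demo()
    print("unsorted:", broken)
    print("sorted:  ", fixed)
```

In the unsorted run the output contains `LA<acronym title="Megabyte">MB</acronym>`, which is the "eaten" LAMB; the sorted run wraps LAMB and MB separately.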

Jan 21 (5)

I’ve been following the Livejournal hack closely because as someone who runs many services that allow user submitted content, any new developments in XSS are very important to stay on top of. So far the only official technical explanation I’ve seen is here on lj_dev. Since we don’t allow template editing or embedded JS or styles on WP.com I can’t think of any vectors for attack, but you never know with these things. More on moz-binding.

Dec 3 (29)

Stephen Steele (is that a real name?) just wrote in that the new Yahoo Mail updates blog is on WordPress. As far as I know this is the first official Yahoo blog on WP I’ve seen. What makes it really interesting is it’s the first time I’ve seen third-party software (like WordPress) on the yahoo.com domain. You’ll notice every time they’ve done blogs before it’s been on a different domain like yahoo.net or ysearchblog.com, I imagine because of the incredibly strict security requirements anything with access to Yahoo.com cookies must meet. This is very exciting news. :)

May 18 (18)

I just got a Google alert for a Red Herring article on Six Apart set to publish in a few days. They mention us here: “Critics of Six Apart say that WordPress, a blog publishing platform developed by a grassroots team, is more robust than Movable Type. WordPress is also open source and free. But things are different in Six Apart’s cash-crop enterprise space, where support and security are at the top of the list. Half of Movable Type servers sit behind a firewall, says Mr. Berkowitz.”

May 17 (21)

I just got a spam/phishing email that looks exactly like a Windows Update notification, and every link in the email is to a real Microsoft site, save one. The download link, which I must “Install now to maintain the security of your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer,” goes to a file named Windows-KB835935-SP2-ENU.exe on the domain windowsupdatenow.net. I’m sure the exe will do awful things to whoever falls for this. I hope Microsoft/Scoble get their lawyers on whoever is behind this; I’ll admit that until I noticed the download link’s domain, the email seemed totally legit.
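As an added example, not part of the original post, here is the kind of check that would have caught that message mechanically: collect every href in the HTML body and flag the ones whose host is not the domain the mail claims to come from, or that point at an executable. The sample email body is constructed to resemble the one described, reusing only the domain and file name mentioned above; the suffix match on the host is a simple stand-in for a proper public-suffix check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body modelled on the message described in the post.
# Only the odd-one-out domain and file name come from the post itself.
SAMPLE_EMAIL_HTML = """
<p>Install now to maintain the security of your computer.</p>
<a href="https://www.microsoft.com/security/">Security bulletin</a>
<a href="https://support.microsoft.com/kb/">Knowledge Base</a>
<a href="http://windowsupdatenow.net/Windows-KB835935-SP2-ENU.exe">Install now</a>
<a href="https://www.microsoft.com/privacy/">Privacy statement</a>
"""

# File extensions that should never arrive as a click-through from a notice email.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".com", ".pif")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return parser.links


def host_matches(host, trusted_domain):
    """True if host is trusted_domain itself or a subdomain of it.
    A naive suffix check: 'microsoft.com.example' does not pass, but a real
    deployment would consult the public suffix list."""
    host = host.lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def audit_links(html_body, trusted_domain):
    """Return [(link, [reasons])] for every link that deserves suspicion:
    a host outside the trusted domain, and/or a direct executable download."""
    findings = []
    for link in extract_links(html_body):
        parts = urlsplit(link)
        host = parts.hostname or ""
        reasons = []
        if not host_matches(host, trusted_domain):
            reasons.append("host %s is outside %s" % (host or "(none)", trusted_domain))
        if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link downloads an executable")
        if reasons:
            findings.append((link, reasons))
    return findings


if __name__ == "__main__":
    for link, reasons in audit_links(SAMPLE_EMAIL_HTML, "microsoft.com"):
        print(link)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample body with `microsoft.com` as the claimed sender, only the download link is reported, for both reasons; the three other links pass because their hosts are subdomains of the trusted domain.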

May 10 (20)

A lot of the same people who rant and rave every time Internet Explorer has another security snafu are being strangely silent about Firefox’s recent flaws. I wonder how many of the web technorati are willing to give Firefox a pass every now and then because of its superior standards support? The Firefox team is also to be commended for their rapid response to the issue on the only site that’s vulnerable by default.