Paul O'Flaherty

Brain to mouth filter removed since 1978

Archive for the 'Security' Category

06 September 2009, 2 comments

Scoble Admits Incompetence Yet Blames WordPress

I thought I was done making fun of the naive yesterday, who couldn’t understand the simple premise of “Upgrade Now” to protect their self-hosted WordPress install, but it would appear that the weekend is not yet over in that respect.

Robert Scoble should know better than most the necessity for security updates. He was Microsoft’s blogger evangelist for long enough, yet now that he’s self-hosting his own blog he’s apparently forgotten what he once used to preach.

At some point in the last few weeks (not months, weeks) Scoble’s WordPress install was hacked, and now that there is a big hullabaloo about making sure people update to 2.8.4, he’s decided to jump on the bandwagon and tell his story.

Normally I would have no problem with A-list bloggers like Scoble sharing their story and promoting the need to keep your installs up-to-date, but if I were working or developing for/at/on WordPress I would be incredibly pissed off at Scoble right now.

Not only should people directly involved with WordPress be annoyed at Scoble right now, but anybody who develops for clients and promotes the WordPress platform.

In a post titled “I don’t feel safe with WordPress, hackers broke in and took things” Scoble tells the story of how he neglected to upgrade his blog from 2.7.X (despite all the security updates released between 2.7 and 2.8.4, the notifications of new releases in the dashboard, internet-wide talk every time a new release gets pushed, etc.) and how he got hacked as a consequence.

Do you see now why Matt Mullenweg and all WordPress developers should be up in arms against Scoble?

In his post and the comments, Scoble repeatedly states that he neglected to upgrade (despite the fact that it’s a one-click process), yet the title of his post, which is what most people pay attention to and probably the only thing that people skimming their RSS readers or Twitter will see, clearly lays the blame at the feet of WordPress.

Scoble just took a big swipe at the perceived security of WordPress. A big unjustified swipe, that serves only to bring him traffic as he jumps on the bandwagon of the push to get people to update to the current version of WordPress, while deflecting attention away from the fact that the only reason it happened to him was because he failed to update.

That’s very much like complaining that you’ve been hacked because you failed to install all the critical updates on your operating system.

Bad form Robert.

As a tech blogger and a geek Robert should know better, on all accounts.

05 September 2009, 9 comments

WordPress (or Mashable) Users Can’t Be This Stupid? Can They?

I’ve just seen Mashable’s post about a security exploit that exists in older versions of WordPress, versions prior to 2.8.4, and how imperative it is that you upgrade your self-hosted WordPress immediately. Of course the post is getting a lot of attention across the interwebs and on sites like Twitter.

Like what I hope are the vast majority of WordPress users, I shrugged my shoulders and paid very little heed to it as it’s only a concern for installs older than 2.8.4. We’re running WordPress on all but one of our 9 sites and like most people we upgraded to 2.8.4 as soon as it was released and always upgrade to the newest release straight away.

The only thing that ever stops us upgrading immediately is if there is a conflict with one of our plugins which we set about fixing straight away and then upgrade ASAP.

After all, WordPress is like any other piece of software. It may run on your server or webhost, but just like your Windows installation it requires regular updating for stability, speed and security improvements.

Unless you have a very specific reason not to (other than you are just too lazy to upgrade your plugins or theme), upgrading to the latest version is always a must.

Anyhow, I was calling WordPress users stupid, wasn’t I? Or was that Mashable readers? Actually it’s the segment of WordPress users who commented on Pete Cashmore’s post today, who obviously failed to comprehend the article and have issues with the most simple of advice! Upgrade Now!

Here’s some examples for your amusement:

Σχολή Χορού That’s really annoying. I have some blogs about dancing with very personalized themes and who knows what will happen if i upgrade.

You’ll get hacked and all your pretty personalized themes will disappear forever.

happymind how do you upgrade ??????

See the button that says “Upgrade Automatically” – Click it! When was the last time you logged in to your WordPress Dashboard?

Mitzi Szereto yeah, but everytime i log in, i see that the NEW version has holes in it, and they have to keep fixing it. so frankly, i am not sure i trust it. nor i am sure i trust that it won’t screw up my entire site.

and:

i’m still on 2.7.1 – should i leave it the hell alone? please advise.

Yes, they’re called fixes. Your old version probably has all the vulnerabilities and more of the new versions. They’re fixing the problems as they find them. As for you still being on 2.7.1 – is it really that hard to comprehend “Upgrade Now!”? Tell you what, stay on 2.7.1. Can’t wait for lazy people like you to start bitching about WordPress security when you get hacked.

ronaldredito This is annoying! Can anyone pinpoint who is behind this?

Yes, it was Barack Obama! It’s a plot to take over the world by brainwashing everybody through plugins that have been covertly installed in WordPress blogs, which then send subliminal suggestions to everyone prompting them to elect him in for another 4 years and agree with all his policy decisions. And the WordPress dev team are going to just start taking out people like him instead of ever working on security updates. Assassinating random people is much more cost effective and less disruptive to the WordPress user base than pushing security releases.

Arthur Wilkie And this is why I use Blogger…

I’m really, seriously praying that was sarcasm Arthur :)

achernow Already did the upgrade apparently.

Maybe the hacker did it to prevent any more hackers taking control of your WP? Sheesh, how could you not know you upgraded, and why would you need to post that you had?

Okay, obviously these people aren’t stupid, but they are very naive and I’ve got to ask myself, if you’re not confident enough to deal with upgrades, plugin upgrades and security releases on self hosted WordPress installs why are you using it in the first place?

Don’t cite customization to me as a reason, as if you’re confident enough to customize the PHP in your themes files you should be able to at least perform an upgrade!

I know some of you are going to call me elitist and an arse for making fun of people who are less knowledgeable in this area, but let’s be serious, if you’ve been using WordPress since 2.7.1 (came out 7 months ago)... enough said!

Update 15/09/2009:

Just came across this excellent post by Jeff Chandler: “Are You Responsible Enough To Run WordPress?”

05 September 2009, 0 comments

This Is Why You Need To Be Proactive About Online Privacy

Privacy is not a given online. It’s certainly not something that someone else should provide and it is your responsibility to make sure you are doing what’s needed to protect yourself.

It’s simply all too easy to find out what someone has been up to without having to resort to any kind of illicit hacking or illegal activities.

Don’t believe me?

Click through to WhatTheInternetKnowsAboutYou.com and it will become all too apparent how easy it can be for nefarious websites to become way more aware of what you do online than you would wish!

Has that scared you?

Yes? Good, now you should be open to learning a little about protecting your privacy online!

Here’s two links that will help you, both of which are from the EFF (Electronic Frontier Foundation), who you can consider amongst the good guys on the wild west of the internet.

12 Top Ways To Protect Your Privacy Online.

Six Tips To Protect Your Search Privacy.

05 August 2009, 1 comment

To Unsubscribe Or To Unsubscribe?

I received an email yesterday asking to be unsubscribed from the double opt-in daily newsletter which goes out from this site.

Now, despite the, as stated, double opt-in nature of signing up for a newsletter with Feedburner, what confused me about this email was that the sender was afraid of using the “Unsubscribe now” link at the bottom of the email for fear it would verify existence of their email to a spammer.

I don't believe I ever subscribed to this newsletter.  Someone at your end must have decided to include me in your mailing list, without reference to me.  Usually it is not a good idea to click the "unsubscribe" link on this sort of spam -- it simply confirms one's existence to the spammers

Yet, they were completely content to hit the reply button and send an email asking to be unsubscribed directly to the email address which the newsletter originated from.

I for one am not afraid to use “Unsubscribe” links on email newsletters as I keep track of the newsletters and sites to which I subscribe and am sure that what I am clicking on is legit. Well, legitimate enough for me to have signed up in the first place.

If I receive a newsletter from a source I did not signup for, I simply sentence it to live forever in my spam folder and ignore it.

Experience shows that most people don’t keep track of what they’ve subscribed to and if they don’t remember signing up for a legitimate newsletter, or simply don’t want to receive it any more, they don’t bother emailing to be unsubscribed or clicking the unsubscribe link. They simply hit the “mark as spam” button and forget about it.

This behavior makes me wonder 3 things:

  1. What percentage of spam is actually legitimate email that people have forgotten they’ve subscribed to?
  2. How badly this “false positive” spam pollutes the spam filters used by ISPs and email providers?
  3. Whether there is another way to handle the issue of ensuring that real email and newsletters are not marked as spam?

Finally, I’m wondering what you do when you no longer wish to receive a newsletter you’ve subscribed to? I’ve added a poll to the comments section so that you can have your say.

Those of you reading this in an aggregator or in the newsletter, will have to click through to have your say.

17 April 2009, 6 comments

Twitter is getting hacked???

Sara just spotted what appears to be hacking of twitter accounts. Check out these screengrabs of @bobbyzeez and @BabyPatches.


As you can see a twitter search for the term “mikey” is displaying a huge number of accounts being compromised that is increasing very very rapidly.


My advice for now, is to sign out of the web interface, change your password and see what happens.

UPDATE: 17th April 20:49

It appears that this is a resurgence of the Mikeyy worm from last week (albeit with somewhat different output)! See this Mashable post for details of how to deal with it.

19 November 2008, 14 comments

Most realistic spam I’ve seen in a while

This attempt at a PayPal phishing scam is the most realistic spam email I’ve seen in a while.

Their only slip up is the return email address and the fact that the gmail address they sent it to is not my PayPal account.


from service@paypal.com <service@paypail.com>

reply-to service@paypal.com

to Paul <paul.oflaherty@gmail.com>

date Tue, Nov 18, 2008 at 8:08 AM

subject Notification of Limited Account Access

Dear Paul ,

PayPal Resolution Center: Your account is limited.

Why is my account access limited?

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account:

Our system detected unusual number of invalid logging attempts on you account from these blacklist ip address.

Your case ID for this reason is PP-0042310.)

How can I restore my account access?

For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. In order to assist us with this security measure, we ask that you send us a photocopy or scan documents listed below and return them via email to security@paypalfraudcheck.com :

- A clear copy of your Passport or Photographic Drivers Licence or I.D. Card (both sides).

- A clear copy of both sides of the credit/debit card on your Paypal profile.

- A clear copy of a recent bank statement or utility bill on which your name and address are clearly visible -  less than 3 months old.

Completing all of the checklist items will automatically restore your account access

Thank you for using PayPal!

————————————-

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.
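The sender slip-up noted above (a paypal.com display name in front of a paypail.com address, with documents requested at a third domain) can be checked mechanically. The following Python is an added example, not part of the original post: the sample messages are constructed from the headers and body quoted above, and the function names and the edit-distance threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND_DOMAIN = "paypal.com"  # domain the message claims to speak for
MAX_TYPO_DISTANCE = 2        # assumed threshold for "one or two keystrokes off"
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample built from the headers and body quoted in the post.
RAW_PHISH = """\
From: "service@paypal.com" <service@paypail.com>
Reply-To: service@paypal.com
Subject: Notification of Limited Account Access

We ask that you send us a photocopy or scan of the documents listed below
and return them via email to security@paypalfraudcheck.com :
"""

# Constructed benign counterpart: every address is on the brand's own domain.
RAW_OK = """\
From: "PayPal" <service@paypal.com>
Subject: Receipt for your payment

For assistance, log in to your account and click the Help link.
"""

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return None for the brand's own domain or an unrelated one, else a reason."""
    domain = domain.lower().rstrip(".")
    if domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN):
        return None
    if edit_distance(domain, BRAND_DOMAIN) <= MAX_TYPO_DISTANCE:
        return "lookalike"
    if BRAND_DOMAIN.split(".")[0] in domain:
        return "brand-embedded"
    return None

def findings(raw):
    """List the sender-identity red flags in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = sender.rpartition("@")[2].lower()
    out = []
    reason = classify_domain(sender_dom)
    if reason:
        out.append(f"from-{reason}:{sender_dom}")
    # A display name that is itself an address on another domain is a spoof tell.
    shown = ADDR_RE.search(display)
    if shown and shown.group(1).lower() != sender_dom:
        out.append(f"display-name-mismatch:{shown.group(1).lower()}")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    reply_dom = reply.rpartition("@")[2].lower()
    if reply and reply_dom != sender_dom:
        out.append(f"reply-to-mismatch:{reply_dom}")
    # Addresses in the body show where the requested documents would really go.
    for dom in sorted({d.lower() for d in ADDR_RE.findall(msg.get_payload())}):
        reason = classify_domain(dom)
        if reason:
            out.append(f"body-{reason}:{dom}")
    return out

if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("benign", RAW_OK)):
        print(label, findings(raw))
```

Each finding is a string of the form `check:domain`, so the output can be fed straight into a mail-filter rule or a triage note.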

02 September 2008, 7 comments

Deliberately crashing Google Chrome

One of the really cool features of Google’s new browser “Chrome” is that all of the tabs (and plugins such as Flash player) are run as separate processes.

This gives excellent crash control as is evidenced if you go in to task manager and start closing the chrome processes.

Killing a single process doesn’t result in failure of the application, or even the tab in question closing.

Instead it results in the tab remaining open with the following message displayed:

Something went wrong displaying this webpage. To continue press Reload or go to another page.

This is accompanied by a rather sad looking icon of a tabbed folder.

I really like this way of handling the tabs as it means that even if a rogue page brings down the process it will not kill the browser but you also do not lose the URL of the page that you were on.

I do, however, worry about potential memory consumption issues as large numbers of tabs are opened!

As you can see from the screen shot below, with 10 tabs open the memory usage from multiple processes really starts to eat up.

Memory usage per tab of course varies based on the size and complexity of the page loaded, but even though Chrome does start to eat a lot of memory (120,631 K for the 10 tabs I had open) it compares very well in terms of memory usage to my extension-laden Firefox install.

I’m hoping that this will stay this way as Chrome becomes more feature complete.

Another cool thing about Chrome is the apparent lack of a status bar.

When you load a page there is nothing to be seen at the bottom of the browser, yet mouse over a link and the URL it goes to will appear on the bottom left of the browser and then fade away once you move the mouse.

While I’m still unsure as to whether or not I like Google Chrome enough (I’ve only been playing with it for an hour) to say that it may ever lure me away from my beloved Firefox, I can say that as it stands it looks very promising and has a heck of a lot of potential (and I do love the simplicity of the design).

I’m just wondering how long it will take Mozilla to integrate things like separate processes for tabs into Firefox and steal Chrome’s thunder before it can gain traction?

15 June 2008, 7 comments

Security for the dumbass generation…

Since I’ve been back in Ireland I’ve found the need to get broadband installed in my grandparents’ house (they’ve been kind enough to let me stay here until I move on again), and in my search for a reasonably priced provider with a reasonable service I ended up ordering a DSL connection from Eircom.

Now while I don’t have any complaints about the service (as yet) I do have some complaints about the setup of the DSL routers when they arrive at a customer’s home.

One of the most important steps in encrypting your wireless network is the use of a good random key of minimum 20 characters in length. I normally go longer than that but let’s keep that at a minimum.

Now, all Eircom DSL routers come with WPA security enabled by default.

“Well and good”, you might say, “What the hell is he complaining about?”

What makes network keys secure is that nobody is supposed to know them.

One of the worst things you can do is write them down in case some unscrupulous little git, like say your neighbor’s teenage child, gets hold of it and then decides to use your internet connection to download gigabytes of hardcore porn.

But Eircom in their infinite wisdom have chosen to ship their routers, not only with a pre-enabled WPA key which is PRINTED on the router, but also to provide you with a stupid little manual that has the serial number, MAC address and SSID of the router printed on the front of it. Not only that, but the WPA key is also printed on the front.

So now, all little one armed bandit Johnny from next door, has to do is lift that booklet or get a quick look at the router in order to know your WPA key. He can happily use your internet connection to download porn, until one arm becomes disproportionately larger than the other and someone finally takes notice.

Let’s be honest here, the majority of people are scared of concepts such as encryption and tend to opt for the easiest and laziest solution.

If the router comes with a predefined key, the chances are that 98% of people will use it, and we ALL know how careful most people are about holding onto crappy little manuals or not just leaving them lying around the place.

I think what really ticks me off most about this is that the manual doesn’t in any way encourage the user to change the WPA key from the default.

The closest it comes in its 24 pages to encouraging changing the default key is two lines at the bottom of one page which read:

Your modem comes with WPA (WIFI Protected Access) security enabled.

For further information and to make changes to your security settings please go to www.eircom.net/wirelesssecurity.

We know they’re all going to be rushing off to follow that link


03 March 2008, 1 comment

How would you handle this?

Okay, so looking back on this site I noticed a post which I wrote in the middle of February called "Proactive Security" which bemoaned the fact that little had changed with respect to end users’ attitude towards security since I had written a post 4 years earlier.

Well, that post got me thinking about an email I received a while back (which has had the sender’s name removed to protect the deluded) and spawned the question: "How would the readers of O’Flaherty deal with this?"

After all it’s a common problem that I’m sure most of us have to handle fairly regularly for friends and relatives.

So, answers please as trackbacks or comments. :)

The best answer will be promoted to a full post complete with link love back to your blog.

Please bear in mind that the sender of the email was running Windows Vista and did NOT want their hard disk reformatted.

Here’s the email:

Sorry to bother you with such a trivial matter,

but who can you recommend as a reliable and economical alternative to Norton (Symantec)?

Long story short, both home computer and laptop have been bloody well riddled with adware, spyware and a bloody worm (can’t remember the name of the worm but let’s just say the fecking thing is tenacious).

It all just managed to slip right through Norton 08 without sending up any flares.

Got onto their virus support team on Sunday night and they said it was 100% cleared, but damn it after start up last night it was there again but this time it fecked me about from pillar to post, redirecting and everything, so Norton got a second call – and this time they reckon they have it beat.

Needless to say I no longer trust my home pc to do any of the usual emailing banking etc.

How do I manage to keep it cleared and who do I get instead of Norton?

You who are all powerful and great and know everything there is to know about the www – please help?

Best of regards,

(Name removed to protect the insane)

So remember guys and gals that the best answer gets promoted to a full post which means some nice linky love sent to your own blog.

Can you help this obviously insane person?

18 February 2008, 2 comments

Proactive security

About 4 years ago I wrote a post called “Security, Microsoft and You…” and I am amazed that very little has changed in that time.

Who’s running anti-virus software and thinks they’re up to date? Are you sure? Have you checked manually.. A lot of anti-virus software is configured to update once a week, but updates can and are released more frequently than that. Downloading manually, regularly, along with the automatic update keeps you safe all the time.. Also, it can reduce the size of your downloads, instead of downloading a big file once a week, little ones once a day.. you’ll hardly notice it..

Who’s got a firewall running? No, get one.. Don’t feel you need one? Do you suffer from the “Who’d want to hack me?” syndrome.. get over it.. Nobody might want to hack you, but that won’t protect you from worms that search for open ports to infect your machine


We may be using Vista (or XP SP2) but many people are still not using automatic update properly and are still continuing to run their computers without anti-virus software, anti-spyware software or a decent firewall solution.

Here’s 3 quick and free solutions you can use to help protect your PC:

What solutions do you use to protect your PC?

02 February 2008, 0 comments

60 minutes without MyOpenID but what if..

MyOpenID is going to be down for 60 minutes today which means that for 60 minutes any site that I used MyOpenID to create an account with will be unavailable to me regardless of whether or not that site is down.

This is a notice that MyOpenID will be having a maintenance
outage starting at 14:00 on 2008/02/03, US Pacific Time
(GMT -7 hours).  The outage may last as long as 60 minutes,
but is expected to be considerably shorter.

The reason for this outage is:

    Network modifications to enable new services

During the outage, the MyOpenID website may be unavailable or
unresponsive, and users will be unable log into OpenID-enabled
websites using their MyOpenID accounts.

What happens if MyOpenID has an extended outage, say 48 hours long? Or even worse, what if it folds?

The decentralization that is openID’s strength is also its biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. […] In order to login to a web app with openID the web app needs to be working AND my openID server needs be working. The greater number of interconnecting parts decreases my chances of getting everything to work together much more than the benefit of not having to manage multiple user accounts. […] if you use someone else’s openID server then you’re screwed.

Now I know I could set up a new temporary account on the site I’m using, but who wants to do that? It defeats the purpose of having an OpenID, doesn’t it?

Another option would be to have multiple OpenIDs on multiple providers, but then we are starting to get back into the territory of having lots of usernames, IDs and passwords to remember again, although admittedly not as many.

Before you all start screaming that I can set up my own domain to act as an OpenID provider and just use my own URL all the time (which I have already set up, BTW): what about the millions of people who will never own their own domain (for whatever reason)?

For those people, relying on a single OpenID provider could be a disaster if the company folds, and creating multiple OpenIDs is almost as bad as multiple usernames and passwords because you have to remember which OpenID you use on which forum or blog so that commenting would remain consistent.

Furthermore, using OpenID as your main login everywhere is very much like putting all your eggs in one basket. If it’s compromised you are royally screwed and there are no two ways about it.

Once your OpenID has been compromised the keys to the kingdom are out and the compromiser can now happily log in as you on every site you’ve ever used OpenID on (a growing issue as OpenID becomes more prevalent).

It may be the case that for many users a good, well-encrypted password manager will still be the best way to go about managing their online life.

If you are a regular OpenID user or plan to be one then I highly recommend you check out the post by Stefan Brands over on The Identity Corner. It provides a great overview of many of the security, trust, privacy, usability and adoption problems of OpenID.

The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

Also, if you’re completely new to what OpenID is supposed to do then this video will do a good job explaining it.