08 September 2009


My lazy personal response to the latest WordPress hack

A few days ago, many people running slightly out-of-date versions of WordPress blogging software on their servers had it hacked in very nasty ways. Understandably, that's caused a lot of consternation, including suggestions (via John Gruber) that you shouldn't run that kind of software on a public server yourself. Indeed, perhaps you should use crazy complicated workarounds involving Unix terminal commands and such instead. (As if doing so is less complicated than keeping WordPress up to date, but anyway...)

Now, to be clear, I do run several sites using WordPress, and was lucky enough to have all of them up to date so that they weren't bitten by this hack. But this site, my personal blog, has always used Blogger, the original easy blogging application. Not only that, but I use it in its original configuration, which provides the benefits of the weird Unix approach above, but without the hassle.

I didn't come to this approach because I'm especially security conscious. Mostly, it's just inertia and laziness. I started publishing this blog using Blogger almost nine years ago, in October 2000. It works, so I just kept publishing it that way, through several redesigns and a couple of hosting moves. In other words, I got lucky. On to the details.

John wrote:

[Creating blog posts on a local, non-public computer] is how a lot of early blogging software worked. The software generated static files and uploaded them to the publicly available server, which meant the software was not publicly available. This is very secure, especially if you’re using SFTP, but the downside is that you can't post from multiple machines.

...and Maciej Ceglowski said:

Either host your blog with a competent centralized site (like LiveJournal or Blogger) that takes the burden of upgrading, backing up and patching off your hands, or use whatever personal publishing software you like (WordPress, Movable Type, and so on), but keep it on a local machine.

I wrote to John that:

There is a third way. Blogger still allows you to use its original, intermediate model: access the blogging software on Blogger's server, but publish via FTP or SFTP to your own server (i.e. the files travel from Blogger's server to your web server). That's the way I've run penmachine.com since 2000, and it has the advantages of:

  1. publishing static files that don't require Blogger or a database to stay alive.
  2. having Blogger maintain upgrades, backups, and databases.
  3. working from any computer with a web browser.

Many people don't know this option still exists, and many of the more newfangled features of Blogger's newer templates, widgets, and so on don't work with it, but since I create my own templates and don't want the extra stuff, that's not an issue for me.

I should note that my approach permits comments via Blogger or a third-party service, as well as other plug-ins and whatever else you want to do via regular HTML, CSS, JavaScript, PHP, and so on. The approach is slightly more technical than using a hosted service like Blogspot, TypePad, WordPress.com, Squarespace, or whatever—but it's a lot less tricky than installing WordPress (five minutes? yeah right)—or, for that matter, installing Movable Type, or Expression Engine, or Drupal—on your own server in the first place.

Oh, and publishing via Blogger and FTP or SFTP is not perfectly secure, of course. Someone could still hack my Google/Blogger account, or compromise my server, or (more unlikely) both. But I can regenerate my blog via Blogger's database (if the server is hacked), via my server (if Blogger is hacked), via my hosting provider's backups, or from my own local copies of my blog. So I'm in a better position than someone running everything on the server without proper backups.

Then again, anyone who has backups is in a better position than someone who doesn't, always.



27 April 2009


Worrying about Mac security

Last week's TidBITS has a great set of tips from Rich Mogull for evaluating whether Mac security claims are worth concern. (Some are.) Not sure how I missed it when it came out, but John Gruber highlighted it. The basic questions:

  1. Is the Story Based on a Vendor Press Release?
  2. Is the Story Really New?
  3. Is the Security Issue Really New?
  4. What's the Mechanism of Action?
  5. Does the Story Defend Mac Security Based Solely on History?

While a lot of claims of Mac vulnerabilities, exploits, viruses, and trojans are questionable, Mogull notes that "The latest version of Windows (Vista, not that most people use it) is provably more secure in the lab than the latest version of Mac OS X 10.5 Leopard."

Incidentally, TidBITS is turning 19 this month—it is one of the very oldest Internet publications that has continued to operate that entire time. It remains a valuable resource for techies in the know. I can't even recall when I first subscribed, but I must have been a TidBITS reader for somewhere around 15 years myself.



09 April 2009


The terrorists you read, hear, and view

Buzz Bishop has a good point: if you measure the effectiveness of terrorism by the fear it generates and the behaviours it changes—the goals of terrorist organizations, after all—then the biggest terrorists are the news media. We humans, as usual, suck at evaluating risks, so TV, paper, and radio news often take advantage of us because of that.



07 March 2009


Links of interest (2009-03-07):

  • The first animals that people domesticated were wolves—we call them dogs now. Coincidentally, within an hour last night I read a Slate article and saw an episode of "Martin Clunes: A Man and His Dogs" on that very topic.
  • From Salon: "To this day when I walk into a grocery store and see a mom with her teenage daughters, I have to leave. Every time I just get tearful, I just can't be in the same room, even after all these years. It just kills me that I don't get that time back."
  • The Economist makes a compelling argument that all recreational drugs—yes, even hard drugs like heroin and cocaine—should be legalized (via Dan Savage). That's a pretty radical position, but the magazine posits it as the "least bad" option, after "the war on drugs has been a disaster, creating failed states in the developing world even as addiction has flourished in the rich world. By any sensible measure, this 100-year struggle has been illiberal, murderous and pointless."
  • Don't forget to put your clocks forward by an hour tonight for Daylight Saving Time, if you're in a part of the world that invokes it early Sunday morning.
  • Scanwiches are sandwiches, cut in half and imaged on a flatbed scanner—which I presume needs very frequent and thorough cleaning (via J-Walk).
  • New Homestar Runner meta-cartoon: 4 Gregs.



30 August 2008


Public service announcement: learn your own email address

None of the people I'm referring to will ever read this message, but I have to get it off my chest:

Please learn your own damn email address!

Over the past year, I've received numerous email messages from airlines, mailing lists, and even MySpace, sent to my Gmail address (I'm dkmiller over there, as I am here). While I've used Gmail as my main email interface since the beginning of 2006, that's not the address I give out to people—I either use my address here at penmachine.com or the forwarding address I've had at pobox.com since 1996.

However, there are a few people out there—a guy named Darren Miller, a gal named Debra Miller, and others (all in the U.S. so far), who seem to think their email addresses at Gmail are the same as mine. Thinking it's their own, they have entered my address into airline reservation systems, MySpace profiles, Volkswagen buyer registration websites, and various subscription forms. Which means I get emails intended for them.

If I were a bad person, I could do all sorts of nasty things to them because of their mistake—quite often I get a copy of their password in the first message, and if they're like many people, that password probably works at a whole bunch of different places. But instead I try to contact them (if I can get the info), or tell the places they registered about the problem, or (worst case, as at MySpace) simply cancel the registration so I stop getting the messages.

So, to everyone who does actually read my site here, when you're putting your email address into a website form, please make sure it's the correct email address. If you don't get a confirmation message from the site, be suspicious. If your private information is being sent to an incorrect email address, all sorts of things could happen. Thanks.



30 April 2008


Hey neighbour

From Salon: "More and more, the strict new [U.S.-Canada] border rules appear to be a huge cultural and economic mistake. As the United States walls itself off against illegal immigration and terrorism, the relationship between Americans and Canadians will be a casualty."



31 January 2008


The looking glass

Vancouver's Downtown Eastside is infamous worldwide. Even though it's home to thousands of people from all walks of life, most folks here and elsewhere know it for its poverty and widespread drug use.

When my mother was young, it was our city's main shopping and entertainment district. Her parents often visited for dinner and dancing. Even when I was a kid in the '70s, we went there all the time, to Woodward's, Army and Navy, Gastown, and elsewhere in the neighbourhood. Then, when Woodward's shut down in the early '90s, the area's gradual decline became an implosion.

But it's part of a much bigger picture. The Downtown Eastside is the symbol, but Greater Vancouver's poverty and addiction problems are widespread. There are hotspots of dealing in New Westminster, Surrey, and other places too. Beyond those, the consequences—illness and disease, property crime, street prostitution, violence, despair—are everywhere in my hometown, from the city centre to its most far-flung suburbs.

Yet this is still a delightful place, a wonderful one to live in, beautiful and clean and vibrant and diverse. How can that be?

I've never been an addict, nor poor, nor in danger from addiction or poverty, but I know people who have, some of them very close to me. When they are part of that world it is like they pass through the looking glass, into another realm, a parallel city that is here, beside the rest of us. Or inside, but largely divorced from the green transparent condo towers and the parks and the trendy shops and the well-maintained Vancouver Specials.

In that shadow city, people steal from friends and relatives for money to buy cocaine, booze, heroin, and meth. They and their associates get abused, beaten up, and threatened. They live in crappy apartments or basement suites or rooming houses or run-down hotels or on the street. Or in decent places they fear they could lose in an arbitrary moment. They hang out with gangsters, frequent places I'd rather not know about, flick lighters and burn lips, or tap needles and hunt for veins.

Those of us on the bright side of the glass encounter touches from the other side. Should we believe the rumours: are those 99-cent slices of pizza so cheap because the cheese is fenced by addicts stealing from supermarkets? Should we buy those steel screen doors because our houses have been burglarized and our CD collections stolen once too often? When we see that man or woman begging on the street, or sleeping in a wet mummy bag under the overpass, or standing in line on Welfare Wednesday, can we look them in the eye?

Closer to home, more bitterly, we see people we love, or want to keep loving, drift back and forth across the glass, sometimes healthy and engaged and employed, sometimes ill and disconnected and aimless. We can't tell which version is real, because they both are.

So Vancouver, like many other cities, is amazing and happy and prosperous, not just on the surface, but all the way through. Also all the way through are the other, hollow parts that might be hard to see, or simply hard to look at. The parts intertwine, they interlock, they form the social structure of our city. If you slip through the looking glass into the hollows, it can be hard to find the way back, even when the other side, and your old life, is right there.

I don't have a solution, or even an ending. Smarter people than me are working hard to try to figure things out. But maybe these things resist figuring, resist logic. We are all here, and there. We don't know which road, if any, leads out of the wood.



19 May 2007


Feeling safe vs. being safe

Via netdud, I read yet another highly sensible article from Bruce Schneier about how badly we as a society usually react to security threats. It's a strange contrast to, and yet also a perfect demonstration of, my post yesterday about the Air India bombing, where it seems that direct, credible, likely threats didn't receive the attention they deserved—while today we confiscate nail clippers and remove shoes at airport security in a way that is likely totally ineffective.

I've written repeatedly about this stuff over the years here on my blog: about how our African savannah brains are poorly equipped to deal with the risks we face in the modern world.

But in another essay, Schneier also makes the point that "security theatre," as he terms it, isn't always wasteful, because sometimes it makes our perception of our security more closely match the statistical reality. That is rare—most of the time it throws money away and skews our perceptions further from reality—but we do also have to take into account how safe we feel, as well as how safe we are.
