Archive for the ‘Security’ Category

Powerful Backup Scheme

I occasionally re-think my arrangement of automated backups. Recent reading about somebody else’s backup method inspired me to take better care of backups (yet again). I used to have 40 GB mirrors in 3 separate sites, which seemed beyond sufficient. Nevertheless, last Tuesday I bought a 300 GB external hard-drive. Unwrapped, connected to SuSE and voila! New drive appears on Desktop. Linux has become easier than ever before. Almost frustratingly easy as there is no challenge and rarely a need to install any software.

The only downside of this device is the noise level, which results from rotation at 7200 RPM inside a relatively small housing. This can become loud and persistent during overnight backups. Since the noise bothers me, I suppose I could rely on earplugs. The internal hard-drive on the actual box probably has greater noise levels than the new external unit. Usually, however, it is idle or asleep, so only noise from the fan is a true factor.

I never lethargically back up my hard-drives, but night-time appears to be a must for backups, owing to (to put negatively — due to) duration. Matters used to be worse if defragging hard-drives, back in the days when I had a Windows laptop in my apartment. It required some overnight maintenance jobs and fortunately no such issues exist with Linux. Backups, on the contrary, become larger and larger (thus taking longer to complete).

All in all, I have 300 vacant gigabytes to fill. But where will I ever find that much pr0n? I kid, I kid. [smile /]

Directory Listing as a Vulnerability?

WordPress 2.0 nightly
The WordPress dashboard, as secure as ever

WORDPRESS continues to be a secure and robust piece of Web-based software. Rumours, however, sometimes stand in its way. Below is one example among several, which have been ‘severe’ enough to trigger high-profile advisories. All the hoi polloi was, needless to mention, in vain.

It sometimes appears as though such rants are a desperate attempt to stir up a hornet’s nest. WordPress has become a prime target due to its popularity and existence as Web-based software, making it more exposed to the factor of traffic en masse. Google have become a target for rumours, the reasons being very similar.

Apart from minor wishlist items or bugs, such as one that I recently filed, there are more pressing issues that need resolving and require open clarifications from the community. More latterly, a concern was raised over the visibility of WordPress plug-ins to all site visitors. My opinion on the matter was phrased therein (see full thread for context).

Directory listing, which in turn exposes plug-in names, is never linked to. Thus, it will not be indexed by search engines and flawed plug-ins will not be easily discoverable.

You could trivially scan many blogs using a script in attempts to find vulnerabilities. PHP-Nuke, Advanced Guestbook and Coppermine are notorious in that respect.

All in all, getting a list of plug-ins may be a convenient way for learning the blog’s composition. If you target a particular vulnerability (due to third-party code), it gives the hacker no advantage. That, marke1, is why your argument and its ludicrous, overstated backing are void.

Vista Encryption and Back Doors

According to a recent article from the BBC, there was collaboration involving the British Government and Microsoft — collaboration over getting the back door to Windows Vista.

In jeopardy: people’s privacy, on their own workstation.

The controversy: encrypted filesystems made futile due to the ability of governments to penetrate them. Governments were said to be liaising with Microsoft, which could theoretically provide a ‘master key’. In turn, Microsoft denies any such claims.

Windows Vista won’t have a backdoor that could be used by police forces to get into encrypted files, Microsoft has stressed.

The Misjudged Security Model

BILL Gates comes from a dynasty of businessmen and politicians. Over the years he was trying to commercialise software and nowadays he monopolises it. So what gives?

Commercial software companies liquify no assets into cash. They merely sell binaries (not even code) and offer little or no direct customer support. Accruing profits in such a manner is just lush, but is it acceptable at all? Is the final product doing what ‘it says on the tin’? Often it is not the case. Microsoft will soon sell a product to fix yet another broken product of theirs, which is absurd. Rather than offer refunds and benefits, which somehow compensate for a broken operating system, more money is extracted from the customer.

The above leads to serious questioning. Such marketing tactics do not appeal to anyone but the obedient Microsoft programmer whose understanding of hacking is flawed and often nonexistent. That perhaps is why Windows fails to cope with that vital aspect which is security. That is why minor DDOS attacks pose a big threat to Windows servers, machines get hijacked and remote execution of code has become worryingly prevalent. Planting of programs and vandalism from afar is a face of evil that continues to take place. And yet, only few among us choose to blame the real culprit — Microsoft software.

Hackers, Insults and Error Logs

SEVERAL times in the past I whined about the state of the Internet. It is too susceptible to various faces of evil — something which is finally recognised at a higher level and is attributed to the way the Internet was initially conceived, engineered and set up. Blame it on Al Gore if you wish, for he is the one who “invented the Internet”.

My main domain continues to suffer from zombie attacks and brute-force hacking attempts, all of which are unsuccessful. Such attacks may seem like benign inconveniences when properly filtered, yet all such attempts contribute to ‘noise’. They also require a lot of work to circumvent and defeat.

If a Web page, let us say /foo/bar/, includes the word “guestbook” (especially in the page title), one may find errors in the site logs which resemble a particular pattern. These would be common sensitive addresses such as /foo/bar/addentry.php or /foo/bar//addentry.php, which indicate an attempt to spam en masse. The culprits are lazy spammers who scan a page (often a search results page) and run some scripts. The aim is to exploit widely-known vulnerabilities, which have been already patched in most cases. There are rarely open sores in Open Source, but large-scale spam continues to pose a risk and devours precious bandwidth.

As an example of spamming attempts, I find many requests that are similar to:

[Tue Jan 31 07:33:56 2006] [error] [client 69.31.80.114] File does not exist: /home/schestow/public_html/Weblog/archives/2005/07/addentry.php

These are, of course, automated attempts which are directed at pages containing the word “guestbook”. The attacks are thrown at many sites simultaneously, regardless of what software is actually used.
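
The log pattern described above can be pulled out of an error log mechanically. The following is an added example, not code from the original post: it parses lines in the format of the entry quoted above, treats the single- and double-slash variants as the same probe, and counts requests per client. Apart from the first sample line and the name addentry.php, the sample log lines, addresses and paths are constructed for illustration.

```python
import re
from collections import Counter
from posixpath import basename, normpath

# Apache error-log line in the format of the entry quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Script names that probes ask for. Only addentry.php comes from the post;
# extend the tuple with names seen in your own logs (assumption: one list per site).
PROBE_NAMES = ("addentry.php",)

# Constructed sample: the first line is the one from the post, the rest are
# made up for this example (documentation-range addresses, hypothetical paths).
SAMPLE_LOG = """\
[Tue Jan 31 07:33:56 2006] [error] [client 69.31.80.114] File does not exist: /home/schestow/public_html/Weblog/archives/2005/07/addentry.php
[Tue Jan 31 07:33:57 2006] [error] [client 69.31.80.114] File does not exist: /home/schestow/public_html/Weblog/archives/2005/07//addentry.php
[Tue Jan 31 07:40:02 2006] [error] [client 192.0.2.10] File does not exist: /home/schestow/public_html/favicon.ico
[Tue Jan 31 07:41:15 2006] [error] [client 198.51.100.7] File does not exist: /home/schestow/public_html/guestbook/ADDENTRY.PHP
[Tue Jan 31 07:42:00 2006] [notice] caught SIGTERM, shutting down
"""

def find_probes(log_text, probe_names=PROBE_NAMES):
    """Return (client_ip, normalised_path) for each missing-file error on a probe name."""
    wanted = {n.lower() for n in probe_names}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other log levels and message types are ignored
        path = normpath(m.group("path"))  # collapses the '//' variant
        if basename(path).lower() in wanted:
            hits.append((m.group("ip"), path))
    return hits

def probes_per_client(log_text, probe_names=PROBE_NAMES):
    """Count probe requests per client address, most active first."""
    return Counter(ip for ip, _ in find_probes(log_text, probe_names)).most_common()

if __name__ == "__main__":
    for ip, count in probes_per_client(SAMPLE_LOG):
        print(f"{ip}\t{count}")
```
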

In other circumstances, hacking attempts involve hijacking of a content management system or an entire Web site, which is worse than spam. These are attempts to deface, being the equivalent of a UseNet defamation or complete name mocking, crossposted for public humiliation (an example).

I used to very much worry about people’s ability to write self-derogatory blog comments, newsgroups posts, and mailing list messages ‘on behalf’ of somebody else. I saw it happening many times before. The least one can do is embrace PGP for signatures. No less. Not everyone can spot IP addresses and track them. People can nymshift without any restrictions.

If manners are the glue of on-line communities, what are the motives of such vandals? When has cracking (as opposed to “hacking”) become popular? The motives must be a boost to ego and clan vanity (or “klan” rather). Sometimes, Web sites are captured and then re-direct to steal ranks which are accredited by search engines.

What have I done on the matter? Not much so far, but I found a neat solution to the Windows zombies. Many common attempts to hack are being redirected to this page, to which I referred in this previous blog item. Errors and attempts to hack can be suppressed using re-directions on common URLs, which characterise vulnerable components or exploitation of scripts for mass-mailing or spam. All in all, after much work, Web malice has been lowered to a manageable level.

On the State of Platform Security

MANY items on security were published last night. Perhaps the most prominent among these was the mention of a possible Mac OSX vulnerability (more details here). On yet another front, a ‘bounty hunt’ for Windows critical flaws has begun. Last but not least, Red Hat further beef up Linux desktop security.

Linux appears to be the least notable victim of vulnerabilities, despite the prevalence of Linux (and UNIX derivatives or variants) servers. A survey confirms this while debunking Microsoft’s deceiving, self-funded campaigns, which try to convince people otherwise. With that in mind, Korea plans Linux city and Novell is preparing for the big Linux adoption wave.

Previous items on Windows security (or lack thereof):

On Mac security: the BBC article which begged for an outcry.

Technology commentator Bill Thompson is worried about the lack of herd immunity among his fellow Apple Mac users.

Firefox: the Secure Choice

Firefox in the dock

A recent study suggests that Mozilla Firefox is tremendously safer to use than the more prevalent Internet Explorer.

Internet Explorer users can be as much as 21 times more likely to end up with a spyware-infected PC than people who go online with Mozilla’s Firefox browser, academic researchers from Microsoft’s backyard said in a recently published paper.

In other news, the number of spyware per PC in Europe exceeds a dozen!!

Computer users whose machines have been hijacked by potentially dangerous software are being asked to add their tales of woe to an online campaign.

In Poland, 867 of every 1,000 domestic PCs have been infected by trojans, unsolicited programs that can allow remote users to control the machine.
