In On Neofeudalism and the Digital Manor, Cory Doctorow compares Apple, Microsoft and Google to warlords willing to defend your digital security… unless they’re compelled to turn on you by a government power, which, it turns out, happens quite a lot. A good reminder that all that sensitive information they’re collecting on you can and will… Continue reading Digital manors and warlords
Tag: security
Mitigating CVE-2018-6389 WordPress DoS attack with lighttpd
Early in 2018, Barak Tawily published a possible DoS attack for WordPress that basically works by requesting all possible scripts from /wp-admin/load-scripts.php, a script that fetches and concatenates JavaScript files; there’s also a load-styles.php file that does the same for styles. His vulnerability report was rejected by the WordPress team, on the account… Continue reading Mitigating CVE-2018-6389 WordPress DoS attack with lighttpd
Let’s talk about usernames
Usernames are a much, much harder problem than you might think at first glance… even if you can get away with a really simple and naive implementation on a prototype, a large, global and secure service must consider lots of not-so-obvious details and possible attack vectors.
Let’s talk about usernames deals with the problem of uniqueness, homograph attacks, confusables and other security concerns that you might need to consider.
Basic Authentication is often used as a simple security measure or as a temporary authentication method while developing against certain APIs.
While the WordPress HTTP API doesn’t have explicit support for basic authentication, it’s still possible to use it as a header:
// The WordPress HTTP API has no Basic Auth option, so the Authorization header is built by hand.
$request = wp_remote_post(
    $remote_api_endpoint,
    array(
        'body'    => array( 'foo' => 'bar' ),
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( $username . ':' . $password ),
        ),
    )
);
Remember that if you’re sending an unencrypted request, all the headers (including the base64-encoded credentials) are sent in plain text, so you should only use it over HTTPS.
What happens when shit happens
There’s a very entertaining and educational thread going on at Hacker News about data loss and disaster recovery, prompted by an actual, ongoing, massive system outage at Gliffy… I’m sure everyone has a similar story to share.
Backups are simple
… or they should be, anyway. I think that one of the more popular excuses around for not having backups is “I haven’t gotten to it”; usually because you don’t have the time to try that fantastic tutorial you found for encrypted-incremental-automatic-deduplicated-control-versioned-backups on Amazon S3. The thing is… it’s ok if you don’t have time… Continue reading Backups are simple
Comments on the Sony hack
“That we live in the world where we aren’t sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all.”
Bruce Schneier – Comments on the Sony hack
Check Sony got hacked hard: what we know and what we don’t know so far… Continue reading Comments on the Sony hack