
A Strange Passion for Security

I'm not a computer security expert, but it's been part of my work for many years, in different forms.  A very long time ago, a friend hired me to write up a primer for internet security, and ever since then it's been a theme that's sat in the background and pops up every now and then.

But lately, it's started to feel like more than a theme, but indeed a passion. You may consider computer and internet security to be a dry subject, or maybe you imagine feelings of smugness or righteousness, but "passion" is the right word for what I'm feeling. Here's Google's definition:

Passion:
1. a strong and barely controllable emotion.
2. the suffering and death of Jesus.

Okay, let's just go with number 1 for now.

If you followed my link above to other posts about security, you'll notice one from eight years ago where I mused on the possibility of the discovery of a flaw in how https works. Weirdly enough, a flaw in https was discovered shortly afterwards, though not the one I was musing about. But that's not what I'm feeling passionate about. It's not smugness.

My passion this week was triggered by reading this: GoDaddy Breached - Plaintext Passwords - 1.2M Affected

And perhaps it never went away after I posted this angry screed about Pegasus spyware.

And I think my feelings are getting amplified by the approach of Christmas and the consequent increase in fraud attempts; I'm getting multiple automated and in-person phone call fraud attempts every day, it seems. And that ties in nicely to the second definition of passion above.

So allow me to point out that the GoDaddy breach linked above is exactly what I was talking about in my long and rambling post about "managed services". Specifically, GoDaddy claims they are providing a "managed WordPress service", but instead of doing it in a secure way, they compromised a key security principle ("don't store passwords as plaintext") for the purposes of "usability" (so that WordPress site managers could see a copy of their password if they forgot it). Or rather, they did it to reduce their customer service costs. And now there are 1.2 million sites that are potentially usable for nefarious purposes (malware hosting, blackmail, cryptomining, spam, etc.).
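The principle the post refers to, shown as an added example that is not the author's or GoDaddy's code: store only a salted scrypt hash of each password, and meet the "I forgot my password" need with a single-use, expiring reset token rather than a readable copy. The in-memory store, function names and KDF parameters are illustrative assumptions.

```python
"""Added example (not from the blog post): hashed password storage plus a
reset-token flow, so a forgotten password never requires a plaintext copy.
The store layout and function names are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time

store = {}  # constructed in-memory user store: username -> record


def _hash(secret: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard KDF; parameters kept modest for a demo
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)


def register(user: str, password: str) -> None:
    # Only salt + hash are kept; the plaintext is never written anywhere,
    # so there is nothing a "show me my password" feature could display.
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": _hash(password, salt), "reset": None}


def verify(user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def issue_reset_token(user: str, ttl: int = 900) -> str:
    # The random token goes to the user out-of-band (e.g. by e-mail); only
    # its hash is stored, so a leaked store does not leak live tokens.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    store[user]["reset"] = (digest, time.time() + ttl)
    return token


def reset_password(user: str, token: str, new_password: str) -> bool:
    rec = store.get(user)
    if rec is None or rec["reset"] is None:
        return False
    digest, expires = rec["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if time.time() > expires or not hmac.compare_digest(presented, digest):
        return False
    rec["reset"] = None  # single use: a replayed token is rejected
    rec["salt"] = secrets.token_bytes(16)
    rec["hash"] = _hash(new_password, rec["salt"])
    return True
```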

But wait, it's worse. The data breach went unnoticed for two months. That means whoever got a hold of those passwords had two months to use as many of those sites as they wanted for those nefarious purposes. And if they were smart (in an evil kind of way), they probably installed some software "backdoors" on those sites, so that even now that the breach has been discovered, changing those passwords will not prevent the nefarious use. The only way to be certain to stop such abuse would be to reset those sites to scratch and rebuild them. And guess how many of those sites are going to want to do that, in the month before Christmas?

Oh yes, and GoDaddy described the security event as a "vulnerability", which suggests that there is a potential for a hack, but that it is not certain to have been actually used. Which is about as bald-faced a corporate lie as you can get.

Wait, and it's worse because GoDaddy bought up a bunch of other hosts that are using their system, so even if you're not using GoDaddy, you might be affected.

And that makes me really angry at GoDaddy and anyone who doesn't think large Internet near-monopolies are a dangerous thing. Which is still about most of the world. Tie in to definition number 2!
