Why Does WordPress Insert Its Version Number into HEAD?

March 31, 2009

I just noticed from my other blog that uses the downloadable version of WordPress that it inserts the wordpress version number into the HEAD of the blog pages. Why does it do that? Leaking this information in this day and age only lets hackers know that a particular blog is vulnerable, if it hasn’t been updated yet.

It’s interesting that blogs on wordpress.com do not have the version number inserted into the HEAD. So why the hypocrisy?

Filed in WordPress, Security.


Importance of Sanitizing Your SQL Database Inputs (Humor)

September 17, 2008

After my experience with StupidCensorship’s hacked site, in a fit of curiosity about how sites are hacked, I came across this funny comic from XKCD. It shows how important it is that a program checks its raw input and escape quotes found in it before committing the data to the SQL database.

importance of santizing database inputs

The original Bob drop Tables joke can be found here. For non-SQL programmers: ‘drop table students’ means delete the ‘students’ database table.

Filed in Security, Humor.


Has StupidCensorship Been Hacked?

September 16, 2008

Has Stupid Censorship (WARNING: do not click), an anonymous proxy site, been hacked? When I visited it this morning and tried to get it to surf to another site, it redirected me to another form on another site: scarcup.com, which has a self-signed cert, and which asked me to re-submit the form from their site. Highly suspicious behavior. I didn’t dare proceed any further. I don’t want to risk opening my computer to viruses and spyware.

I then took a look at the WHOIS for the domain and found that, voila, scarcup.com uses a private registration, in contrast to stupidcensorship.com and peacefire.org. Also, thefreecountry’s anonymous proxy list, which was where I learned of the proxy before, seems to have delisted stupidcensorship.

So, have they been hacked? Or were they always like this?

There seems to be an awful number of hacked sites these days.

Filed in Security.


Drupal 6.4 and 5.10: Another Security and Bug Fix Release

August 15, 2008

What’s going on with Drupal these days? Are they trying to compete with WordPress for the greatest number of new releases within a short period award? Actually WordPress seems to have slowed down a bit lately, which is good, because I’m tired of having to update my other blog which uses my own WordPress install.

Anyway, Drupal 6.4 and 5.10 have been released. The announcement says that upgrading is strongly recommended, and that it fixes several critical security vulnerabilities as well as other bugs.

Those running 6.3 or 5.9 can just patch their installs with the 6.4 patch and the 5.9 patch. But the patch leaves your install in an unversioned state, a matter that I complained about before.

Filed in Web Design, Software, Security.


DNS Poisoning Fixes: Are Your Country’s ISPs Still Vulnerable?

August 8, 2008

Following my posts on DNS testers to make sure that your ISP is not vulnerable to the DNS poisoning problem that is now in the wild, Dan Kaminsky has a video of the progress of the DNS fixes around the world. It’s embedded below.

The red spots are unpatched, yellow are patched but with the NAT causing problems, and green are the fully patched areas with properly working DNS servers.

If you have not checked whether your ISP’s DNS servers are fully patched, see my previous posts on DNS-Oarc’s DNS tester and Dan Kaminsky‚Äôs DNS server checker.

Filed in Security, News.


PlaceboAV: The Free Antivirus that Makes You Feel Good

August 6, 2008

Doxdesk’s joke antivirus, PlaceboAV, is making its rounds in a number of forums lately. Here’s what the author says:

Today’s AV is a dead loss. But you can’t simply not install any, or everyone will complain. That’s where PlaceboAV comes in! It’s the fantasic anti-virus solution that’s super-fast and absolutely reliable… because it does nothing at all.

It works fabulously because it has zero impact on your system performance, displays an icon in the system tray, updates its definitions blindingly fast, doesn’t need an internet connection for updating, and is only 56 KB.

It’s good for a laugh, though I think some people in the forums think the writer is making a point about the ineffectiveness of the current state of antivirus technology. I personally think it’s just a joke.

Anyway, if you want a real antivirus, there are many real free antivirus programs around.

Filed in Humor, Security.


Drupal 5.9 Released: Security Fix

July 29, 2008

Drupal 5.9 has just been released to fix a security hole introduced in 5.8. Sounds serious.

Filed in Web Design, Security.