Archive for the ‘Security’ Category

2012w34

Sunday, August 26th, 2012

Society

Note to self: Never give United Airlines any of my business.

Control, or lack thereof

Steve Wozniak sees trouble in the cloud (that makes two of us) and doesn’t think that the Internet should have gatekeepers or regulators.

This Hacker News thread contains a quote which perfectly sums up one aspect of what I feel is wrong with SaaS: “SaaS means you’re vulnerable to vendor change with every pageload.”

Privacy

Sociability’s value comes from privacy: an essay by Kyro Beshay, via Cory Doctorow.

It is a poor grade upon humanity that sites like this need even exist.

Olympics and corporate greed

The Olympic games this year really made capitalism show its ugliest sides:

Case in point: VISA. Did they really think that hassling non-VISA-card holders would make them any new friends?

Case in point: London Olympics committee. I am not completely unreasonable, I understand that if too many people set up their own wireless hot-spots in close proximity to the “sanctioned” hot-spots, and on the same frequencies, bad things will happen, but at the same time I can’t shake the feeling that they just wanted a monopoly on providing connectivity, and forcing people to pay through the nose for it.

Good intentions and the road to hell

I understand the benefit to first responders if we allowed a government-controlled “emergency switch” to open up wireless routers for mesh use in disaster areas (many people on Twitter recommended the inhabitants of Oslo do just that after the attack), but I see the very real potential for abuse by that same government, since it gets to define what is or isn’t an emergency and what is in people’s and society’s best interests, so I give this idea a “thumbs down” grade.

Drawing the wrong lessons from horrific events

Abuse of power

Case in point: VISA

DHS issuing take-down notices. No free speech for you!

Security

A tutorial about off-the-record messaging courtesy of monkeyiq

Although nowhere near ready for primetime, cryptosphere still looks like a really interesting project.

I am unsure as to whether Burner, the service which provides temporary phone numbers, will have a net positive or negative impact on society at large (if it has any impact at all). The concept is cool, and perhaps can be useful in certain settings, while it could probably be abused in others.

And I feel much the same way about Deadman. It could probably be awesome for hiking trips and the likes, for when you really don’t want to be disturbed, but if something were to happen it would be nice if emergency services knew roughly where to look.

Schneier on Security: $200 for a Fake Security System And as one commenter said: It’s all fun and games until your cat dies of exhaustion.

Development

The Best Programming Advice I Ever Got, a rather refreshing thought, it probably would be good to make ourselves a little less dependent on tools and have that grey matter exercise some more.

A jQuery extension called labelfor to associate labels with form input elements.

I’ve written before about this game, but I keep thinking about it and always forgetting what it’s called, so just a reminder to myself.
More than that, however, I’ve also started taking an interest in Ren’Py, the framework on which “don’t take it personally, babe, it just ain’t your story” is built.
I think that could be used in a plethora of ways, both for entertainment, but also education, if not both at once.

The shell

A blog post about steps to take to improve the performance of shell scripts. Really nice.

SSH

SSH forced commands pretty useful stuff.
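Since the post only links the topic, here is an added example of what forced commands are usually used for (my own illustration, not from the post or any linked page): the key can never run anything but a gatekeeper script, and the gatekeeper compares what the client actually asked for against a short, exact allowlist. The key, the script path and the allowed commands are placeholders.

```shell
#!/bin/sh
# Added example: an SSH forced-command gatekeeper (placeholder paths and key).
# In ~/.ssh/authorized_keys the key line is prefixed with options, so that this
# script runs regardless of what the client asked for, and no tty, port
# forwarding or agent forwarding is granted:
#
#   command="/usr/local/bin/backup-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@client
#
# sshd puts the command the client really requested in SSH_ORIGINAL_COMMAND.

# Compare the request with an exact allowlist. Prints the command to run and
# returns 0, or returns 1 for anything else. The case patterns are quoted,
# so there is no globbing and nothing in the request is re-parsed as shell.
gate_command() {
  case "$1" in
    'cat /srv/backup/latest.sha256') printf '%s\n' "$1"; return 0 ;;
    'df -h /srv/backup')             printf '%s\n' "$1"; return 0 ;;
    '')  printf 'refused: interactive shell\n' >&2; return 1 ;;
    *)   printf 'refused: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Entry point when sshd runs the script. The allowed strings above are fixed
# and contain no metacharacters, so splitting them into words is safe here.
run_gate() {
  cmd=$(gate_command "${SSH_ORIGINAL_COMMAND-}") || exit 1
  # shellcheck disable=SC2086
  exec $cmd
}

# Only dispatch inside an sshd session; sourcing the file elsewhere does nothing.
if [ -n "${SSH_CONNECTION-}" ]; then
  run_gate
fi
```

The point of the exact match is that `cat /srv/backup/latest.sha256; rm -rf /` and `cat /srv/backup/*` are both refused outright, instead of being handed to a shell that would happily interpret them.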

Sorting on multiple columns

A couple of weeks ago I needed to sort a bunch of lines, but I had concluded that it would be way too much work to transpose the columns in the file in a way that sort would magically work on.

Which meant I needed to dig into the flags sort supports. I was fairly certain that what I wanted could be done, I just had to find the way. man sort got old real quick, so I hit duckduckgo instead and found this post, which gave me everything I needed, in a nicely formatted way :)

I can’t remember the actual data I needed sorted, but his example of sorting IP addresses was what helped me, specifically -k 2,2n -k4,4n (i.e. numeric sort by column 2 first, then by column 4). The “2,2” part matters: a key of just -k2 would extend from column 2 to the end of the line, and the second key would never get a say.
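An added example of the same flags, not taken from the linked post. The sample rows are constructed, and the second function shows the generalisation to dotted-quad IPv4 addresses, where the trick is to make “.” the field separator and give each octet its own numeric key.

```shell
#!/bin/sh
# Added example: multi-key numeric sort with sort(1).
# Constructed sample input: "<host> <cpu-count> <name> <port>" per line.
sample_rows() {
  printf '%s\n' \
    'web1 8 nginx 443' \
    'db1 16 postgres 5432' \
    'web2 8 nginx 80' \
    'cache 2 redis 6379' \
    'web3 8 nginx 8080'
}

# Sort by column 2 numerically, then by column 4 numerically.
# -k2,2n restricts the first key to exactly field 2; without the ",2" the key
# would run to end of line and the second key would never be consulted.
sort_by_col2_then_col4() {
  sort -k2,2n -k4,4n
}

# Generalisation: dotted-quad IPv4 addresses, one numeric key per octet.
# A plain "sort" would put 10.0.0.200 before 10.0.0.3.
sort_ipv4() {
  sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample addresses.
sample_ips() {
  printf '%s\n' 10.0.0.200 10.0.0.3 192.168.1.10 10.0.10.1 192.168.1.9
}
```

Usage: sample_rows | sort_by_col2_then_col4, or sort_ipv4 < addresses.txt.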

Vim, autocmd and context-aware file headers

I don’t know when I picked it up, or from where (probably pesa’s Vim config), but for some time I’ve been using a filetype.vim file in the root of my .vim directory, the contents of which are a bunch of lines looking something like this:

au! BufRead,BufNewFile *.sh setfiletype sh
au! BufNewFile *.sh so ~/.vim/templates/sh_header

And this works like a charm: every new script I start writing gets a shebang automatically inserted at the beginning of the file.

I never thought about what else one could do with these autocommands though, until I stumbled over a reddit thread, which pointed me here.

If you look at step 2, you will see that the autocmds there do not only read a header into the new file, but also fill in dates etc.

That’s actually pretty sweet.

Data mirroring

Using duplicity as a stateful rsync

Git stuff

A whole bunch of (git) ignore-files for use in various projects

And yet another git feature I feel I really need to learn ;)

Misc

As this video will tell you it is pretty darn hard to understand the scales of stuff like planets. The video does however make a pretty good attempt at visualizing it.

In the past I have linked to a post which wasn’t all that impressed with the idea of hiding the concept of files from users, and here’s another post, this one not particularly impressed with hiding the concept of directories from users.
For my part, I consider this to be pure idiocy.

Depending on how well executed it ends up being (in my case, light weight has precedence) reditr could be enormously useful.

I have been eyeing dwb as a potential firefox replacement. We’ll see what happens.

Syntactic parses text and tries to build an “understanding” of words and how they fit together.

The Future is not Real-Time. Put that way, I too really hope it isn’t ;)

2012w29

Sunday, July 22nd, 2012
Copyright

So apparently just looking at a (web) article of a newspaper (or any web page containing copyrighted content) could mean you are infringing on that publisher’s copyright… do newspapers actually want to commit that kind of suicide?

I couldn’t decide whether to put this post under “Copyright” or “Censorship”, since it involves the MAFIAA using the DMCA to silence things… in this particular case, it would seem, their members’ own marketing campaigns… With friends like the MAFIAA, who needs enemies? :)

Patents

Portable electronic device, method, and graphical user interface for displaying electronic lists and documents: now, how could this not apply to every type of smartphone, pad, dumb-phone or, for that matter, laptop in existence? How can such a patent even be granted?

Censorship

Censored by copyright for protesting being censored by copyright, somehow I don’t think that this was how laws were intended to be used when humanity first came up with the concept of rule of law…

Who would have thought that filtering the net may affect more than the specific group targeted by the filter? That’s impossible right?

Surveillance

Facebook is being creepy as hell as usual.

Apparently, Microsoft’s SkyDrive comes with some strings attached

Society

The European Commission intends to make all research findings funded by Horizon 2020 open access. This is nice :)
Dunno if the EC or the UK was first, but the UK is thinking along the same lines.

On the other side of the spectrum, i.e. not so nice: if things really are as dire as President Obama would have people believe, wouldn’t the responsible thing to do be to secure the infrastructure the hell up, instead of passing laws which any would-be imaginary-or-real terrorist would ignore?

I mean, one of the most idiotic plots in “24” was that nuclear power plants could be remote controlled over the internet. Or in Die Hard 4, that with a couple of taps on a keyboard, the bad guy could redirect a whole bunch of gas to go to the same place at the same time, building pressure, making big badaboom…

Now, if the infrastructure in fact supports doing this, remotely, then those who put that in the specification, those who produced it, and those who installed it should all be found and tried for dangerously criminal negligence.

Of course, if the end game is to hollow out personal privacy and spy on your own citizens, then it would be better to nibble away at their rights through more new and ineffective laws, which can always be extended later when proven (through a real enemy, someone just being curious, or a false flag operation) not to work.

Justice Department sues telco for daring to challenge its secret demands for private information.

Activism

Targeting Shell with a fake PR campaign. I wonder how long it will be until lobbyists have bought an amendment to some law labeling this sort of activism as terrorism…

Join the Internet Defense League and make sure the internet never loses. Ever. Or, put another way, Rescue the lolcats from the evil clutches of the internet hate league!

Services

Blooie lets you chat online with people who like what you like. I am just a tad bit sceptical about this one…

On the one hand, getting in touch with people who like what I like, Free Software, programming, vim, etc. etc. Great! Buuuuut, how is this not willfully and intentionally putting yourself inside a filter bubble, only exposing yourself to the types of opinions you yourself already hold? If two people say the same thing, isn’t one of them redundant? I remain a little unconvinced.

Command line

At work this week I needed to get a file from server1 to server3, and the only connection between the two was through an intermediary server, server2. Oh yeah, the only way to communicate between the servers was ssh. Sure, a three-step approach was possible (scp file server2: ; ssh server2; scp file server3: ) but the file on server1 could get updated at times, which would mean yet another upload, so a simpler process was needed: a shell script with something along the lines of this:

# $file is expanded locally and then parsed again by the shells on server2 and
# server3, so it must not contain spaces or shell metacharacters
cat "$file" | ssh user@server2 "ssh user@server3 \"cat > $file\""

Thanks go to pesa for coming up with the solution.
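Because the file name in that one-liner is parsed once locally, once by the shell on server2 and once more on server3, a name with a space or a $(...) in it does surprising things on the intermediary. Here is an added variant (my own, not pesa’s) that quotes the name once per hop so each remote shell sees a single literal word, plus the ProxyJump form that needs no nesting at all. user@server2 and user@server3 are placeholders.

```shell
#!/bin/sh
# Added example: relay a file through server2 to server3 without letting either
# remote shell re-parse the file name. Host names and user are placeholders.

# Single-quote a string for a remote POSIX shell; an embedded ' becomes '\''.
# The remote side then sees exactly one literal word, whatever the input holds.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command server2 runs. The inner "cat > file" is quoted once for
# server3's shell, then the whole inner ssh command is quoted again for
# server2's shell, so the name survives both hops untouched.
build_relay_command() {
  inner="cat > $(shell_quote "$1")"
  printf 'ssh user@server3 %s' "$(shell_quote "$inner")"
}

# The original pattern, made safe: local cat feeds the pipe, server2 relays.
relay_copy() {
  cat "$1" | ssh user@server2 "$(build_relay_command "$1")"
}

# Same thing with a single hop to quote for (OpenSSH 7.3 or newer): -J makes
# the local client tunnel to server3 through server2, so only server3's shell
# ever parses the command.
relay_copy_jump() {
  cat "$1" | ssh -J user@server2 user@server3 "cat > $(shell_quote "$1")"
}
```

Usage: relay_copy 'quarterly report.csv' (or relay_copy_jump with the same argument). The quoting helper is the part worth keeping around; it is the same thing you need whenever a locally built string is handed to a remote shell.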

Programs

TMSU is a program which allows you to tag your files, and then perform queries on the tags, filtering out all files not tagged according to the queried constraints. Neat!

ownCloud is getting more interesting with every passing day.

I never really thought about the fact that you could do lots of things with locate, such as adding flags, or configuring directories or files to disregard.

I found an expect-like utility named empty. Funnily enough, I found it by checking out the examples of the Zenity fork Yad.

Cuttlefish: Execute actions when specific events are triggered.

I am also currently trying out this vim statusline.

Through this question I learnt about fold.

Development

Really nice ELI5 article about how flood fill works, using Zombies and Cats, and Python.

Reading this post and seeing the example resume I agree that what catmoon ponders about would be pretty cool.

Of course, the program should know what skills I have, and only select the relevant out of that set, based on the skills extracted from the job listings. At least that’s how I’d design it, as there is no good reason to lie about what you know and don’t know.

And now I finally grasp how to create quines!

When you screw up and commit sensitive data to a git repository, this seems like a rather good way to handle it. Bear in mind that rewriting history only scrubs your copy and whatever you force-push; anyone who already cloned or fetched the repository still has the old commits.
Oh, and of course, if that sensitive data was a password, CONSIDER THE PASSWORD COMPROMISED AND CHANGE IT!

I had heard about the “Rosetta Code” before, but never got around to checking it out until this weekend, which is when I found this rather intriguing piece of Perl code.

I have to admit to being rather impressed by what one can do with html/css/javascript and some javascript libraries these days.

And although very cool, I still have yet to find a personal use for PhantomJS :/

Text books used in education should be written like this.

Other news

RasPies can now be ordered in bulk.

Here’s to the misfits.

Dunno what it’s good for, but it is pretty.

Stochastic, nerdtastic restaurant bill splitting.

Astronomy Picture of the Day has a pretty sweet image this week.

:wq

2012w14

Sunday, April 8th, 2012

Not a whole lot to say this week, it has mostly been work, sleep, work, sleep, … well you get the picture.

Some noteworthy things however:

Just how, in their infinite wisdom, does the EU expect to test the security of their own servers and services if they are going to outlaw so-called “cyber-attack tools”. For that matter, how do they propose ANY manufacturer of ANY type of digital system perform ANY type of actual security testing worth a damn?

Social AND Private? Well… not quite yet, but if they get the p2p and encryption stuff working, then we’re in business :)

ENCRYPT ALL THE THINGS! ;)

And it wouldn’t be one of my hallmark blagposts if it didn’t have some random links which may or may not be of any value, now would it?

Dunno just what it might be useful for, but creating 3D graphics procedurally using Lua, like with Fugu seems like just the right approach for me. If I were to do 3D models that is.

Now this promises to be an interesting game.

And a rather interesting programming language.

:wq

2012w08

Sunday, February 26th, 2012

Hacks

A capture the flag game where the objective is to break into a computer system.

Commandline

I found myself needing to remove a couple (three) columns from a file containing about 15 columns per line. And sure, I could have done something like awk '{ print $1 " " $2 " " $3 " " }' for the 12 columns I wanted, but that would have been tedious.

There just had to be a better way. And of course there was ;)
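Since the better way is only linked, here is an added example of my own (not the solution the post points to): an awk one-liner wrapped in a function that takes the list of columns to drop, so you name the three you don’t want instead of the twelve you do. The sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example: drop or keep columns of whitespace-separated lines by number.

# $1 is a comma-separated list of 1-based field numbers to drop; input on
# stdin. Fields are re-joined with a single space, which also normalises
# runs of whitespace in the input.
drop_columns() {
  awk -v drop="$1" '
    BEGIN { n = split(drop, list, ","); for (i = 1; i <= n; i++) skip[list[i]] = 1 }
    {
      out = ""
      for (i = 1; i <= NF; i++)
        if (!(i in skip)) out = out (out == "" ? "" : " ") $i
      print out
    }'
}

# The inverse: keep only the listed fields, in the order given.
keep_columns() {
  awk -v keep="$1" '
    BEGIN { n = split(keep, list, ",") }
    {
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? " " : "") $(list[i])
      print out
    }'
}

# GNU cut has a shortcut for single-character separators:
#   cut -d ' ' --complement -f 3,7,11
# but it does not collapse repeated separators the way awk does.
```

Usage: drop_columns 3,7,11 < data.txt, or keep_columns 5,1 < data.txt to reorder while you are at it.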

* * * * * *

I’ve been entertaining an idea which would need version controlled updates, and they’d also need to be trusted. So I’d need signed commits, and since I’m mostly using git nowadays, I needed to find out if this was possible. It is.
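Signing is the easy half; the part that makes updates trustworthy is refusing to apply anything that doesn’t verify. Here is an added example of that side (mine, not from the post or the linked page). It relies on git’s %G? placeholder, which prints one status letter per commit; the remote name and branch are placeholders.

```shell
#!/bin/sh
# Added example: only fast-forward to new commits when every one of them
# carries a good signature from a trusted key. "origin" and "main" are
# placeholders.
#
# On the committing side:
#   git config --global user.signingkey <keyid>
#   git config --global commit.gpgsign true     # sign every commit
#
# On the verifying side, git log --pretty='%G? %H' prints one status letter
# per commit: G good, U good but key not trusted, B bad, N no signature,
# E cannot check (key missing), R revoked, X/Y expired.

# Read "<status> <hash>" lines on stdin and print the hashes that are not
# signed with a good, trusted key. Returns 0 only when nothing was printed.
untrusted_commits() {
  awk '$1 != "G" { print $2; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Live usage (not run by the test): fetch, verify the new range, then merge.
verify_and_update() {
  git fetch origin || return 1
  if git log --pretty='%G? %H' HEAD..origin/main | untrusted_commits >&2; then
    git merge --ff-only origin/main
  else
    echo 'refusing update: unsigned or untrusted commits listed above' >&2
    return 1
  fi
}
```

Note that U (valid signature, unknown key) is deliberately treated as a failure: a signature only says something if you have decided whose key you trust.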

* * * * * *

Since starting my new job I’ve realized just how important it can be to write portable scripts (especially echo has bitten me in the ass a couple of times already) so this post was pretty useful to me.

Society

Now this was a pretty inspiring post.

* * * * * *

A pretty funny post about how truly sorry a state the TV is in.

2012w02

Sunday, January 15th, 2012

Update: Corrected link, thanks Ulf

This has been quite the busy week. Oodles and oodles of stuff happening, both nice and… less nice.

UEFI + SecureBoot

Microsoft up to no good again. Basically, on non-ARM systems Microsoft requires that a user can disable SecureBoot, but not on ARM systems (i.e. smartphones, tablets, and the upcoming ultrabooks). Anyone surprised?

Music Production

While I have no real interest in producing music myself—code and, to some extent, graphics have always come easier to me—I do have an interest in seeing tools like this come to GNU+Linux as well, since it means that’s one less category of creators not having the alternative to be creative in a free software environment :)

sshuttle

This project seems pretty cool. I haven’t tried it out yet, and the thing about uploading code to the server is something I’ll definitely look into before actually considering executing it, but all in all this looks like a pretty easy SSH tunneling/VPN-mimicking proxy thingy solution which could be useful at times.

Especially if it means I can sit at an internet café or some such and have all my traffic routed over SSH through my server at home, not having to worry about someone in that café sniffing it. That should include DNS: sshuttle has a --dns flag for sending name lookups through the tunnel too, otherwise those still leave the café in the clear.

tmux

I installed a local copy of tmux at work, and so far it has been a complement rather than a detriment to the way I work.

The one thing I wasn’t pleased with at first, but which was trivially easy to fix once I read a blog post (also, don’t miss the second post), was that I wanted 11 shells all stacked on top of / below each other, with an even size (i.e. each should take up 1/11th of the tmux window height).

When splitting the window to make room for another shell, it just divides the current shell’s height by two, and makes one half the new shell and the other half the old shell. For powers of two I suppose this would work out fine, but with 11 shells?

So I went about it, and the tenth and eleventh shells were small.
But there are different preconfigured layouts, and you loop through them by repeatedly hitting the prefix (I’ve mapped this to C-a) and space. One of those layouts, even-vertical (which you can also pick directly with select-layout even-vertical), proved to be just what I wanted :)

Raspberry Pi

Now this is a pretty cool project! For the condensed summary, read the wikipedia page. It is making the dream of a $100 computer a reality, and there are some pretty cool ideas already about how to put it to good use.

SOPA

Reddit doesn’t like SOPA, and Tim O’Reilly isn’t all that pleased either.

If you’re an Android user, and you don’t like SOPA either, there is an app for letting you know (by scanning barcodes) if a product is made by a pro-SOPA company so you can avoid supporting them.

There have been some advances, which means that making a fuss about it can pay off. Of course, it would be better to scrap those bills completely.

So, 2012-01-18 is still SOPA Blackout day and a whole lot of sites are participating, and you could join in as well (and if you want to join in, please be smart about it and host the javascript your own damn self so that the hosting server doesn’t go down… (which also means, get that javascript now, and not on tuesday evening when everyone else is going to try to get it))

Links

  • Privacy in social networks — not sure I understand how it is done, not sure that this implementation is optimal, but nice idea nonetheless
  • I read a post the other day, and the author of that post, while being in the right, just came off … I don’t know, but his post was a rant, and not the passionate kind, but the whiney kind, so I won’t be linking to his post, I have no wish to drive traffic to him. However, another person, with reasoning and values more aligned to my own, wrote a reaction post to his, which I feel was more constructive, and nicer, so here is the link to that post
  • Unfair advantages grow from irrational habits
  • Rikard tipped me off to a thoughtful TED talk video, which I liked a lot, and through the speaker’s website I found, among others, this game—EVOKE—which seems to be pretty cool
  • I had the idea of building an image gallery a while ago, so when I came across this link I was a little interested in seeing how they’d approached it, but what I really took away from this site, is how much I liked their rather user-friendly step-by-step manual for getting it up and running
  • I wonder what he will create? :)
  • I don’t know if it’s just me, but non-flashy, low-requirements games make me all warm and fuzzy inside
  • I seem to recall that I wasn’t all that impressed with the unhosted project some time ago. This post (specifically the verification section) is exactly why I hesitate

WordPress security revisited

Wednesday, December 23rd, 2009

Yesterday I decided to attempt setting up a local Etherpad of my own, for use within the network/family. That meant upgrading my local server from Ubuntu Hardy to Karmic (well, I could’ve added the Karmic repositories to my installation, but a re-install was due anyway so…). I got Etherpad up and running locally (i.e. as long as I connect to it through elinks and 127.0.0.1:9000) but that doesn’t really help me as I want it available throughout the entire network. I will have to tinker more with that later.

There were, however, other services to get back online as well, such as WordPress. And it just so happens that while I was installing and tinkering with it, I happened to notice that there have appeared some rather cool (security-wise) plugins:

Antivirus

The antivirus plugin simply scans your current theme for malicious code, such as base64-encoded payloads, which apparently have been added to freely downloadable themes from various sites around the net.

I use the default theme, so I don’t really worry about the source for this theme ;) but that just assures me that the theme is clean from the beginning. A security weakness could change that in a matter of seconds.

Invalidate logged out cookies

I don’t imagine I will get much use of this plugin as I normally only log on through my own computer, but should I find myself sitting in an internet café logging on, it is comforting to know that I won’t have to remember to physically destroy the auth-cookie which WordPress sets up on login.

Limit login attempts

This is a so-called “speed bump”. This won’t create perfect security (there isn’t such a thing anyway), but it will slow an attacker down substantially, to the point where s/he gives up and goes after some other poor sap with more pathetic defenses.

It is a rather simple concept really: If the blog receives more than A erroneous login attempts in a row, ignore any further attempts from that IP for B minutes. If there are more than C * A attempts in a row, ignore any further attempts from that IP for D minutes/hours/days (where A, B, C and D are all fully configurable integers)

One time passwords

I will have to ask my webhost if they plan on upgrading to PHP5 any time soon, because this plugin requires it. What it does is create a number of disposable (one-time) passwords, which can be used instead of your regular password (which would be awesome to use at, for instance, an internet café: a keylogger or other eavesdropper only ever sees a password that is already spent). It protects the password and nothing else, though; on a machine you don’t control, whatever is running there can still ride along inside the session you just opened.

Safer cookies

The original WordPress auth cookie implementation just checks that there is an authentication token in the cookie which corresponds to an identical token in the database, which means anyone who captures the cookie in transit can replay it. Safer cookies adds your IP address to the mix (well, hash, I suppose) and thus makes it a bit harder for session hijacking to take place. A bit harder, not impossible: someone sniffing in the same café usually sits behind the same NAT address as you do.

Secure WordPress

I have to admit, this is my favorite of them all. It disables the information leakage at the login form (such as “sorry, the password is incorrect”); an attacker, upon seeing that message, immediately thinks “ah, so the username was correct”.

Furthermore, it removes the WordPress version from the html-source, which makes it harder for automated tools to know what attacks to apply.

(These are incidentally the exact things I have been doing manually after every update, and hated every second of it, since I don’t find mucking about in WordPress’ internals all that thrilling)
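A quick way to confirm that the version really is gone, as an added example of mine and not part of any of the plugins: save a copy of your own front page and run it through the two checks below. The meta generator tag is what the plugin strips; WordPress also tacks ?ver=<version> onto the scripts and stylesheets it enqueues, which is worth looking at separately (some of those strings belong to the bundled libraries and the theme rather than to WordPress itself). The sample HTML in the test is constructed, and blog.example.org is a placeholder.

```shell
#!/bin/sh
# Added example: look for WordPress version leaks in a saved page. Usage:
#   curl -s https://blog.example.org/ | wp_leak_report
# (blog.example.org is a placeholder)

# The generator tag the plugin removes: prints the version, or nothing.
# Matches the attribute order WordPress itself emits.
wp_generator_version() {
  sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p'
}

# ?ver=<version> query strings on enqueued assets; prints each distinct one.
wp_asset_versions() {
  grep -o '?ver=[0-9][0-9.]*' | sed 's/^?ver=//' | sort -u
}

# Summarise both checks on the page read from stdin; returns 1 if anything
# leaked, 0 if the page is clean.
wp_leak_report() {
  page=$(cat)
  gen=$(printf '%s\n' "$page" | wp_generator_version)
  assets=$(printf '%s\n' "$page" | wp_asset_versions)
  [ -n "$gen" ] && echo "generator tag leaks WordPress $gen"
  [ -n "$assets" ] && echo "asset ?ver= strings: $(printf '%s' "$assets" | tr '\n' ' ')"
  [ -z "$gen$assets" ]
}
```

The exit status makes it usable from cron after each update: a non-zero result means something crept back in.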

WordPress firewall

This one blocks a whole lot of badness which otherwise could be inserted through what the plugin calls “application parameters”; examples include blocking directory traversal (../../etc/passwd) and SQL queries. Like any pattern blacklist in front of an application it catches the obvious and will miss an encoded or slightly rephrased variant, so it is a layer on top of keeping WordPress and its plugins patched, not a substitute.

The only thing left for me to do now is to continue to hack away at the Etherpad installation and wish you all a Merry Christmas :)

Update: Although good in theory, I all of a sudden started experiencing problems with the Invalidate logged out cookies plugin. The sort of problems which meant that I was being redirected to the login page after a successful login… And since the plugin logs me out upon activation, I can only assume that there is some interference between that plugin and some other plugin. It is entirely possible that there is some configuration which could be done to get it all working, but since I get logged out on activation I can’t check that, and it isn’t all that important to me, I just chose to disable it instead. #HolidayLazinessFTW

Forkbombs

Tuesday, March 3rd, 2009

I’ve been going through my bookmarks and trying to organize them (that stumbleupon fed the firefox bookmarks every time I upvoted something hasn’t helped), and among the bookmarks I found this little gem, about how you can thwart forkbombs before they are able to do any serious damage.

In /etc/security/ there is a file called limits.conf, which can be made to control a whole host of different settings. With the hardware of today I find a hard kill limit of 150 processes to be on the cheap side (on the other hand, executing ps aux | wc -l on my system reveals that right now 117 processes are running, 32 of which are owned by “me”, 71 by root and 16 by various other system users (cupsys, ntp, mysql etc.)).

On a side note, I love pipes and grep.

$ ps aux | grep root | wc -l
71
$ ps aux | grep patrik | wc -l
32
$ ps aux | grep -v patrik | grep -v root | wc -l
16

It might not be necessary to allow more than 150 processes, but on the other hand I would find it irritating to hit this limit (although hitting it would probably indicate that I have too much crap running at the same time), and the real use for this limit on a single-user system would most likely be to ward off the effects of unwittingly doing something stupid (executing a forkbomb is stupid), so one can probably afford to raise it a bit higher, to 200-300 processes.
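Two things worth having next to that tip, as an added example of my own rather than something from the linked post: the limits.conf lines themselves, and a per-user count that uses ps’s user column instead of grepping the whole ps aux line (which also matches the grep process and any command line that happens to contain “root”, and throws the arithmetic off). The user names in the test are constructed; patrik is the user the limit is set for.

```shell
#!/bin/sh
# Added example: a per-user nproc cap and a check against it.
# The limit goes in /etc/security/limits.conf; pam_limits applies it when a
# new session starts, so shells that are already open keep their old value:
#
#   patrik  soft  nproc  200
#   patrik  hard  nproc  300
#
# In a running shell, `ulimit -u` shows the value that shell actually has.

# Read one user name per line (as `ps -eo user=` prints, one per process)
# on stdin and print "<count> <user>", largest first. Counting the user
# column avoids matching the grep itself or "root" inside a command line.
per_user_counts() {
  sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Read per_user_counts output on stdin; print the users above $1 processes.
over_threshold() {
  awk -v limit="$1" '$1 > limit { print $2 }'
}

# Live check (not run by the test): warn when any user is at more than
# 80% of the current session's process limit.
check_live() {
  limit=$(ulimit -u)
  case $limit in
    unlimited) echo "no nproc limit in this session"; return 0 ;;
  esac
  ps -eo user= | per_user_counts | over_threshold $((limit * 8 / 10))
}
```

Usage: ps -eo user= | per_user_counts for the table, check_live for the warning.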

UPDATE:

After having forwarded tuss’ brilliant idea of having hesa incorporate this little tip in his C class (preferably before teaching about the fork(); function), hesa shot it down *mumble*platform specific solution*mumble*. This is of course true, and should serve as just another good reason to switch from Windows ;D

In any case, it got me thinking. Ubuntu, which inherits from Debian, seems to be identical in the important things: /etc/security/limits.conf does indeed exist in Debian as well. And in Red Hat, so presumably in Fedora as well.

Slackware, however, seems to store this data in the file “limits” directly under /etc/ (i.e. /etc/limits). It is by no means an exhaustive search, but Googling for “[your_favorite_distro]” and “limits.conf” or “limits” or “limiting processes” should hopefully reward you.

UPDATE2:

I spell like a douche…

Disposable email services

Wednesday, February 18th, 2009

I came across another one of these “disposable email services” (DES) yesterday. It had a pretty slick interface, and the front page had all the right texts (like “sticking it to the spamMAN” etc.). It all seems very good, except for one thing: they don’t tell you when NOT to use their service.

That is also an interesting thing, a “service”. They are providing a functionality, for free. So how exactly are they making money? I didn’t see any ads on that particular site, so just how do they finance it? I wonder…

But returning to my original thought, they entice users with slogans, trying to come off as “one of the people”… “Sticking it to the MAN”… yeah…

The problem with these things is that sometimes people don’t think things through. “I want to sign up for this site XYZ, but what if it turns out that they will spam my inbox? I know, disposable email services!!!” Here’s the thing. You sign up for this service, they send an activation email, you respond to it, and now you have your new account at XYZ. If XYZ sends you spam, you won’t notice, because the DES eats the spam. However, your account now has a DES email bound to it (you can’t change it, since then the threat of spam to your inbox surfaces) and that is bad. Really bad.

Playing the red team

Let’s for a second pretend that you are a person of lesser moral quality. And you wish to get hold of various user data (maybe even birth dates and credit card numbers). So you set up “disposable email service” and people start using it. On the front page you make sure to identify with the users (we all hate spam) and you solemnly swear that the email account will be disabled after 24 hours*.

*This particular site had a different system: you didn’t sign up for an account, you just entered [anything]@DES.example.org as the email address on site XYZ, and then on DES.example.org entered [anything]@DES.example.org, which presented you with an inbox. (I tried entering asdf@DES.example.org and was rewarded with no less than 18 mails in that inbox, which means that not only are users possibly being defrauded by DES.example.org, but all that stuff is also publicly visible to everyone else as well.)

However, being of lesser moral quality, you betray the users, you scan every email which has arrived to see which are spam (of course you also hate spam but hey, what’s a guy gonna do, right?) and which are activation emails. You let the users activate their accounts, and you wait a day or two (of course after 24 hours you pull the emails down, making them seem removed, as promised, while in reality they are still safe and sound on your server) you have a script go to site XYZ, find the “reset password” feature, and activate it. Boom!

A new mail arrives containing a notice that the password has been reset and a link to go to the site and change it. You go to the site, you change the password, and while you’re at it you jot down any user information.

The solution

I’m not saying that I know of any DES which does this (which is also why I am not printing the address of the site I was forwarded yesterday, no slander charges for me, thank you), all I’m saying is that there is indeed a time and a place for DES, but people usually don’t stop long enough to consider if it is wise to use a DES for all their needs. For sites which offer “free content” but demand that you sign up (if they don’t do this to harvest emails to sell to spammers, I don’t know why they continue this idiocy) a DES is excellent. For any service where you will want to insert your own personal information… well, of course, if you are worried about a site spamming up your inbox you shouldn’t put your personal information there to begin with, but DES is not the way to go.

But then what? What if you’re unsure about whether XYZ will sell your email, but still want to sign up and still want to use personal information, then what?

Simple. Create a second email account. One which you don’t really care about, but which you have ultimate control over. If you notice a significant increase in spam after signing up for a new service, you keep that service to that “throw-away” email account. On the other hand, if there is no activity after having signed up, you could change the email in that account on XYZ to point to your real email. Easy.

WordPress security continued

Wednesday, January 28th, 2009

Of course, not two seconds after publishing my previous post, while talking about it with a friend, he realized that it is not only the WordPress log-in form which has clear security implications (as in revealing which of the two pieces of login data was erroneous), but that WordPress could potentially leak information through the lost password retrieval / reset feature as well.

Don’t get me wrong, I love WordPress, but I am beginning to suspect that the immense popularity it has attracted is due to its ease of use, and ease of use and security have never been known to go hand in hand. And indeed WordPress, with all the security “flaws” one can find in it, seems to have chosen ease of use over security.

It was, however, rather easy to fix this too, although it meant diving head first into some PHP code. The affected lines of code which we wish to disable are inside a switch statement far down in wp-login.php.

It ended up looking like this:

case 'lostpassword' :
case 'retrievepassword' :
        $redirect_to = 'wp-login.php';
        wp_safe_redirect($redirect_to);
        exit();
break;

case 'resetpass' :
case 'rp' :
        wp_redirect('wp-login.php');
        exit();
break;

case 'register' :
        wp_redirect('wp-login.php?registration=disabled');
        exit();
break;

Not everyone can use this approach of course, since your blog might wish to let users retrieve their password, or to register, or whatever, but for this blog, with me as the sole author, it works quite nicely.

WordPress security

Tuesday, January 27th, 2009

I subscribe to Smashing Magazine, and just finished reading this article. Most of their articles do not appeal to me (mostly because I have no Photoshop skills, and don’t work with Photoshop at all) but there is the odd piece of gold there even for me.

Today it was in the form of a summary of things you can do to harden your WordPress installation. Sometimes though, funny little discrepancies sneak through. For instance, if you follow tip #8 (Suppress error feedback on the log-in page) your installation won’t leak whether it was the username or the password which was erroneous. It does, however, leave an ugly red field (in which said error feedback used to live).

Then along comes tip #9 (Restrict erroneous log-in attempts) and suggests two plug-ins to thwart brute-force login attempts, like Limit Login Attempts. It actually overrides the default WordPress error feedback, instead reporting something about “username or password” being wrong.

These types of solutions usually come with a real drawback, namely that if you try to access an account too many times, the account is locked and unusable. Which allows a malicious person to deny the author access to the blog.

I just tested this plugin, which seems to base the restriction on IP address instead of actually locking the account. While this makes it possible for an attacker to simply switch IP and continue the attack, the purpose of this kind of security measure is of course not to make an attack impossible, just infeasible, in the same way that a speed bump doesn’t make it impossible to drive down a street at high speed, but it can make it really uncomfortable.