Blog

  • WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I were going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

    1. Upgrade to the newest version of WordPress

    I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

    You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.

    2. Upgrade all your themes and plugins to their newest versions

    In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

    You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.
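Steps 1 and 2 both come down to one question: what version is actually running, and is it behind the current release? The following Python script is an added example, not code from the original post or from WordPress itself. It applies the same fingerprinting an attacker’s scanner would, but to pages you have already fetched from your own site: the `generator` meta tag on the home page, the `Version` line WordPress ships in `readme.html`, and the `Stable tag` header in a plugin’s `readme.txt`. The sample HTML, the plugin slug `example-plugin` and the “latest” version numbers are constructed for the example; fetching the pages and looking up the current releases is left to the caller.

```python
import re

# Constructed sample pages for the example (not from the original post or a real site).
SAMPLE_HOME = """<html><head>
<meta name="generator" content="WordPress 3.1.4" />
<title>Example blog</title></head><body></body></html>"""

# Assumed layout of the readme.html that ships in the WordPress document root.
SAMPLE_README = """<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />
<br /> Version 3.1.4</h1>"""

# Assumed layout of a plugin's readme.txt (the "Stable tag:" header).
SAMPLE_PLUGIN_README = """=== Example Plugin ===
Contributors: someone
Stable tag: 1.4.2
Requires at least: 3.0
"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
README_RE = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)
STABLE_TAG_RE = re.compile(r'^Stable tag:\s*([\d.]+)\s*$', re.I | re.M)


def wordpress_version(home_html):
    """Version from the generator meta tag, or None if the tag was removed."""
    m = GENERATOR_RE.search(home_html)
    return m.group(1) if m else None


def readme_version(readme_html):
    """Version from readme.html; a scanner tries this when the meta tag is missing."""
    m = README_RE.search(readme_html)
    return m.group(1) if m else None


def plugin_stable_tag(readme_txt):
    """Plugin version from its readme.txt; None for 'trunk' or a missing header."""
    m = STABLE_TAG_RE.search(readme_txt)
    return m.group(1) if m else None


def parse_version(s):
    # "3.2" < "3.2.1" compares correctly as tuples: (3, 2) < (3, 2, 1).
    return tuple(int(part) for part in s.split("."))


def is_outdated(installed, latest):
    return parse_version(installed) < parse_version(latest)


def audit(home_html, readme_html, plugin_readmes, latest_core, latest_plugins):
    """
    Return [(component, installed, latest), ...] for every component that is
    behind the release number the caller supplies as current.
    """
    findings = []
    core = wordpress_version(home_html) or readme_version(readme_html)
    if core and is_outdated(core, latest_core):
        findings.append(("wordpress", core, latest_core))
    for slug, txt in plugin_readmes.items():
        installed = plugin_stable_tag(txt)
        latest = latest_plugins.get(slug)
        if installed and latest and is_outdated(installed, latest):
            findings.append((slug, installed, latest))
    return findings


if __name__ == "__main__":
    for component, installed, latest in audit(
        SAMPLE_HOME, SAMPLE_README, {"example-plugin": SAMPLE_PLUGIN_README},
        latest_core="3.2.1", latest_plugins={"example-plugin": "1.5"},
    ):
        print(f"{component}: running {installed}, current release is {latest}")
```

Note that removing the generator tag alone does not hide the version: the audit falls back to readme.html, the same file a scanner tries next, so hiding the tag is no substitute for upgrading.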

    3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log in using all the words in my dictionary.

    You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

    4. Make sure all your passwords are strong

    OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

    You can stop me by making sure your password doesn’t exist in a dictionary and uses numbers and a mix of upper and lower-case letters.
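Steps 3 and 4 describe the same attack from the defender’s side: a script hammering wp-login.php with a wordlist under whatever username it could find. The following Python snippet is an added example, not part of the original post, showing how that pattern looks in a web server access log and how to flag it. It assumes the Apache combined log format and the standard WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects to wp-admin with HTTP 302; the log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache "combined" format); not taken from the original post.
# Assumption: a failed wp-login.php POST re-renders the form with HTTP 200, a successful one
# redirects to wp-admin with HTTP 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2011:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2011:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2011:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2011:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2011:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2011:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2011:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2011:14:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2011:14:05:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a line that doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]          # drop query string (e.g. ?redirect_to=...)
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_login_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """
    Per source IP, count failed wp-login.php POSTs inside a sliding time window.
    Returns {ip: {"max_failures": n, "success_after_failures": bool}} for each IP
    that reached `threshold` failures within `window`. A 302 from an IP already
    flagged means the dictionary eventually hit: treat that as an incident, not a warning.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        q = recent[ip]
        if status == 200:                         # failed login: form re-rendered
            q.append(ts)
            while q and ts - q[0] > window:       # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                entry = report.setdefault(ip, {"max_failures": 0, "success_after_failures": False})
                entry["max_failures"] = max(entry["max_failures"], len(q))
        elif status == 302 and ip in report:      # redirect to wp-admin: login succeeded
            report[ip]["success_after_failures"] = True
    return report


if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold is deliberately low because a human rarely fails five times in a minute, while a wordlist script fails hundreds of times; tune `threshold` and `window` against your own logs before wiring the output into a block list.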

    5. Know what other web applications you have installed

    Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date, and that every fix the vendor has released for a known hole has actually been applied.

    6. Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah, I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a current version of Linux or whichever operating system you are using. The operating system should have the latest patches, and every service running on the machine should be known about, should be necessary and should have hard-to-guess passwords. Don’t be afraid to quiz your blog host about this.

    7. Make sure you don’t get social’d

    Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

    You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the number one tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interesting about how css-tricks almost lost their domain a few days ago.

    Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

  • The value of Time

    From Lawrence of Arabia. Probably the finest film ever made.

    Sherif Ali: There is the railway. And that is the desert. From here until we reach the other side, no water but what we carry with us. For the camels, no water at all. If the camels die, we die. And in twenty days they will start to die.
    T.E. Lawrence: There’s no time to waste, then, is there?

  • Unemployment is lower? Bull.

    Last Friday and again today the DJIA got a nice bump from data showing unemployment has dropped from 9% to 8.6%. This number is known as U3 and only counts those actively looking for work. U4 is what the government should publish which counts U3 + those who have given up looking.

    We “added 120,000 jobs in November” and have added over 100,000 jobs per month for the last 5 months.

    I found the birth, death and marriage rate on the CDC website. For December 2009 we had 344,000 live births per month, 216,000 deaths per month and 138,000 marriages per month.

    Our population is increasing by roughly 128,000 per month, which is 8000 more than the number of jobs we added. Looking at marriages per month gives you an indication of how many new couples are starting life and presumably expecting full employment. That’s 18,000 more than the maximum number of jobs we added per month in the last 5 months.

    I don’t think we’re ever going to get the jobs we lost back because the financial crisis of 2008 was a trigger that caused companies that have become more efficient to cut a workforce that is no longer needed. That is why corporate revenue has not declined even though unemployment has increased. The grey marks the recession, click the graph to go to ycharts for a live version.

The only way to solve this is to bring our education syllabus up to date. The Chinese have a few ideas how to do that: they’re cutting majors that produce unemployable graduates.

  • The whining is reaching a crescendo

    Exec summary: There is a “burnout” meme that is gaining momentum in the valley. Scroll down for a not-insignificant collection of HN burnout posts. Startup employees choose startups for less job security and harder work because there’s the promise of a future reward. If the risk/reward/security/life balance doesn’t work for you then the Valley is filled with a rainbow of other options. Working very hard is not fun, but sometimes it’s necessary. These days we have the luxury of choosing whether or not we want to work hard.

    Preamble: Before you unleash on me what was unleashed on Arrington, know that I don’t invest in startups and I have no vested interest in Silicon Valley employees working harder.

    Full post:

    One of the early Netscapers wrote a scathing post responding to Michael Arrington’s claim that Silicon Valley startups are whining too much. While I disagree with much that Mike Arrington does and says, I do think he has a point.

The debate raging on Hacker News claims that “VCs” are making “employees” work crazy hours to enrich themselves. It leaves founders and early employees who own large chunks of stock completely out of the picture. In most early stage startups, the people working 80 hour weeks actually own the company. So suggesting that they are being exploited is absurd. In fact, even after a Series A round of investment, the founders often still own more than 50% of the company’s stock.

    If you’re an employee in a startup, you have chosen a job with very little security, presumably because you are hoping for a large payday. If you don’t want to work long hours with high risk for the chance of a large reward, then you should choose a job that provides you with the work/life/risk/compensation balance that you want. If you’re in a startup and you didn’t make the conscious decision to work very hard for a company that could go bankrupt at any moment, then you weren’t thinking when you took the job. If you did make the conscious decision, then it’s because you wanted the chance of a large reward. In other words, you have a high appetite for risk and hard work and you’re greedy, and that’s OK.

In case you feel you’re alone working long hours, medical residents work extremely long hours that were capped only recently to 80 hours a week after a class action lawsuit. And they don’t get stock. They’re simply hoping to earn a doctor’s salary.

Arrington does not have the monopoly on imploring his countrymen to work harder and whine less. Christine Lagarde, the current head of the IMF, implored her countrymen in 2007, when she was French finance minister, to “think less and work harder”. She caught hell from a culture that works 9 to 5 with a 2 hour lunch break when almost the entire country shuts down. Of course she was asking them to increase working hours from 35 to 40 hours a week.

    My advice to you is this: Working very hard is not fun, it doesn’t make you feel good and it is bad for your health. But sometimes in life it’s necessary. In our lifetimes with no world war raging, surrounded by prosperity, good health and free access to education and information, a little extra work won’t kill you. If you still feel like a victim and you’re in the Bay area, go take a tour of the USS Pampanito – a World War 2 submarine – and find out what “hard work” really means. [Make sure you check out the awesome KitchenAid mixer in the galley. I’m hatching a mission impossible plan to steal it.]

    The burnout meme has been gaining momentum in the last 4 months. These are a handful of burnout related HN posts that made it to the front page with their date and their front-page rank. One absurd post caught my eye that tries to parlay a passing comment by Linus Torvalds into proof that he too has had a burnout.

    2011-10-04 09:40:01 Am I burnt out? Or just not suited for this job? – 4
    2011-11-21 11:30:01 Ask HN: How do you know if you’re burnt out or just being lazy? – 3
    2011-09-24 03:20:01 Burnout Prevention and Recovery (the MIT stance) – 8
    2011-11-29 05:50:01 Burnouts, VC Cons And Slave Labor: A Marxian Drama – 5
    2011-07-11 23:00:01 Hire me: a story of developer burnout and how I want to turn it around – 2
    2011-09-01 15:20:02 How I got a burnout – 1
    2011-09-01 08:50:01 Linus Torvalds and Others on Community Burnout – 3
    2011-09-02 08:50:01 Part 2: How I dealt with a burnout – 2
    2011-09-01 16:50:01 Startups: Live longer, don’t burnout – 16

    And here’s some stuff that did not make it to the home page:

    2011-07-08 17:50:01 Ask HN: Dealing with Burnout
    2011-07-15 20:30:01 The burnt-out generation
    2011-07-28 01:20:01 6 Ways to Battle Stress & Burn-Out On the Go
    2011-08-02 00:20:01 Burned out on programming?
    2011-09-01 23:30:01 Ask HN: Going Through a Crisis/Burnout – Advice
    2011-09-02 20:20:01 Burnout, Crunch, and the Games You Play
    2011-09-05 09:30:01 How a burnout changed my life
    2011-09-07 02:40:01 Fatigue and burnout: drop-outs, deprived, or the vanguard?
    2011-09-22 03:50:01 Solyndra’s burnout burdens other solar upstarts
    2011-10-21 16:00:02 Ask HN: Finding the perfect job for the burned-out developer
    2011-11-14 19:10:01 Why Millennial Women Are Burning Out At Work By 30
    2011-11-17 15:20:01 Burnout
    2011-11-23 02:40:01 CEOs: Burning bright or burning out?

  • The Net will not be bound or gagged

    I remember seeing Napster in 2000 when I worked for eToys.com and thinking “This isn’t going away. It has too much momentum and we always move forward.” I was wrong. Today I’m wondering about the free Web and whether it will ever go away. Our intuition tells us we always move forward and things will become better, faster, cheaper and more free. But the brief history of the Net has shown that is not always true.

    In 1990 the Internet was completely free. It was an academic network, run by universities with almost no commercial involvement. The Web wasn’t invented yet, Archie, FTP, Gopher, IRC and network news (NNTP) were how we got around. Piracy was of course alive and well in the form of files uuencoded, broken into parts and posted on NNTP servers. If you wanted porn, it was really, really hard work just to reassemble a GIF.

    When the Web came along, it was just another app layer protocol, like Archie or Gopher. But hyperlinks and the eventual embedding of images into HTML pages is what made it far better than any other app protocol.

    There is nothing that prevents us from creating as many protocols riding on TCP/IP as we would like. Gnutella has spent 10 years showing us that distributed content is feasible. Tor has shown us that online anonymity is there for the taking. The Web is just another app layer protocol. DNS is just a phonebook for IP addresses and the Net survived the first 13 years of its life without it.

    If governments ever decide to take control of basic Internet infrastructure like DNS, the Net will simply change form. The way we get content may stop being the Web and it may start being a new democratic protocol that provides client and server anonymity as well as massive redundancy against government or institutional interference.

    What we think of as the free and open Web today may become a place like CompuServe used to be. A place you go to access large incumbents like Facebook and Google. Then there will be that other place where only tech geeks and people in academia go to interact freely with the rest of the world. Initially bandwidth may be slow and connections may be few, but soon the new protocol will mature, become easier to use and will gradually become mainstream, sparking a firestorm of innovation in a new environment that allows truly free communication.

    DARPA built TCP/IP to survive a nuclear war. It may yet survive a worse attack by its creator.

    Footnote: This post was inspired by the South African Government passing the “Protection of State Information” act today. It restricts the press from publishing what the government deems a state secret with penalty of 25 years in jail for violating the law. Many journalists in my birth country will now have to choose between a lengthy jail term and doing what is in the public interest.

  • Most vendors lie, but not all

I’ve been running a small software company for a while now and we are fastidious about reducing costs on hardware and software and getting the maximum bang for buck out of what we buy. Let’s put it this way: Hell for a Dell server is spending eternity in our data center. We work them at 80% load until they simply drop dead and then we switch out the dead components and keep pushing them.

    During my roughly 20 year career in IT, Ops and software engineering there is one thing that has been universal and consistent. IT vendors lie through their teeth about ROI and how their product will save you money or make you more money.

    • Buy our OS because it’s “enterprise” and “best of breed”. No thanks I’ll use Linux which is free and better.
• Buy our database “solution” because it’s a new paradigm in “scalability”. No thanks, I’ll use MySQL because it’s better and it’s free and you know this, which is why you bought them.
    • Use our translation service. Why translate once for a fixed low price when we can use it as an excuse to move your I18N pages into the cloud and charge you per page served. [Two companies have now pitched this exact service to me]
    • Why pay $12.99 for an SSL certificate when you can pay $1,499 for an EV SSL certificate that will quadruple your conversions.
    • Why buy 20 servers for $50k and lease your own rack for $3k per month when you could be in our “mission critical” cloudified data center spending $20K per month for the same thing.
• Why use Nginx free for load balancing when you can get this dedicated hardware load balancer for $40K that can barely keep up.
    It goes on, and on, and on. I am so easy to sell. If you can make me more money or save me money, I’m interested. But few salespeople who pitch me have a product that can do that for real. The only possible explanation is that true innovation, the kind that helps deliver more value or improve efficiency, is rare.
    Companies that do deliver commercial products with real value or improved efficiency that I use:
    • Dell servers
    • *my hosting provider who shall remain nameless for security reasons* Email me if you’re interested.
    • Websitepulse for server monitoring. Super reliable and cost efficient.
    • Linode for small virtual servers for dev and little projects.
    • Apple for iMac workstations, iPad2, iPhone and their macbook and macbook pro – we have all of these and besides being pretty, we use every one of them every day.
    • Authorize.net for payment processing
• Chase Bank. Their business banking is superb and if you’re a disciplined credit card user who has a history of not paying a cent in interest, get the Chase Sapphire Preferred card – it’s Visa Signature so it has concierge and it has the best rewards in the biz. But beware if you aren’t highly organized because the interest can ratchet up to 29.99%. We’re considering ditching Amex rewards cards (biz and personal) for these. American Express, you can contact me if you want to know why.
    • Intuit products including Quickbooks and Mint. Spectacular for biz and personal financial management.
    Post in the comments if you have a favorite vendor that has really come through for you.

  • Does your Representative oppose Job Creation and Support a Warrantless Gag Order? Ask them.

SOPA is a bill (HR 3261) sponsored by Lamar Smith (R-TX), John Conyers (D-MI), Bob Goodlatte (R-VA), Howard Berman (D-CA) and several co-sponsors. The first hearings on this bill will begin in Congress tomorrow, November 16th.

    If SOPA is passed, it will give the US Government control of the Domain Name System in order to allow them to “cut off” blacklisted websites. This is tantamount to giving the US government control of major newspapers at the printing press. If an edition is deemed unsuitable, it never leaves the press.

    The bill has been branded as a device to protect “our” intellectual property and something that is targeted at software pirates, thieves and criminals.

    The reality is that SOPA will give the government control over who has the right to speak.

    Print, radio and television are being replaced by Internet delivery systems from streaming music to video on demand, online newspapers and blogs. Every one of these relies on DNS to stay online. If our government has control over our DNS system, it has the ability to issue an instant warrantless gag order to any individual, corporation or organization if it doesn’t approve your message or content.

    The World has moved online. If this bill passes and is signed into law, it will go far beyond ending the Free Internet. It will remove the press freedoms we had before the Internet existed.

    SOPA’s effects are far reaching and go beyond government control of DNS. The effects will include harming businesses that rely on user generated content and preventing the creation of new businesses like Facebook, WordPress, Twitter, Google’s YouTube and many others. The bill will effectively kill a powerful job creation machine at a time when we need it most.

    Use this link to contact your congressman and express your view on SOPA.

    You can learn more about SOPA and the destruction it will wreak at:

  • Can you build a Big Business on Apple's App Store?

    A good friend refers to the Apple App Store as the California Lottery. So I thought I’d do some rough numbers on how feasible it is to build a big software business creating apps for iPad and iPhone and selling them in Apple’s App Store.

    The Apple App Store will still own three quarters of mobile app revenue by the end of 2011. It’s the place to be if you want to develop paid mobile applications.

    According to Apple, they had paid out developers $2.5 billion since the creation of the app store until July this year. I’m including this as a sanity check on my numbers below.

According to this article, the combined revenue of all app stores will be $3.8B in 2011, with Apple owning 75% market share. That’s $2.85B total revenue for the App Store in 2011, with 70% going to developers (Apple keeps 30%), so total payout to devs will be approximately $1.995B for 2011 (which roughly gels with the total all-time payout number above).

    The app store just passed 500,000 approved apps in May 2011. (Edit: fixed a typo. Apps, not developers)

    In May of this year:

    • $3.64 was the average price for paid apps.
    • There were 244,720 paid apps.
    • There were 85,569 unique developers.
If those paid apps split Apple’s projected 2011 revenue to developers of $1.995B between them, they each earn $8152.17 per year. There will be more paid apps by the end of 2011 than there were in May, so the same calculation for 2010 revenue to developers gives us: $2.1B total sector revenue X 75% Apple’s market share X 70% developer share gives us $1.1025B / 244,720 paid apps = $4505 per app in 2010.
    I’ve calculated both 2010 and 2011 revenue per app because the only data I have on total paid apps is from May.
    So total revenue per app now is roughly between $4K and $8K per year based on my back of the envelope calculations.
    While app store revenue is increasing, so is the number of developers in the app store, exponentially:
Let’s say you create a startup producing Apple App Store apps. You manage to completely dominate the App Store in 2011 and capture 1% of the total 2011 App Store revenue of around $2 billion that Apple will pay out to developers. That’s $20 million in annual revenue. Remember, you’ve just owned 85,568 other unique developers and a quarter million other paid apps, which is not impossible.
    To put this in perspective, here is the 2010 annual revenue from a collection of well known software companies, leaving out the eye watering revenue from companies like Oracle, Microsoft, Apple, Google and the like.
    Sources:

    Food for thought.

  • WordPress Security: Have you been hacked?

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your WordPress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the foreseeable future.

    Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.

  • Your Vision May be Clouded

    I took a lot of crap when I decided to vertically integrate our business four years ago and I invested around $40,000 with Dell to buy our own server cluster. Right then THE CLOUD was the hot new thing, and still is and I was not getting on board. I leased a rack at a respectable Seattle based hosting facility and my wife added the ability to unbox and rack Dell 2950 servers to her long list of talents. The hosting facility team would have done it for us, but we like to get our hands dirty.

    That was the most work we did to set up our own server cluster. Four years later we have a 99.9% uptime record and we run a profitable company with an ad network, real-time analytics product and a free virally distributed service off our cluster of 20 machines. When we mail our customers we send over half a million emails in less than 24 hours off our own email server. We serve between 400 and 800 application requests per second all day long.

    During the last four years I’ve watched friends and acquaintances get burned by the cloud either due to down time or cost. We pay $3400 per month to host our 20 dedicated machines in a single rack. We have a gigabit connection to the Net and our average bandwidth throughput is around 125 megabits per second constantly.

I’m tired of the Wired Magazine crowd giving me crap for not “being in the cloud” or “getting with the cloud” or whatever. So I’m throwing this down: During the last 4 years I’ve had 99.9% uptime and I’ve spent a total of $190,000 during those 4 years on hosting, which includes the capital investment in the servers. We’ve had a constant throughput of 80 to 120 megabits per second (increasing over time) and roughly 40% avg CPU usage on 20 dual CPU machines (with dedicated Intel E5410 CPUs, each with 4 cores). As I mentioned we do 400 to 800 app requests per second and we also have an average of 25,000 concurrent connections on our front-end server. I’ll bet anyone who reads this a beer that you won’t find a cloud provider who can do this for you for less than 3X what I’ve paid. [That works out to $3,958 per month.]

If you think having your own dedicated servers in a colocation facility ties you geographically to one place, it doesn’t. I work wherever I want. For 3 out of the last 4 years I was in Seattle. The last year I’ve been in Colorado. I spent 3 weeks in France this month and while I was there I diagnosed a failing drive in one of our servers, ordered the replacement from Dell which will arrive today and be racked by the support team at our hosting facility. We’ve done hardware replacements or upgrades like this many times, including ordering new servers, upgrading memory, upgrading Ubuntu versions, and it’s no big deal. A local support person with an anti-static strap and a basic knowledge of Linux shell commands can resolve 99% of issues that come up.

    I encourage everyone reading this to challenge the marketing hype around THE CLOUD. Go to Dell’s site, get a feel for price/performance, call your local colo provider and get prices on a full rack with a gigabit connection. You will almost certainly be surprised at the bang you’ll get for your buck and how easy it is to manage your own physical machines.

    Understand that THE CLOUD exists as a buzzword to help software companies sell more software as a service. It’s sad when software startups who should be using the buzzword to sell more service get taken in by the marketing and outsource their core infrastructure.