TONIGHT - Live Webcast of "WordPress Security: Fact & Fiction"

Wordpress orgInterested in WordPress security and making your site as secure as possible? Tonight, June 18, 2013, at 7:00pm US Eastern time (about 2 hours from now), I just learned that tonight's WordPress NYC meetup will be livestreamed. The description sounds great:
D.K. Smith will present a comprehensive range of WordPress security best practices, including: Methods for repairing a hacked site; “Multiple Layers of Security” techniques that keep your site secure. There will also be a preliminary presentation by Austin Gunter on the distinctions between managed, shared and dedicated hosting.

Unfortunately I won't be able to attend live, but I will look to watch the archive of the event.

If any of you are able to watch this live, it will stream out of:

Looking forward to listening to it...

If you found this post interesting or useful, please consider either:

WordPress 3.3.2 Out With Security Fixes - Upgrade Now!

Wordpress orgIf you are a user of WordPress, as I am for several of my sites, you really should update your site to WordPress 3.3.2. If you take a look at the Codex page for the release:

You'll note that the release is pretty much all about security fixes to underlying libraries and other aspects of the software.

While yes, I'm a "security guy" who may care about these kind of things more than others, the reality is that I'm in the "content business" and I want my content always to be available. Having my site taken down by attackers is NOT a way to do that.

So I always upgrade WordPress - particularly when there are security issues involved.

The beautiful thing is that you should just be able to go into your site and click the "Update automatically" link to make it happen. Yes, backup your database first to be safe... but do go in and do the update.

Particularly because if the upgrade fixes "cross-site scripting attacks", you have to know that attackers are out there right now trying to exploit those attacks against sites that have NOT yet upgraded.

So don't be a target... upgrade!

If you found this post interesting or useful, please consider either:

Three Critical Reasons High Schoolers Should Restrict The Privacy Of Their Facebook Pages

Tonight purely by accident I stumbled upon the Facebook page of a student I know at one of our local high schools. I didn't know he was on Facebook but he had commented on a post in my NewsFeed by someone who turns out to be a mutual friend.

Curious to know if it was the person I thought it was, as his Facebook profile picture was not a photo of him, I clicked on the link to his name expecting to see the standard "basic info" you see for everyone and then the privacy message that usually greets you:


Instead, I saw everything...

Walls Wide Open

His Facebook "Wall" was wide open for all to see.  Anyone. I saw all his posts... all his photos... all the comments between him and his various friends. I clicked on the Info link and learned all about where he goes to school (which I knew), his musical tastes, the sports he likes, movies, television shows, games, religious views...

And I got to see all of his friends...

... probably a good half of whom ALSO had wide open walls.

In the course of maybe 10 or 15 minutes of flipping around, I learned a good bit about some of the region's high school age students, saw a whole bunch of photos, read a few conversations that probably weren't meant to be public (or at least to be read by 40+ year-old men sitting at home on their computers)...

...and generally got increasingly concerned about the amount of information these students were perhaps inadvertently disclosing about themselves and their lives.

Now, this is, after all, what Facebook seems to want. They generally default to public sharing, and so if you don't take active steps to protect your privacy, all your content will be shared with the world. And while some people are quite okay with that, I'm personally not.

If I could say anything to these high schoolers or their parents - and to all the others reading this post, it would be that there are three critical reasons why you might want to think about restricting your Facebook privacy a bit more.

1. Security

The most obvious one is the security angle. There are a lot of sickos out there. I've been online for now almost 30 years and I've seen all sorts of seriously warped stuff... information security has always wound up as part of what I've been involved with, and some of what I've had to do has taken me to seriously vile and heinous parts of the Internet.

There are warped people out there. There are thieves and scammers and fraudsters and perverts and others who prey on people online. They've always done this... Facebook just makes it ultra-easy to do. They can start commenting or "liking" your posts and photos. Striking up friendships. Sending you messages. Wanting to meet, etc., etc.

With your wall wide open, you are giving them all the info they need for "social engineering" to know exactly what to say to you. They know the music you like, the TV shows you like, etc. They've seen your photos, so they know what you look like, what you like to wear, etc. It's insanely easy for them to gain your confidence and trust.

You are also giving them your location. You are letting them know where you are, what you are doing. It's a wonderful way that your friends can know where to meet you (and it is. I personally use it that way.)... it's unfortunately also a way for a stalker to find you. And sure, it may not ever happen in your town/city, but why give out all this info when you don't really need to?

You also give away where you are not. Believe it or not, people's homes have been robbed after they were posting publicly about going away from their homes.

Location info... and really all this personal information... is really best shared only with those you trust.

2. Employers Check Facebook

The second reason to restrict your info is because if you are a high school student looking for even a part-time job, guess what that potential employer is going to do?

Yes, they (or at least the smart ones) are going to search for you on Google and Facebook and see what turns up.

In 2012, you're pretty crazy as an employer if you are NOT doing background checks on the Internet. Who needs to call references when you can just go to a search engine and learn more about potential employees than you probably ever wanted to know? (including all the "stupid sh__" they did last weekend?)

It's real. It happens. And stuff lives on in Google's caches far longer than you would ever think.

3. Colleges Check Facebook

In a similar way, college admission officials check Facebook. (Another article claims 80% of colleges use Facebook in recruiting.) Need I say more?

If you are in the process of applying to colleges, you probably don't want admissions officials reading your wall conversation with a friend where you are trashing one potential college and talking about another. Nor do you potentially want them seeing your writing, spelling, photos, etc. (unless, of course, it's awesome and might help you get into a school).

Managing your "online reputation" is something that you have to start thinking about NOW.

How To Close The Walls

To start, the best thing to do is to go into Facebook's "Privacy Settings" that, today, anyway, are found in the drop-down arrow next to your name in the upper right corner of the web version of Facebook:


Facebook unfortunately has a way of changing these settings around from time to time. But if you go down to "Privacy Settings" you'll get the window you see below, where you can make two important changes:

  1. Set your default privacy to "Friends".
  2. Change all past posts to be set to "Friends".


Note that when you click that "Manage Past Post Visibility" you'll see a window pop up that warns you that all posts shared with friends or the public in the past will be restricted. Then you'll get ANOTHER window just confirming that you really, really want to do this and warning you that you can't undo it and will have to manually change it on each post if you want to share those posts publicly again. Finally, you'll be able to change the setting.

You may also want to click "Edit Settings" next to "How You Connect" and restrict who can find your profile, who can send you messages, who can write on your timeline, etc. Here are my settings, which I have changed from whatever Facebook sets as the default settings (probably "Everyone" for all of them):


If you do these three steps,

nothing will really change for you on Facebook!

You'll still be able to interact with your friends. You'll still be able to write on each other's walls. You can still tag each other in photos, send each other messages, etc.

It's just that now when anyone who isn't your friend goes to see your Facebook profile... whether they are other students who aren't your "friend", parents of other students, potential employers, college admission officials... or sick creeps... or just random people out on the Internet... all they will see is this:


All that other personal information stays within the circle of the people you have accepted as "Friends" on Facebook.

And YOU are in control of what employers, college admission officials and everyone else sees.


  1. These privacy settings do not completely remove the chance your info can be publicly disclosed. Your info and photos go out to your Friends' Newsfeeds, and they can then in turn "share" your info out to other people... and somewhere along the way may be someone whose settings are more public. However, you are greatly restricting the potential of that with these settings.
  2. There's a separate conversation that could be had about how you could selectively post certain items publicly to create a public profile that would actually be positive for employers/colleges to see.  For instance, notes about awards you've won, volunteer activities you've accomplished, great photos you've taken or articles you've written, etc.  But again, you are in control of that information.

If you found this post interesting or useful, please consider either:

Pondering All The Strange (Chinese?) Accounts Joining My Email Newsletter List...

Has anyone else operating an email mailing list noticed subscriptions pouring in over the past few months from strange email accounts?

I have been amazed - and I can't for the life of me understand WHY this is going on.

For my VERY infrequently issued email newsletter, A View From The Crow's Nest, I've seen probably 50 subscriptions over the last month from email accounts with very bizarre names - both names of email address and also the first and last names of the users. They pretty much all have come from accounts at:


Now, in looking at those sites... outside of, they are all Chinese-language sites.

Did my (English-only!) blogs get on some list for people to read in China?

... and some % of those people decided to actually subscribe to my (again, English-only) email newsletter?

I find this hard to believe, particularly when Google Analytics shows NO increased visitation to any of my sites from China or Chinese-language browsers.

Is something else going on here? The IT security part of my brain was spiked into high paranoia by the patterns in the last names that were entered into the subscription form. The vast majority of these "last names" were either:

  • andeson
  • aifseng
  • billaa
  • John

And the "first names" make no sense as an English name. Here's a screenshot showing some recent subscriptions (with, yes, some info deliberately hidden):


This pattern continues for several more pages.

Now, I have no real knowledge of the Chinese language. Is this perhaps a translation of Chinese characters into Roman letters by the iContact email service I use? i.e. are these perhaps legitimate subscription requests where the info is getting lost in translation?

My first thought before I realized all the sites (sans were Chinese was that this was spammers subscribing to my newsletter from free email services.

But why?

I couldn't (and still can't) figure that out. What good would it do for a spammer (or other attacker) to subscribe to my email newsletter list?

Or are the subscription records bogus anyway? Are they the byproduct of attackers trying to probe the security of the signup forms? To see if they could exploit a SQL injection attack or something like that?

Or is something more widespread going on? A Google search on "aifseng", for instance, shows that "word" paired with other nonsensical (in English) "words" on a host of other sites.

Did I miss a memo about some security issue going on? Or is this the case where something is getting lost in translation?

Any ideas or info out there?

Image credit: maddercarmine on Flickr

If you found this post interesting or useful, please consider either: Hacked - Time To Change Your Passwords - and the Positive Side of Transparency

Broken Lock
In a blog post titled simply "Security Incident", Matt Mullenweg stated:
Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.


We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

While there was no specific mention of impacts to users in the post, Matt did reply in the comments:

We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.

He later went on to assert that credit card info and other personal info was NOT exposed and also verified this incident affected only the hosting service and not WordPress software itself.

The incident has now been widely reported throughout much of the online tech world, with TechCrunch noting the size of currently serves 18 million publishers, including VIPs like us, TED, CBS and is responsible for 10% of all websites in the world. itself sees about 300 million unique visits monthly.

It's good to see Automattic's openness about the security issue, even when they are still investigating and don't honestly have the answers. Kudos to Matt Mullenweg for diving into the comments and responding as he has been.

The effect of that transparency is certainly visible in the many other comments to the post - including ones like this:

Thanks for letting us know Matt. Admire the transparency so much I’m signing up for a paid account.

Well done!

Image credit: brotherM on Flickr

If you found this post interesting or useful, please consider either:

Facebook for iPhone 3.1 - ALL your *iPhone* contacts belong to us! (HUH???)

facebookforiphone.jpgAfter installing the brand-new version 3.1 of the Facebook for iPhone application, I started to enable the "Sync" feature to sync my Facebook contacts with my iPhone contacts, when I was VERY put off by this warning screen shown on right:

If you enable this feature, contacts from your device will be sent to Facebook and your friends' names, photos and other info from Facebook will be added to your iPhone address book. Please make sure your friends are comfortable with any use you make of their information.


Obviously the app has to send my iPhone contacts up to Facebook so that Facebook can match up the contact info with the names of my friends in Facebook.

But then what?

Does Facebook then ignore my contacts? Are they stored in Facebook's giant databases? Will they all be spammed with info about joining Facebook? ("Dan York is on Facebook, why don't you join?")

I looked for some kind of privacy policy or other info in the Facebook app... on the iTunes page, on the page for the Facebook for iPhone app. I can't find one anywhere.

I do have people in my iPhone address book who have given me private/unpublished numbers. I'm not really comfortable having all that data sent up to Facebook if I have no idea what they are doing with it.

What's the deal, Facebook?

If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or

The Incredible Danger of Facebook's New Privacy Policy - And How to Protect Yourself

facebook.jpgLet's be very clear. No matter what the blog post or letter from Mark Zuckerberg may say (or update blog posts), Facebook's new privacy settings have far less to do with "making privacy simpler" than they do with one simple fact:
Facebook has "Twitter-envy".

Twitter is essentially the center of the public "real-time web" and is getting all the attention, hype and buzz. Facebook is not getting that attention and wants to be your single portal to the Internet.

Facebook wants you to share your information PUBLICLY.

The new "Privacy Policy" is not so much about protecting your privacy as it is about getting you to make more information public.

Let's be clear. THAT is the goal. If Facebook were serious about making it easier to protect your privacy, the recommendations would be different. The "making privacy strong" theme is spin. And judging by articles I'm seeing in the mainstream media, it's working. Now, to be fair, there are some improvements, like the ability to change the privacy settings of each post you make, but that improvement is overshadowed by the larger danger.


The fundamental issue is that when you are brought into the new "privacy transition tool", the "recommended settings" are that you share all your status updates, links, photos, videos and notes publicly. Not just with other Facebook users, but with the entire Internet. By accepting the recommended settings, you are agreeing to make all the info you put into Facebook accessible through search via Google, etc.:


So all those silly status updates you wrote? Found in Google. All those "private" photos of your family that you previously just shared with friends? Found in Google. All those longer notes that you were sharing with your friends? Found in Google. Whether or not you are single or married? Found in Google.

It is a fundamental shift in information sharing from being inside a private walled space to being in an open public space.

Everything you publish - available to everyone on the Internet.

The danger I see is that many, if not most, people will simply accept the recommended settings. And suddenly information they thought was kept more private will be shared with the world.


My recommendations are very simple:

1. Do NOT accept the recommended settings. Choose "Old Settings" in the Transition Tool.

2. Go into the Privacy settings and examine all settings. Click the "Privacy" link at the very bottom of a Facebook page or going into "Settings" in the upper right corner and then click on "Privacy".


3. Change who can see your profile information. Click on "Profile Information" to decide who you want to see information about you.


4. Change you can see your contact information. Click on "Contact Information" to decide who can see your contact info:


5. CHANGE WHAT YOUR FRIENDS SHARE ABOUT YOU! This is a critical one. Whenever your friends go off and play one of those games like Mafia Wars or Farmville, or take one of those zillion quizzes, they are sharing information about you, including with "game developers" who have questionable backgrounds. Everytime any friend of yours adds any Facebook "application", they are sharing info about you.

Click on "Applications and Websites" to see where you can turn it all off:


Personally, I've unchecked all of these items. If one of my "friends" on Facebook decides to start interacting with a new Facebook application, that is their choice. But I don't necessarily want that external company or organization to get all this information about me.

I admit that I find it rather annoying that Facebook provides no way in its new "Privacy Transition Tool" to change these settings. You have to go into these settings to change it.

6. Change what information is accessible via search. Click on "Search" to change whether you want your information to be found via a Google Search:


If you go through each of these panels and make sure the changes reflect how you want your information shared, you'll wind up in a much better space with regard to privacy.


There is an even greater danger to privacy lurking in the fine print:


Facebook has reclassified what is "publicly available information". Your name... profile photo... and friend list are now "visible to everyone". And guess what?

There's nothing you can do about that (except, perhaps to not use any applications).

It's just the price of using a walled garden service like Facebook where a single company is in charge.


I understand Facebook's business need to push people to share more information. They feel they need to be the center of the "real-time web"... and they feel that Twitter is in a better place to be that. But I find it annoying and frustrating that so many users are now going to find their "private" information publicly accessible out on the public Internet simply because they accepted the "recommended" settings.

Bad move, Facebook.