{"id":890,"date":"2007-10-31T23:30:46","date_gmt":"2007-11-01T07:30:46","guid":{"rendered":"\/?p=890"},"modified":"2007-11-06T11:52:10","modified_gmt":"2007-11-06T19:52:10","slug":"breached","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=890","title":{"rendered":"Breached"},"content":{"rendered":"

My blog was hacked over the weekend.  It was apparently a cross-site scripting attack carried out through a vulnerability in WordPress<\/a>.  WordPress has released a fix (Version 2.3.1) and I've now installed it.<\/p>\n

ZDNet broke the news<\/a> on Monday – I was awakened by PR people.  The headline read, “Microsoft privacy guru's site hacked”.  Fifteen minutes of fame:<\/p>\n

IdentityBlog.com, a Web site run by Microsoft\u00e2\u20ac\u2122s chief architect of identity and access, has been hacked and defaced.<\/p>\n

The site, which is used by Microsoft\u00e2\u20ac\u2122s Kim Cameron<\/font><\/a> to promote discussion around privacy, access and security issues, now contains an \u00e2\u20ac\u0153owned by me\u00e2\u20ac\u009d message and a link to a third-party site (see screenshot).<\/p>\n

<\/p><\/blockquote>\n

Naturally there were more than a few congratulatory messages like this one from “Living in Tension<\/a>” (whose tagline says he has “Christ in one hand, and the world in the other):<\/p>\n

Several years of working in the Information Technology world have unintentionally transformed me into a OSS , Linux, security zealot…<\/em><\/p>\n

… Tasty little tidbits like this are just too good to be true<\/p><\/blockquote>\n

I wonder if he would have put it this way had he known my blog is run by commercial hosters (TextDrive) <\/a>using Unix BSD, MySQL, PHP and WordPress – all OSS products.  There is no Microsoft software involved at the server end – just open source.  <\/p>\n

The discussion list at ZDNet <\/a>is amusing and sobering at the same time.  Of course it starts with a nice “ROTFLMAO” from someone called “Beyond the vista, a Leopard is stalking”: <\/p>\n

This one was priceless . How can Microsoft's Security Guru site get hacked ? Oh my all the MS fanboys claim that Microsoft products are so secure .<\/p>\n

<NOT!><\/p><\/blockquote>\n

But then “ye”, who checks his facts before opening his mouth, has a big ‘aha’:<\/p>\n

How can this be? It runs on UNIX<\/a>!<\/p>\n

<\/p>\n

FreeBSD Apache 29-Jun-2007<\/p>\n

Why it's the very same BSD UNIX upon which OS X is based. The very one we've heard makes OS X so ultra secure and hack proof.<\/p><\/blockquote>\n

This is too much for poor “Stalking Leopard” to bear:<\/p>\n

How about explaining as to what a Microsoft employee would be doing using a UNIX server ? I don't think microsoft would be too happy hearing about their employee using… more than their inherently safe IIS server.<\/p><\/blockquote>\n

Gosh, is the “Stalking Leopard”  caught in a reverse-borg timewarp?<\/p>\n

By this point “fredfarkwater” seems to have had enough:<\/p>\n

What kind of F-in idiots write in this blog? Apple this or MS that or Linux there….. What difference doesn't it make what OS\/platform you choose if it does the job you want it to? A computer is just a computer, a tool, you idiot brainless toads! A system is only as secure as you make it as stated here. You *ucking moron's need a life and to grow up and use these blogs for positive purposes rather than your childish jibbish!<\/p><\/blockquote>\n

But as passionate as Fred's advice might be, it doesn't seem to be able to save “Linux Geek”, who at this point proclaims:<\/p>\n

This is a shining example why you should host on Linux + Apache .<\/em><\/p>\n

For those who still don't get it, this shows the superiority of Linux and OSS against M$ products.<\/p><\/blockquote>\n

Back comes a salvo of “It's on Unix”, by mharr; “lol” by toadlife; and “Shut up Fool!” by John E. Wahd.<\/p>\n

“Ye” and marksashton are similarly incredulous:<\/p>\n

You do realize that you just made an idiot of yourself, right?<\/p>\n

Man you are just too much. I'm sure all of the people who use Linux are embarassed by you and people like you who spew such nonsense.<\/p><\/blockquote>\n

Insults fly fast and furious until “Linux User” tells “Linux Geek”:<\/p>\n

I really hope you know  just how idiotic you look with this post! What an ID10T.<\/p><\/blockquote>\n

It seems the last death rattle of the performance has sounded, but then there's a short “second breath” when “myOSX” has a brainwave:<\/p>\n

Maybe he moved the site after it got hacked ???<\/p><\/blockquote>\n

After that's nixed by “ye”, “Scrat” concludes:<\/p>\n

So it appears that dentityblog.com was being hosted by TextDrive, Inc<\/font><\/a> using Apache on FreeBSD.<\/p>\n

Bad Microsoft!<\/p><\/blockquote>\n

The truth of the matter is very simple.  I like WordPress, even if it has had some security problems, and I don't want to give it up.<\/p>\n

My site practices Data Rejection, so there is no “honeypot” to protect.  My main interest is in having an application I like to use and being part of the blogosphere conversation.  If I'm breached from time to time, it will raise a few eyebrows, as it has done this week, but hopefully even that can help propagate my main message:  always design systems on the basis they will be breached – and still be safe.<\/p>\n

Although in the past I have often hosted operational systems myself, in this project I have wanted to understand all the ins and outs and constraints of using a hosted service.  I'm pretty happy with TextDrive and think they're very professional.<\/p>\n

\"After
\nI accept that I'm a target.  Given the current state of blogging software I expect I'll be breached again (this is the second time my site has been hacked through a WordPress vulnerability). <\/p>\n

But,  I'm happy to work with WordPress and others to solve the problems, because there are no silver bullets when it comes to security, as I hope Linux Geek learns, especially in environments where there is a lot of innovation.<\/p>\n","protected":false},"excerpt":{"rendered":"

There's a lot of ideology to get past in teaching people about security <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[12,13,40,42,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/890"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=890"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/890\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}