Wordpress Security Breach – First Response Steps


Word gets around on the Internet quickly, but apparently not quickly enough for me. I do recall noticing somewhere a word about a small security breach in Wordpress 2.8.2 a few days ago, but it wasn’t clear to me that all earlier Wordpress versions were affected, so I did not rush to act right away.


Big mistake. After reading today what happened to Scobleizer (top of Techmeme, so thanks to both for the heads up), I rushed to make the most recent backup of my blog and upgrade it to Wordpress 2.8.4. The upgrade itself was quick and painless (as usual with Wordpress), and it has actually much improved, as auto upgrade of plugins worked flawlessly in this latest edition (haven’t tried a full auto upgrade yet).

I thought I was out of the woods, but reading people’s comments, they mentioned an Admin account that hackers create for themselves. Not seeing anything in the Users list, I was not worried at first. But then someone mentioned “hidden” in their comments. So I went to the WordPress tables in MySQL and FOUND A HIDDEN ADMIN account created there! Complete with evidence of the crime! The darn trick is as simple as inserting malicious JavaScript, which elevated the user to Admin, into their own First Name field!!! I promptly deleted the invader’s account, and hopefully this is the end of that (read below about other things I checked).

I must say I am disappointed with Wordpress security, although it remains the easiest to use and a very fast/flexible framework for a blog/site. But haven’t we learned from all the SQL injections in the past? Validate Field Lengths on the Server Side!!! Especially for any input fields or account registrations that are in a world-visible, unsecured area!

I know the hack was fixed in 2.8.4, and I haven’t taken the time to review how it was fixed. But, I truly hope this is something they go back and double check elsewhere, as much as possible.

I don’t know if this breach left any other backdoors on my blog; I certainly hope not. Here are some steps I took to review site integrity after following the standard Wordpress Upgrade instructions:

  • If you do find a phantom Admin user in your wp_users table that you don’t recognize, check whether that user has a wp_user_level of 10 in the wp_usermeta table (same user_id) – Record the offending user_id or IDs (if you have multiple breaches). Promptly remove all records from both tables for that user_id, obviously.
  • Review all other tables, especially wp_posts, for the user_id found above (called post_author in the wp_posts table). It also helps to review any old posts and check their post_modified field, to look for any recent modifications that you didn’t perform yourself.
  • Review your file system for any new files. I presume that you upgrade as per the instructions and completely wipe your old wp-admin and wp-includes directories before placing new ones there. But what about wp-content, with your Theme, plugins, widgets and uploads? Review these directories as much as possible!
  • I have no idea how to review the wp_options table and whether anything suspicious may be lurking there – If you have suggestions on this one, post in Comments!
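The review steps above can be run directly against the database. The following MySQL queries are an added example and are not from the original post; they assume the default `wp_` table prefix (adjust if your install uses another), and the `1234` user_id is a constructed placeholder for whatever ID the first query turns up. Everything except the final two statements is read-only, and the last query covers the wp_options question by listing the options that control site URL, registration and active plugins.

```sql
-- 1. Every account holding admin rights, with when it was registered.
--    wp_user_level = 10 and an 'administrator' entry in the serialized
--    wp_capabilities value both mean Administrator; a recent
--    user_registered date on an account you did not create is the tell.
SELECT DISTINCT u.ID, u.user_login, u.user_email, u.user_registered, u.display_name
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE (m.meta_key = 'wp_user_level'  AND m.meta_value = '10')
   OR (m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%')
ORDER BY u.user_registered DESC;

-- 2. Accounts whose display name or First Name carries markup. A user
--    record with HTML/JavaScript in these fields can render in a way
--    that hides the row on the Users screen while it still exists here.
SELECT u.ID, u.user_login, u.display_name, m.meta_value AS first_name
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m ON m.user_id = u.ID AND m.meta_key = 'first_name'
WHERE u.display_name LIKE '%<%'
   OR m.meta_value   LIKE '%<%';

-- 3. Posts written by the suspect account(s), plus anything modified in
--    the last 30 days, so you can compare against edits you actually made.
SELECT ID, post_author, post_date, post_modified, post_status, post_title
FROM wp_posts
WHERE post_author IN (1234)              -- placeholder: IDs recorded in step 1
   OR post_modified >= DATE_SUB(NOW(), INTERVAL 30 DAY)
ORDER BY post_modified DESC;

-- 4. Post content containing script or iframe tags, regardless of author.
SELECT ID, post_author, post_modified, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%';

-- 5. wp_options: the handful of options worth eyeballing by name
--    (site address, who may register and as what role, which plugins
--    load), plus any option value that smuggles in script or eval().
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'admin_email',
                      'users_can_register', 'default_role', 'active_plugins')
   OR option_value LIKE '%<script%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode%';

-- 6. Removal, only once user_id 1234 is confirmed as the intruder:
--    delete the metadata first, then the user row.
DELETE FROM wp_usermeta WHERE user_id = 1234;
DELETE FROM wp_users    WHERE ID = 1234;
```

Run queries 1 to 5 on the backup copy of the database as well as the live one: the backup is an untouched record of what the tables looked like before you started cleaning up, and comparing the two shows exactly what was removed.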

Here are some more links to review from experts, to fortify your site as much as possible. Of course, you may also reconsider moving to the relative safety and simplicity of a hosted blog, such as Wordpress.com and others.

Me, I prefer the “fun” of messing with my own site, and having complete control, seemingly.

UPDATE: Found another older post, but with more good suggestions. For example, I did review my .htaccess file and found it a bit suspicious, so I replaced it. I just forgot to explicitly mention it above. Better stay alert!

UPDATE2: I am still lurking around the Net and reading up on this. It seems that the latest vulnerability could also allow someone to reset the Admin password of the “default” initial Wordpress account. So I also took the precaution of resetting that password to something new ASAP. Read up more here.

Admission – I was a Netbook Holdout



Yes, there, I am out in the open now, ready to admit it. For the longest time I’ve been watching Netbooks, saying to myself – it’s really a useless toy, why even spend the money?

  • Sure, you could check your email on the tiny screen, but can you play online video from YouTube or Hulu? Well, not in HD, but it works just fine as regular video!
  • But surely it can’t even play local MP4 files full screen – Yes it can, apparently!
  • But you won’t even be able to play any 3D games or run Vista! Well, 3D games work! I was shocked to discover that even World of Warcraft runs, on minimum settings, of course. Vista I haven’t tried (and don’t recommend it), but Windows 7 (RC) works nicely on this machine!

In fact, I decided to post this from my little Netbook! We picked it up for only $260 before a recent family vacation, and it proved to be an integral part of the family during the trip. Sure, I was waiting for some real 3D (will nVidia’s Ion platform ever materialize?), but with the trip on the horizon and this great Woot price, I decided that this is a worthy investment, for now.

Overall we’ve been really happy. The family mostly used it to visit Facebook and watch online (and offline) videos. Did I mention that our model came with a 160GB hard drive and 6 hr battery life? Two really important characteristics, in my opinion, making it much more than a toy. My only complaints are the 10″ screen (really the minimum) and keyboard size (but the new 11″ models have a bigger keyboard also). Oh, and be sure to always use Full Screen mode in your web browser (key F11 on most).

In unrelated news, our Internet at home is back! The Comcast tech came and delivered, as they say. It’s very fast and stable now, and we are happy. So, to celebrate, enjoy this fun music video! If you are not on a Netbook, hop over to the YouTube site and watch in HD.

Facebook Ad Machine – Scary or Ultimate?


I am back from vacation, and it was very rejuvenating. To totally relax this time I spent a few free minutes between activities on some casual gaming, mostly on Facebook and Steam. I have long been a fan of Steam, but the improvements in Facebook games were a surprise for me. I love how Steam lets you purchase digitally and then just install and play on your different computers, as much as needed, with no discs to store or find.

My main observation is that Facebook gaming is finally starting to realize the social aspect. Some in pure competitive fashion (like highest score in Biggest Brain), while many others are all about socializing (YoVille), sharing gifts and showing off the Farms and Restaurants you built. It is good fun and a new way to “stay in touch” with people you care about.

On to the main topic – Facebook gained major momentum for our family during this season’s family vacation. We met many family members in person, and most of their kids already had Facebook (what’s with the silly 13-year-old limit on Facebook?). So my kids signed up and were able to connect to their relatives and stay in touch, even though they often meet in person once a year or less!

But, with all the benefits, I got really worried today. Earlier I became a fan of Lily Allen on Facebook. I really love her fun and honest lyrics, combined with an excellent music style. So what do I see right after? A “Love Lily Allen – Check This Out” ad appearing on Facebook. Clearly targeted, no doubt, and once I clicked it, it took me straight into iTunes to some singer’s album I had never heard of!

I haven’t decided if this is a benefit or a burden. It is definitely strange how Facebook doesn’t use the same common sense to stop pitching me “Dating” sites, since my profile clearly indicates “Married”!!!

If they approach this carefully, it can be a real boon for Advertisers. Facebook knows my real location (home address, and sometimes mobile location via Facebook Mobile on iPhone), and my likes/dislikes. I am a Papa Johns pizza fan on there also; how long before other pizzerias start bombarding me with their best offers to win me over? Rather scary… A good short Sci-Fi story comes to mind. You can listen to it for free on the excellent EscapePod.org (warning, rated R). That’s where I heard it, along with the Advertising Warfare concept mentioned.

The Next Series: Part 2 – Where Is My File?


In the future, there will be No More Files (and most likely No Folders either).

Have I completely lost it, you are probably wondering just about now?

All modern Operating Systems, from the latest Linux to the upcoming Windows 7 or Mac OS Snow Leopard, still share this fundamental flaw. I think designers and engineers have long known that the Computer Industry has major trouble with how it got our generation brought up on, and used to, the concept of “Files”. Bill Gates was very bold to try and change this notion with a database-based file system, but it was too soon, and the biggest issue, backwards compatibility, couldn’t be properly solved at the time.

But what am I talking about, seriously!?!

“File” is a primitive concept that brings nothing but challenges as we start to realize that we live in an Ocean of people, places and devices. While many Corporations out there still struggle to figure out how to connect the TV with the Internet, think about the future where all devices are ubiquitously connected to one big Net. Does it really seem natural for you to have to “transfer” your latest version of that document from your Central Home System, to iPhone 5.5 GSQ, to the Office Presentation Board and back to the home system, as you move about your busy day?

Simple, limited “Files” as we know them today will have to evolve into interconnected and live pieces of Content. From the simplest thing (think of the Corporate Slogan on that Sales Pitch email you sent out) to complex living documents (like a Service Level Agreement between a major service provider and large Corporation(s)), everything should be “alive”.

Of course it’s hard! We still can’t figure out something as simple as a Photo or Video format that everyone can agree on and standardize. How can you expect that corporate board room to show your awesome presentation automatically when you stroll into that meeting, if there are hundreds of video codec standards?!

Ok, short summary – think Tags (the same concept as XML, and what used to be Categories on this blog), think timelines and collaborative work of many people. But the biggest thing I am waiting for? It’s that “Ah Ha” moment when developers realize that their software should not come as “Files” or “Packages”, or even be developed as “Files” or “Packages”.

Ok, now you can officially confirm that I lost my marbles :)

Related Post: Part 1 of the series.

The Next Series: Part 1 – Simulated Past


I have decided to have a few posts focused on discussing what’s next in the world of computing. The idea is to look at the progression thus far, and see what makes sense to be researched and improved next. This simple formula can be surprisingly effective, due to the collective “creationism” that defines the computing industry. In other words – we create our future (just like in real life) by focusing research efforts (aka: wishes) on particular things. Thus, we can foresee now what the future will bring, simply by assuming that our research pans out.

And now, the actual point – For a while now, everyone has agreed that a lot of our collective progress was often hindered by the infamous “backwards compatibility” syndrome. The base dilemma, thus, for engineers not just of operating systems but of many core technologies, was “Do We Make It Faster and Break old software” or “Do We Keep it slow, but not Break anything”. Traditionally, Microsoft preferred not to simulate old software standards fully, probably because it would end up being too slow to properly run older software.

But now, with faster CPUs and built-in virtualization at the chip level, they can finally move forward and just run that old Windows XP stuff inside “Virtual PC” – a full computer simulator running a “real” copy of Windows XP SP3. This “magic” finally allows the developers to Revolutionize, as we often like to do.

This magic comes to Windows 7 officially now, though I used Virtual PC in Vista as you all know, happily running Windows 98 and some 1995 software in it without a hitch. Even in Windows 7 it feels like an “add-on” to me; hopefully in Windows 8 and beyond the engineers will fully realize the potential of “simulating” the past, and allow themselves to rethink every layer of the Operating System! What will result is prettier, faster, better technology. But where would we want to take it? Stay tuned, we’ll discuss that in the next parts of the series!

[via Within Windows blog]
