BlogSecurity brings up an interesting point about blogs and security. As vulnerabilities are found, patches are issued, but how does one tell the end user about those patches? I recently found an old site of mine, which I had put up to test a shared hosting provider, defaced. The reason? A vulnerable version of WordPress. I was able to patch the hole and fix the problem relatively easily, but what about Joe Blogger? He’s more passionate about politics than about the blogging tool he uses. More than likely he doesn’t even log in to the administrative interface, but uses a third-party app to post to the blog. How do we let this person know that he’s vulnerable? Operating systems have some version of “software update”. Desktop applications have a way of checking for “newer versions”, which can then help you decide whether you want to upgrade or not. Web-based software normally doesn’t have anything like this.
SugarCRM seems to be the only thing that can check for a newer version of itself and then try to patch itself. So, should non-technical people be forced to use a hosted/managed service? (This is a dumb question, please don’t answer it.) Or should there be a standard way of letting package users know about updates?
Example: WordPress.
Every time you post, when WP hits Ping-O-Matic, it should also hit Automattic and do a version check. Automattic should respond by saying your version is:
a: current
b: old
c: Critically vulnerable
Based on these responses, the user is notified via email for answer b. For answer c, WordPress goes into read-only mode: no new posts, no comments, until the user acknowledges the threat and does something about it.
To make it extra annoying, we let the user say “OK, I’m aware of the bug, but I want to post anyway”, but right after that post we go back to read-only mode. So the user can continue to use the software, but we now have a web version of the shareware nag screen. I’m not sure how well this will work, or if it’s even a good idea.
It would be impossible to retrofit this idea onto the already insecure installs out there, so it would address the needs of future installs but not the existing vulnerable ones. I don’t think this alone will solve the problem, and it may create a new one, until we figure out a sane way of doing this.
So I guess I’ll ask you what you think. I have no clue; I’m going to go back to my corner now. :)
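Here is the flow above as a small state machine: version check against a vendor feed, three-way classification, the email notice for “old”, the read-only lockdown for “critically vulnerable”, and the one-post override that snaps back to read-only. This is an added sketch written for this post, not WordPress or Automattic code; the feed format, the names VersionStatus, classify and PostGate, and the dotted-integer version strings are all assumptions. The vendor response is a constructed string evaluated offline; a real deployment would have the vendor sign it and the package verify the signature with a public key shipped in the install, otherwise anyone who can spoof the response can force every blog into read-only mode, or hide a real advisory.

```python
"""Update-check-and-lockdown sketch for a blog engine.

Constructed example, not project code. The feed format and every
class/function name here are hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from enum import Enum


class VersionStatus(Enum):
    CURRENT = "current"                  # answer a
    OLD = "old"                          # answer b: notify by email
    CRITICAL = "critically_vulnerable"   # answer c: read-only mode


def parse_version(v: str) -> tuple[int, ...]:
    """Assumes plain dotted integers ('2.0.5'); no pre-release suffixes."""
    return tuple(int(part) for part in v.split("."))


# Constructed stand-in for the vendor's reply. 'min_safe' is the oldest
# version without a known critical hole; 'latest' is the current release.
# In practice this document must be signed by the vendor and verified here.
VENDOR_FEED = json.dumps({"latest": "2.0.5", "min_safe": "2.0.3"})


def classify(installed: str, feed_json: str) -> VersionStatus:
    """Map the installed version onto the three answers in the post."""
    feed = json.loads(feed_json)
    inst = parse_version(installed)
    if inst < parse_version(feed["min_safe"]):
        return VersionStatus.CRITICAL
    if inst < parse_version(feed["latest"]):
        return VersionStatus.OLD
    return VersionStatus.CURRENT


@dataclass
class PostGate:
    """Write gate in front of posts and comments for one install."""
    installed: str
    read_only: bool = False
    override_once: bool = False          # set by the 'post anyway' button
    notices: list[str] = field(default_factory=list)
    posts: list[str] = field(default_factory=list)

    def run_check(self, feed_json: str) -> VersionStatus:
        """Run at publish time, alongside the Ping-O-Matic ping."""
        status = classify(self.installed, feed_json)
        if status is VersionStatus.OLD:
            self.notices.append(f"email: {self.installed} is outdated")
        elif status is VersionStatus.CRITICAL:
            self.read_only = True
            self.notices.append(
                f"lockdown: {self.installed} has a known critical hole")
        else:
            self.read_only = False
        return status

    def acknowledge_and_post_anyway(self) -> None:
        """User says 'I'm aware of the bug, but I want to post anyway'."""
        if self.read_only:
            self.override_once = True

    def try_post(self, text: str) -> bool:
        """One write is allowed per acknowledgement; then the nag returns."""
        if self.read_only and not self.override_once:
            return False
        self.override_once = False
        self.posts.append(text)
        return True


if __name__ == "__main__":
    gate = PostGate("2.0.2")
    print(gate.run_check(VENDOR_FEED), gate.try_post("blocked?"))
    gate.acknowledge_and_post_anyway()
    print(gate.try_post("one post"), gate.try_post("second post"))
```

Note that the gate only enforces the policy on writes that go through it; an install that is already compromised, or a third-party client posting through an unguarded API path, bypasses it entirely, which is the point made in the next paragraph.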
2 users commented in “Secure is, as Secure does.”
I think you’re right, both about this being a good-sense way to handle things and about the futility of automagically patching existing installs.
I’m sure, however, that the companies or communities around existing packages with histories of problems in the past (*cough* WordPress *cough*) could throw together a Google mashup to (hypothetically) go find all Google-visible instances of FubarBlog before version X.Y, grab the blogger’s email address (either through metainfo or screen-scrape, since they know what they’re looking at), and slap him upside the electronic head. Of course, that has two problems:
1) it annoys the guy who is just using his host provider’s installed service, over which he has no control;
2) if the Good Guys can do it, the Bad Guys can too - and fully automate defacement of vulnerable blogs. *shudder*
Sticking our heads under the collective sand will NOT do anything for Problem 2. Problem 1 may be beneficial; if Loser-ISP.biz won’t fix their systems after customers complain, then there are always other hosting providers out there, and people will (eventually) vote with their feet and their kopecks.
Wasn’t this sort of how the Morris Worm got started?