Security

I got that message today, Drupal admins know the one:

Critical security update required! Please check available updates to ensure the security of your server.

(or something like that...)

It's all in red and stuff, looks really intimidating, like, "Oh my God, what if the hackers have discovered this vulnerability before the Drupal development community did!"

This is very interesting. I'm in my sixth week of not being able to type. While I have been out of the game, some enterprising person has taken it upon themselves to build a bunch of icky links to my sites. These are links from spammy Viagara pages, cigarette vendors and a couple of porn pages that even make me blush.

Do these unwanted "bad neighborhood" links hurt SEO? Yes, it seems. Combined with my inability to add fresh content, it may have been very mildly effective (search engine traffic across my sites is off by 14 percent from the monthly norm).

Some script kiddy's botnet is slamming the site again this morning. They're trying to make comments, trying to inject something, I guess. Maybe it's just a super-weak DoS attack. I don't know yet.

I think everything is pretty solid right now but I haven't looked at the server. If the site is slow or crashes, this is the reason.

All my websites were taken down momentarily by a cracker this morning (11-11-2009). Probably had something to do with the DoS attack the other day. They used that to find and open holes, I guess.

I'm not giving any details about what happened because I want to catch the SOB next time. All I can say is that it's pretty pathetic to waste everyone's time like that. You waste your time taking down the sites because of course I have them backed up and will bring them back up. You waste my time (more of yours than mine). You accomplish nothing, and you put yourself in severe legal jeopardy. What's the point?

Wouldn't it be nice to find easy protection for your Windows PC?

You've found it.

I did another post aimed at web surfers, helping people to protect themselves against xss already embedded in websites. Now I just want to quickly point out something to PHP coders, something that my travels around the web reveal is missing in a shocking number of sites: Basic security against this kind of attack being executed through form submissions in your website.

XSS (or cross-site scripting) attacks have been around for years, but they've been in vogue lately as more people administer websites. I myself was tricked into one that caused me a tremendous headache for a week. One can easily become over-confident and sloppy by doing most of what needs to be done to protect against this type of attack. The little bit left undone is what kills you.

A strong password is your first line of defense,

but can you remember it?

[a blast from the past, the existence of which I hope to remind the Great and Mighty Gods of Mount Googleplex]

There is no way around it: Any computer that is turned on is vulnerable. Having a strong password is not guaranteed protection since, once logged in, you can be tricked, and any programs you execute will be executed with all the permissions you have as a user.