SQRL Poised To Save Us From Password Hell

A few times every decade we get to witness the emergence of a truly revolutionary back-end technology breakthrough. I recall following OpenID in the mid-00’s, reading some of the early discussion groups and blog posts, eventually watching it become supplanted by OAuth. Which would go on to drastically simplify the way most people log in… Continue reading SQRL Poised To Save Us From Password Hell

DIY Internet: More on personal VPNs

A few followup thoughts regarding Monday’s post about setting up a personal VPN. Self-Sufficient, DIY Internet All the Facebook Cambridge Analytica nonsense has really emphasized how dependent we have become on third party services and social networks. As I thought about it, the idea of being self-sufficient online has really started to appeal to me.… Continue reading DIY Internet: More on personal VPNs

Huge Vulnerability in WordPress 4.8

Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

WordPress has made great strides in modernizing  and hardening core. I really had no idea WPDB was still in the dark ages! For shame!

Read his post for all the gory details.

Facebook Security Force

A neat little tidbit about Facebook security in this post from The Verge. Good Guy Facebook proactively scans lists of hijacked account and warns users if they appear on one of these lists.

Facebook cross references credential dumps with its entire database of user credentials, then alerts any users that match to change their passwords. By signing up for Facebook, you’ve inadvertently entered yourself into its witness protection program, of sorts. During events like the Gawker credentials leak or Playstation Network security breach last year, Facebook alerted users if their passwords were on the loose.

via The Verge