Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).
WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!
Read his post for all the gory details.
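To make the design point above concrete, here is a small model of the two approaches side by side. It is an added example written for this page, in Python rather than WordPress's PHP, and it is not wpdb's code or anything from Anthony Ferrara's post: `prepare_to_string` is a simplified stand-in for a printf-style prepare that returns a string, and `PreparedStatement` / `prepare_to_statement` are assumed names for the statement-object alternative, run against an in-memory SQLite database. The value `50%s off` is constructed for the demonstration.

```python
import re
import sqlite3
from dataclasses import dataclass


# --- The flawed design: a prepare() that hands back a SQL string ----------
# Simplified model of a printf-style prepare (not wpdb's real code). Values
# are escaped and spliced into the query text, and the result is a plain str,
# so nothing stops a caller from feeding it into prepare() a second time.

def escape(value):
    """Minimal quote escaping for the toy; a real driver does far more."""
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def prepare_to_string(query, *args):
    # Normalise quoting so every %s ends up wrapped in single quotes, then
    # substitute the escaped values with printf-style formatting.
    query = query.replace("'%s'", "%s").replace('"%s"', "%s")
    query = re.sub(r"(?<!%)%s", "'%s'", query)
    return query % tuple(escape(a) for a in args)


def double_prepare_demo():
    """Prepare once with a value that contains '%s', then prepare the result again."""
    once = prepare_to_string("SELECT id FROM posts WHERE title = %s", "50%s off")
    # 'once' is just a string, so the second prepare() is accepted silently.
    # The %s that lives inside the *value* is now read as a placeholder: the
    # next argument lands inside the literal and the quote boundaries move,
    # which is exactly why a string-returning prepare cannot be made safe.
    twice = prepare_to_string(once, "x")
    return once, twice


# --- The fix: prepare() returns a statement object, not a string -----------

@dataclass(frozen=True)
class PreparedStatement:
    """Query text plus parameters kept apart; values never enter the SQL text."""
    sql: str      # query with the driver's own placeholder syntax
    params: tuple  # bound separately by the driver at execution time


def prepare_to_statement(query, *args):
    if isinstance(query, PreparedStatement):
        raise TypeError("statement is already prepared; refusing to prepare it again")
    if query.count("%s") != len(args):
        raise ValueError("placeholder count does not match argument count")
    # sqlite3 binds '?' placeholders itself, so no textual splicing happens here.
    return PreparedStatement(sql=query.replace("%s", "?"), params=tuple(args))


def rejects_double_prepare(stmt):
    """True if the statement-object API refuses to be prepared twice."""
    try:
        prepare_to_statement(stmt, "x")
    except TypeError:
        return True
    return False


def statement_demo():
    """Execute a statement object; the awkward value is matched exactly, not reinterpreted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO posts VALUES (?, ?)", (1, "50%s off"))  # constructed row
    stmt = prepare_to_statement("SELECT id FROM posts WHERE title = %s", "50%s off")
    rows = conn.execute(stmt.sql, stmt.params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    once, twice = double_prepare_demo()
    print("prepared once :", once)
    print("prepared twice:", twice)
    print("double-prepare refused:", rejects_double_prepare(
        prepare_to_statement("SELECT 1 WHERE 1 = %s", 1)))
    print("statement rows:", statement_demo())
```

The second `prepare_to_string` call goes through because its input is indistinguishable from any other query string; the statement object makes the same mistake a type error, and the driver binds the parameters on its own side of the boundary, so a value containing `%s` or a quote is just data.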
The Loop posted a great summary of Apple’s Face ID security whitepaper.
Two points about how the timeout works really baffled me. Face ID is disabled when:
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
If the phone hasn't been unlocked for 48 hours, it's a good assumption that the phone has been lost or stolen. But why bother disabling Face ID? Is Apple nervous about its real-world effectiveness? Nervous that a thief may be able to unlock the phone with their face?
The second timeout seems more arbitrary. Why 156 hours? If I generally only use my phone once every 4 hours and 5 minutes, then after 6.5 days I will have to re-authenticate with my passcode? Why? It seems completely arbitrary.
Any smarter security minds out there have any thoughts?
Marco Arment just published a post on The ethics of modern web ad-blocking.
His opening position is pretty similar to my own: I've been a long-time advocate of not blocking ads. In the past, I have also put food on the table via ad revenue. Until today, I have been morally opposed to blocking ads.
Nobody could blame the users of yesteryear for killing pop-up ad rates, and nobody should blame the users of 2015 for blocking abusive, intrusive, misleading, and privacy-stealing ads and trackers, even if it’s inconvenient for publishers and web developers.
PS. Ghostery is great!
(This is not a political post. I don’t really do politics.)
The vast majority of people I follow on the social medias are having a very predictable knee-jerk reaction against Donald Trump's presidential campaign. My knee-jerk reaction to predictable, like-button-induced, knee-jerk reactions is to immediately take a contrarian view.
If I actually did politics, I’d continue this post by going on to describe that contrarian view. But, I’m not nearly well versed enough in US politics to make even the weakest coherent argument about why I think The Donald should be taken seriously.
Instead, I'd like to recommend Episode 295 of Dan Carlin's Common Sense podcast. He's far from a pro-Donald guy; however, he has a very unique take on the man that every single bandwagon jumper needs to hear.
Update, Dec 2015:
At some point between August and now, Donald Trump became completely indefensible. I stand by my podcast recommendation, and I still believe people are being too quick to gobble up everything the media is feeding them with regard to Trump. However, I want the record to be clear: I certainly do not support Donald Trump for president of our fine neighbours to the south.