03 05th, 2010

To keep a Blog, you need…

Author: Shane

Stamina.  Mostly.  And money.  Not much, but in combination with other Internet service bills, it can add up.  And something interesting to write about.  All of the time.

Or you could just tweet…

08 03rd, 2009

WordPress 2.8.3 Security Patch Available

Author: Shane

Ryan Boren mentions in his post that he may have overlooked some facets of the fix for the privilege escalation issues found in WordPress 2.8.1.  It’s OK, Ryan; what matters most is that you were quick to recognize input from your supporting community and address the remaining issues.  gj.  Now go get some sleep!  :)

07 30th, 2009

The most sincere form of flattery is…

Author: Shane

In the computer security industry, being hacked should be considered the most sincere form of flattery.  After all, if you are important enough to be hacked, it must mean you are doing your job well.  That said, way to go, Mr. Kaminsky!  Mr. Mitnick, kudos to you, too.

What is the lesson here?  As noted in Elinor’s article, Mr. Mitnick states “On a public-facing box you don’t keep anything confidential on there.”  It’s a really good point, although as time moves forward, as social networking sites become more popular and cloud computing moves toward the mainstream, keeping secret data secure only gets harder.  As most of us already know, a determined hacker is eventually going to get through any defense.  And this is exactly the reason why the Kaminskys and Mitnicks of the world exist.

Full story: http://news.cnet.com/8301-1009_3-10299126-83.html?tag=nl.e757

07 21st, 2009

WordPress 2.8.2 Update Available

Author: Shane

It’s pretty straightforward.  Quoting the WordPress site: “WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.”

In case you are wondering what ’sanitize’ means: it is the process of cleaning up untrusted input so that it can only be interpreted the way the application intends.  It goes hand in hand with validation.  The application that accepts input checks that the data being collected is valid (the right type, length and format) and, before displaying it, escapes or filters it so that it cannot be interpreted as script or markup.  In the 2.8.2 case, the comment author’s URL was displayed in the admin pages without that cleanup, which is why a crafted URL could push an administrator off to another site.

For example, if I were to create a contact form I would validate incoming data.  I’d make sure the person submitting the form can only submit a limited amount of information and not megabytes upon megabytes of garbage.  I’d make sure they can only submit text data, not pictures.  I’d make sure that, when they enter an email address, the email address is valid in format — for example only email addresses such as blog@pickshanesbrain.com are acceptable, NOT something like come.on.give.me.a.break.this.is.a.bunch.of.garbage.
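As an added example (not code from the original post, and not WordPress’s own code), here is what those checks look like in Python: the contact-form validation described above (size limit, text only, well-formed email) plus, for the 2.8.2 issue, vetting a comment author’s URL before it is rendered into an admin page.  The field names, the length limits and the email pattern are illustrative assumptions, not values taken from WordPress.

```python
import html
import re
from urllib.parse import urlsplit

# Illustrative limits, not WordPress settings.
MAX_NAME_LEN = 100
MAX_MESSAGE_LEN = 4000
# Deliberately simple shape check: local@domain.tld, no whitespace or angle brackets.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_contact_form(form):
    """Return a list of validation errors for a contact-form submission.

    An empty list means the submission passed every check.  `form` is a
    plain dict of field name -> submitted value (an assumed shape).
    """
    errors = []
    name = form.get("name", "")
    email = form.get("email", "")
    message = form.get("message", "")
    # Text only: anything that is not a string (e.g. an uploaded file) is rejected outright.
    if not all(isinstance(v, str) for v in (name, email, message)):
        return ["all fields must be plain text"]
    if not name.strip() or len(name) > MAX_NAME_LEN:
        errors.append("name missing or too long")
    if not EMAIL_RE.match(email):
        errors.append("email address is not well-formed")
    if not message.strip() or len(message) > MAX_MESSAGE_LEN:
        errors.append("message missing or too long")
    # Reject binary junk: allow printable text plus newline, carriage return and tab.
    if any(ch < " " and ch not in "\n\r\t" for ch in message):
        errors.append("message contains control characters")
    return errors


def safe_author_url(raw_url):
    """Return a URL that is safe to place in an href, or None if it must be dropped.

    Only http and https with a host are accepted, so javascript:, data: and
    protocol-relative (//host) values never reach the page.
    """
    if not isinstance(raw_url, str) or len(raw_url) > 2048:
        return None
    candidate = raw_url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return candidate


def render_author_link(author_name, raw_url):
    """Render a comment author for an admin page: escaped text, vetted href.

    html.escape turns <, >, &, " and ' into entities, so neither the name nor
    the URL can break out of the attribute or the element it is placed in.
    """
    safe_name = html.escape(author_name, quote=True)
    url = safe_author_url(raw_url)
    if url is None:
        # Unsafe or missing URL: show the name without a link rather than guessing.
        return safe_name
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), safe_name)


if __name__ == "__main__":
    # Constructed sample submissions, one good and one bad.
    good = {"name": "Shane", "email": "blog@pickshanesbrain.com", "message": "Nice post."}
    bad = {"name": "", "email": "come.on.give.me.a.break", "message": "x" * 5000}
    print(validate_contact_form(good))
    print(validate_contact_form(bad))
    print(render_author_link("Bob", "http://example.com/?a=1&b=2"))
    print(render_author_link("<b>Bob</b>", "javascript:alert(1)"))
```

Note that the two halves do different jobs: `validate_contact_form` rejects input that is the wrong shape, while `render_author_link` escapes whatever does get stored at the moment it is displayed.  The 2.8.2 bug sat in the second step, which is why validating on the way in is never a substitute for escaping on the way out.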

 

Long story short — upgrades such as these are common and should be applied as early in the game as possible.  Find more information at:

http://wordpress.org/development/2009/07/wordpress-2-8-2/

07 17th, 2009

CEOs Require Remedial Security Training

Author: Shane

<Sorry for the poor grammar in this post.  Ah well, my point is pretty straightforward, so everybody except a certain number of CEOs should understand what I’m trying to convey, grin>

I’ll bet you any amount of money the ‘other execs’ mentioned in this story are the very same CIOs/CITOs that were hard hit a couple of years back, when people made a big fuss about them not doing their jobs.

Well, I’m glad to see that at least somebody within organizations learned their lesson.  As for the CEOs who believe they can successfully defend their infrastructure (without going over the top on security) and still maintain a viable business… tsk, tsk.

http://news.cnet.com/8301-1009_3-10288215-83.html?tag=mncol;title

07 17th, 2009

A week in the life of 3 Internet browsers

Author: Shane

Think that cross-grading your Internet browser will help to increase your computer’s security?  Think again!

Food for thought:

Google Chrome: http://download.cnet.com/8301-2007_4-10289789-12.html

Mozilla Firefox: http://news.cnet.com/8301-1009_3-10289205-83.html

Internet Explorer: Link overload!  See http://www.microsoft.com/