Here’s a snip from his June Crypto-Gram (you should subscribe to this!):

When I talk about “Liars and Outliers” to security audiences, one of the things I stress is that our traditional security focus — on technical countermeasures — is much narrower than it could be. Leveraging moral, reputational, and institutional pressures is likely to be much more effective in motivating cooperative behavior. This story illustrates the point. It’s about the psychology of fraud, “why good people do bad things.”

Along similar lines, some years ago Ross Anderson made the suggestion that the webpages of people’s online bank accounts should include their photographs, based on the research that it’s harder to commit fraud against someone whom you identify with as a person. Two excellent papers on this topic: 1 2

This really resonates with me. I’d like to think, generally speaking, that there aren’t good guys and bad guys, just people with different perspectives on different situations and institutions, and that pretty much everyone has some form of moral code, even possibly overlapping in many areas. Isn’t that really our only hope as a species?

I love my websites and servers and applications. I expose a lot of my toys on the internet, because it’s FUN and USEFUL. I try to apply the 80/20 rule in getting things done, doing 20% of the security I should to achieve an 80% benefit. I don’t have time to “do it right”, if that’s even possible. I know this is a terrible approach to network security, but it is my conscious choice. There is fun to be had.

The approach burns me on occasion, but I get by. I’ve been hacked twice in 10 years, not a bad record considering my approach. The second hack occurred recently. Some poor bastard in backwoods Russia or God-knows-where has been scanning and hacking WordPress sites with a backdoor approach to adding admin accounts. Once the admin account is set up, they inject redirection scripts into the php template code.

I have not taken the time to install all the WordPress updates the moment they come out – classic example of my slacker approach to security. So at some point in time, I got hacked. The sad part is that I did not even notice it until much later, when Firefox’s automatic malware detection kicked in and Google and StopBadware.org started denying me access to my own site.

Apparently the injected code had the capacity to install malware – not that I would know, being a Linux user. The cleanup involved purging all the injected php code, which was obfuscated with “eval(base64)” wrappers, and removing the hacked WordPress admin accounts.
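A defender-side check for the kind of cleanup described above, added here as an example and not the author’s code: it scans PHP sources for the “eval(base64)” wrappers (plain and the common gzinflate variant) and decodes each hidden payload for review instead of executing it. The theme files it scans are constructed samples, not files from the author’s site.

```python
import base64
import re
import zlib

# Matches eval(base64_decode('...')) and the eval(gzinflate(base64_decode('...'))) variant,
# tolerating whitespace and either quote style. Group 1 = optional wrapper, group 2 = blob.
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*(?:(gzinflate|gzuncompress)\s*\(\s*)?"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)

def decode_payload(wrapper, blob):
    """Recover the hidden PHP for review without ever executing it."""
    data = base64.b64decode(re.sub(r"\s+", "", blob))
    if wrapper and wrapper.lower() == "gzinflate":
        data = zlib.decompress(data, -zlib.MAX_WBITS)  # raw DEFLATE, like PHP gzinflate()
    elif wrapper and wrapper.lower() == "gzuncompress":
        data = zlib.decompress(data)                   # zlib-wrapped, like gzuncompress()
    return data.decode("utf-8", errors="replace")

def scan_php_sources(files):
    """files: {filename: source}. Returns [(filename, line_no, decoded_payload), ...]."""
    findings = []
    for name, source in files.items():
        for m in WRAPPER_RE.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((name, line_no, decode_payload(m.group(1), m.group(2))))
    return findings

def _deflate(text):
    """Raw DEFLATE (no zlib header), the encoding PHP's gzinflate() undoes."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(text.encode()) + c.flush()

# Constructed sample theme files: one clean, two carrying an injected redirect.
_REDIRECT = "header('Location: http://redirect.example/');"
_SCRIPT_TAG = "echo '<script src=\"http://redirect.example/r.js\"></script>';"
SAMPLE_FILES = {
    "header.php": "<?php get_header(); ?>\n<div id=\"page\">\n",
    "footer.php": "<?php wp_footer(); ?>\n<?php eval(base64_decode('"
                  + base64.b64encode(_REDIRECT.encode()).decode() + "')); ?>\n</body></html>\n",
    "functions.php": "<?php\n// theme setup\n eval(gzinflate(base64_decode(\""
                     + base64.b64encode(_deflate(_SCRIPT_TAG)).decode() + "\")));\n",
}

if __name__ == "__main__":
    for name, line_no, payload in scan_php_sources(SAMPLE_FILES):
        print(f"{name}:{line_no}: {payload}")
```

Pointing the same scan at a real theme directory means reading each .php file into the dict; a hit is a file to inspect and restore from a known-good copy, not something to trust after a single edit.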

The fact that I was potentially adding malware to the computers of people visiting my websites is enough to make me physically ill. Some of that paranoia and obsession required to achieve a moderate level of security has surfaced. My WordPress and Mediawiki sites are too rich and chock full of functionality for me to personally offer any real guarantee of their security – I have to rely on the popularity of their code base and assume issues get caught quickly. But the least I can do is upgrade them whenever a new stable release is available. Generally speaking, this is what keeps me on the internet, and it is no longer an optional activity.

The only other flaw in my setup of which I am painfully aware is due to virtual hosting restrictions. I do a LOT with my one little IP and my one little server (including truly free, truly legit SSL), but I cannot host more than one SSL virtual site on port 443. Just “the way things are”. I need to be diligent about redirecting secure traffic through the one configured SSL domain. But this is never easy.

The silver lining: the WordPress iPhone app now works! The pace of blogging should now improve from glacial to very infrequently. :>

Peace out.