
gunblogging psa

In the past week, two major firearm-related weblogs, including Old NFO's, have been hacked and some/all of their data was temporarily/permanently deleted/lost.

Once is an accident, twice is coincidence, three times is enemy action… and whether or not you believe in coincidence is up to you.

In general, you should be in the habit of changing/updating your passwords at least once a year, but if it has been that long (or longer) since you last did so, I would recommend going ahead and changing them, at least for whatever firearm-related weblogs you might run yourself. I have no way of knowing if this is a targeted attack (in all likelihood, it probably is not), but changing passwords does not hurt. In fact, given that Old NFO's bank accounts and other password-protected data were hacked as well, go ahead and change all your passwords.

A lot of folks I know recommend LastPass, but I am still stuck in the stone ages with hand-generated passwords… but hand-generated passwords that abide by the XKCD theory of password entropy. Still, $12 a year – I do far too many things on my Android to be able to survive without supporting it, and they only offer mobile support through their "premium" plan – is a small price to pay for some pretty hardcore security; the encryption they use for the information they store on their servers and your local computers is, well, absurd. In fact, the more I read about it, the more I am inclined to at least give it a shot…
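To make the XKCD entropy argument concrete, here is an added example (not code from the post or from any password manager) that computes bits of entropy for a few strategies, generates a passphrase with a CSPRNG, and checks the caveat that a phrase already on a known-password list is worth nothing. The word list and known-phrase set are constructed stand-ins; a real word list has thousands of entries.

```python
import math
import secrets


def entropy_bits(pool_size, length):
    """Bits of entropy when each of `length` symbols is drawn uniformly
    and independently from a pool of `pool_size` candidates."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count=4, sep=" "):
    """Draw `count` words with a CSPRNG. The log2(len(words)) bits per word
    only hold because the draw is random; a phrase picked by hand is not."""
    return sep.join(secrets.choice(words) for _ in range(count))


def effective_bits(passphrase, words, known_phrases):
    """Entropy an attacker actually faces: zero if the phrase is on a list
    of known/leaked passwords, else the full per-word figure."""
    if passphrase.lower() in known_phrases:
        return 0.0
    return entropy_bits(len(words), len(passphrase.split()))


def compare_strategies():
    """Typical pools: 26 lowercase letters, 94 printable ASCII characters,
    and 2048- or 7776-word diceware-style lists."""
    return {
        "8 random lowercase letters": entropy_bits(26, 8),
        "8 random printable characters": entropy_bits(94, 8),
        "4 words, 2048-word list": entropy_bits(2048, 4),
        "6 words, 7776-word list": entropy_bits(7776, 6),
    }


# Constructed stand-ins: a tiny word list (a real one has thousands of
# words) and a known-password set seeded with the comic's own phrase.
WORDLIST = ["anvil", "battery", "cloud", "correct", "fjord", "gravel",
            "horse", "ivory", "jungle", "kettle", "lantern", "meadow",
            "nickel", "orchid", "staple", "tundra"]
KNOWN_PHRASES = {"correct horse battery staple", "password", "123456"}

if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        print(f"{name}: {bits:.1f} bits")
    print(generate_passphrase(WORDLIST))
```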

Additionally, I would strongly recommend creating and maintaining backups of your weblog. WordPress can supposedly do this internally, but I have never been able to successfully execute the onboard script and download the file due to either the backup generator or the download command timing out; instead, I have been experimenting with UpdraftPlus, which backs up your database, plugins, themes, and uploads (but only uploads in the WordPress-created upload directory), and then pushes them to a DropBox, Google Drive, or a file on your own server for you to download. Better, it can do all of this on a schedule, so you can pretty much set-and-forget.

The plugin is free (you can buy a full version that unlocks some additional functionality – the free version works fine as is, though), so there are no guarantees, but it seems to work just fine on my notoriously persnickety host (so persnickety that their SQL admin panel cannot reliably create, save, and allow me to download an export of a <100MB database… go figure).

In parallel with the database backup, though, I would strongly recommend running a plugin like Better WP Security as well; this plugin watches for things like people attempting to brute-force your blog's usernames, or repeatedly loading bad pages (apparently this can be exploited in some way I do not fully comprehend), and then blocks those IPs. Obviously, the hackers can spoof IPs, but this cuts down on the attempts, even if only a little bit.
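The kind of logic a lockout plugin runs, as an added example written for this post (not Better WP Security's own code): it parses combined-format web server log lines, counts failed wp-login.php POSTs and 404s per IP, and reports IPs that cross a threshold. It assumes a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, counts over the whole input rather than a sliding time window, and uses constructed sample lines with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify(method, path, status):
    """Map one request to the event class a lockout plugin would count.
    Assumption: a failed wp-login.php POST re-renders the form (200),
    while a successful login redirects (302) and is not counted."""
    if method == "POST" and path.startswith("/wp-login.php") and status == 200:
        return "failed_login"
    if status == 404:
        return "not_found"
    return None


def flag_ips(lines, login_threshold=5, notfound_threshold=10):
    """Return {ip: [reasons]} for IPs at or above either threshold.
    Counts cover the whole input; real plugins use a sliding time window."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash
        kind = classify(m["method"], m["path"], int(m["status"]))
        if kind:
            counts[m["ip"]][kind] += 1
    flagged = {}
    for ip, c in counts.items():
        reasons = []
        if c["failed_login"] >= login_threshold:
            reasons.append("failed_login")
        if c["not_found"] >= notfound_threshold:
            reasons.append("not_found")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one IP hammering the login form, one probing for
# pages that do not exist, one ordinary visitor who logs in successfully.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [01/Jan/2013:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"'
     for i in range(6)]
    + [f'198.51.100.9 - - [01/Jan/2013:10:01:{i:02d} +0000] "GET /page-{i} HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
       for i in range(12)]
    + ['192.0.2.1 - - [01/Jan/2013:10:02:00 +0000] "GET /category/meta/ HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
       '192.0.2.1 - - [01/Jan/2013:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print(flag_ips(SAMPLE_LOG))
```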

Yeah, all this sounds like a lot of work, but it beats the pants off losing over seven years’ worth of work (in my case). Think about it.

11 comments to gunblogging psa

  • Matt in FL

    I’ve often wondered about the relationship between how big a fan of xkcd someone is, and the likelihood of them using “correct horse battery staple” as a password somewhere in their life. I may or may not use it myself (but probably do).

  • Honestly, I am somewhat surprised that phrase has not yet made it into the “top X passwords” list yet…

  • I hate to admit I often use the randomly generated initial password and let FF remember it. But mostly on lesser sites and my junk email. I won't divulge my better methods, but they are similar to xkcd's.

  • SouthernKahrCarrier

    I’ve been using a free password manager called KeePass for many years. My wife, who is not tech savvy, has no problem with it. It is not a plug in, but a separate program that can be installed, or run on a flashdrive. It’s on all my computers, my Droid, and my flashdrives.

  • Ted N

    I had no idea about the password programs, think I'll look into them, since most of my security is just keeping a low profile. Dumb luck is not the best of security ideas anymore.

  • Thanks for the pointer to UpDraft. That’s exactly what I’ve been looking for; just set it up on several sites and it’s working beautifully.

  • Keepass is free, has an android app, chrome and firefox integration, and runs in linux.

    Problem solved. (Also if you have an SSH server on your shell hosting you can keep your key file in your personally controlled cloud.)

    The wife and I both use it and love it.

  • @ dave w: Yeah, there are all kinds of methods for generating secure passwords, but the problem is that I have 100+ sites that all require passwords, and I cannot remember 100+ passwords myself. Then, how do you group them together, knowing that if one site in that group gets compromised, they all do?

    Password storage systems seem to be the only alternative…

    @ SouthernKahrCarrier and @ Barron Barnett: So I have been tinkering around with KeePass as well, and I think LastPass is superior to it on three points.

    First, no web interface. KeePass does offer their no-install, standalone executable that can happily live on a flashdrive or whatnot, but that assumes you have the flashdrive with you, or are on a machine where you can download something to it.

    Second, you have to have somewhere to synchronize your password database to. Like Barron mentions, you can FTP them yourself, or if you have Dropbox, you just generate the database in your Dropbox folder and call it a day (the database is encrypted, heavily, so who cares?), but it is still another layer of abstraction, and complicates using the password manager on non-every-day machines.

    Third and finally, while there is technically Chrome integration, it is a bit… concerning. The KeePass site indicates you need to download the ChromeIPass plugin for Chrome, which you do, and it is available from the Chrome plugin library Google maintains… But then ChromeIPass indicates you need to download KeePassHTTP in order to make it work, and the latter plugin is mentioned nowhere on the KeePass site. Given KeePass is open source, everyone can make plugins for it easily, but the more things that are touching my passwords, the less sanguine I get.

    In short, I dunno. Specifically, I dunno if $12 a year is worth not having to deal with all of that…

    @ Ted N: Security through obscurity is a good start, but when it fails, it fails hard.

    @ Nick: Not a problem! WP’s built in export/import functionality frankly sucks for larger/older sites, so an alternative that can actually deal with server loading and upload problems is definitely a good thing.

  • The CSS on my site was effed up over the evening. I wasn’t hacked, I just installed a plugin that messed everything up. :)

  • Sucks indeed. I was using a sub-optimal thing I wrote in Perl to do the DB backup and shuttle it to my home machine through a somewhat unstable SSH tunnel. You know what I call WP -> Google Drive -> my machine via Drive sync? WINNING.

  • @ ExurbanKevin: Was more referring to NFO’s and Caleb’s blog. The former did not lose anything. The latter lost about a year’s worth of posts.

    @ Nick: Bingo. Drive / Dropbox can part out downloads/uploads, so even if you do time out, it will pick up right where it left off. Standard webservers doing whatever it is they do? Not so much.