CISA Is Coming

By the end of the week CISA will be passed into law. Have you read it? There’s really not much to it, as it’s designed like Obamacare — granting a government department the ability to develop its own policies, procedures, rules and exceptions, as long as they follow rather generic rules about collection and disclosure.

CISA provides businesses immunity from all liability and antitrust laws if they share “automated” data — even if doing so is in direct violation of their own terms of service or contracts.

The “immunity” is written rather interestingly. Not only does it immunize businesses that share information about their customers, but it also provides immunity to any individual hacker that actually performs attacks against any US individual or business as long as they share “some” of their results with the government. The government essentially provides free rein for the creation of a new class of American trespasser/digital B&E, as long as they tithe the State.

CISA allows the federal government to collect all digital data, permanently, to “fight terrorism.”

It allows this data to be used to “regulate” the lawful activities of ordinary Americans, as long as the data isn’t collected “only” for that purpose (and since it’s collected to “fight terror”, it gets an immediate green light). This means they can create a database collecting every email relationship to ferret out personal details, for example collecting political leanings and using that information to create lists of gun owners, gays, and foodies. The information can then be used to target them the same way the IRS targeted conservatives or Hitler targeted Jews.

One of my main concerns is that this will eventually lead to a US-based equivalent of the Great Firewall of China. The last thing the US needs as we head to war with Russia, and inevitably China, is any real or perceived cap on our ability to obtain legitimate news from the rest of the world. We’re sure not going to get it at home.

The most terrifying aspect of the law is that it only requires the new government department to report to Congress every two years, while the security implications of pretty much all digital activity change, literally, from minute to minute. Most tech security automation today is designed to auto-expire attack and hack filters within 24 hours. This means that by the time Congress is able to act on specific implementations or changes, years may have passed.

Just remember: when Rand and Bernie agree, something is very wrong.

Happy Independence Day!

Happy Independence Day, everyone! Please take a moment to remember what this day represents: standing up to oppression and a statement of freedom.

This day is not about the formation of the United States, but of the dissolution of the bonds the American colonists had with England, a remote entity who didn’t share their values, interests or goals. England imposed her will on the colonists without proper representation — deciding their fates based on grand self-interest.

The current administration usually adorns these types of declarations with one of the adorable phrases “we can’t wait” or “for the children.” Nevertheless, these are abuses on their face and no amount of decorative wording can justify these actions.

The great men we call the Signers and Founders did not start by creating a new government to replace what they had, but first agreed that, whatever might happen, what they had was severely broken, and that, regardless of what MIGHT come in the future, what they were already subjected to was simply unacceptable.

The Signers had no way of knowing that several years in the future their efforts would eventually lead to a functional democratic republic.

As a developer I believe in having a true understanding of all inputs and potential complications before opening up an IDE, but when your life and liberty are on the line it’s all too often important to act impulsively. Remember this the next time you’re treated like a war criminal for refusing to submit to bogus “authority,” are threatened with force if you dare step outside your “free speech zone” or are declared an enemy combatant simply for disagreeing with Dear Leader.

The Declaration of Independence, for which this holiday is named, identifies twenty-seven (27) distinct classes of violations against the colonists. Fully twenty-two (22) of these are being actively repeated by the current administration and other recent administrations. Of the remaining five, three are likely already happening as well — the incomprehensible lack of government transparency shrouds far too many of their actions. Moreover, there are plenty of additional offenses against us taking place each and every day, such as the gross invasion of our privacy by the NSA. Are we really supposed to believe that “person, papers and effects” doesn’t include our computers, telephones or travel?

Since the passage of the 16th amendment, which provided the federal government with its very own wishing well, our nation has gone to hell in a hand-basket. Over the last hundred years our nation has decayed more and more, providing a roost for some of the worst mankind has to offer. From war profiteering to false flags to backroom deals for lobbyists… our elected representatives would do well to wear the logos of the brands and companies who sponsor each of their activities, for so rarely are they truly representing the interests of their actual constituents. We can no longer stand idle while these people perform their ghastly deeds in secret, in our names. Sadly, “voting the bums out” when the only alternatives proffered are two sides of the same coin isn’t a realistic solution.

The worst part of it is that this has been in the works for so very long. Our nation flounders because we are so easily divided. The last several Presidents, while on television during (and I use this term in protest) “debates,” portrayed their actions and positions as heatedly different, yet each performed in exactly the same ways. Taken as a whole, there has been nothing done by any of them to distinguish them from one another. You would be hard-pressed to look at the individual actions of any of them and identify exactly which person, or which political party, had done them.

Not to be outdone, Congress alternates between doing nothing at all and doing everything wrong. Personally, I would rather survive without the added oppression imposed by “look-busy legislators”, so I pray for stalemate rather than compromise. My darling wife is very fond of saying, “when both houses of Congress agree — you can be sure there’s a greater-than-normal conspiracy underway.” Some of the greatest offenses against the American public have been at the hands of a united and near-unanimous majority. Sigh.

This month I’m going to write about each of the reasons the Signers declared independence from England and how that applies to our lives today. After 238 years, are we falling into the same trap? Come back and visit. And tell a friend.

-Shawn

Sneaky Tricks Hackers Use to Target WordPress

Security is on everyone’s mind these days, but be careful where you’re getting your information. Be sure you’re getting expert advice before you proceed, or you could find yourself in trouble.

3 Sneaky Tricks Hackers Use to Target WordPress Sites

The open source nature of WordPress has one downside, and if you’re not careful it could ruin your online business. I know this because it happened to me. Just a few months ago, I had a hacker hijack a WordPress site that was consistently earning me several hundred dollars a month.

The hacker:

  • Blocked all logins from my IP address
  • Deleted 217 pages of content, including over 50 pages of premium membership content.
  • Posted 182 spam articles on my site, all of which were visible from the home page and which tanked my search engine rankings.
  • Changed the admin account to their email so that I could not update my password OR get back into the site


Brute force authentication attacks are pretty simple to avoid – at the server level. If your host doesn’t already provide some form of brute force protection, talk to them about it or get a new host.

If an attacker has the ability to gain control of your site through a vulnerability on another site on the same server, your permissions are set up *very* wrong. Get a new host.

MD5 and SHA are *hash* methods, not encryption methods. There’s an enormous difference between the purpose, function and operation of these techniques. Notably, hashes are not reversible. WordPress “salts” these hashes to make them more secure. On this point, it would be better for users to ensure they’ve properly created their keys and salts in wp-config.
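
One way to check the wp-config point above, added here as example code (not from the original post or from WordPress itself): it scans a wp-config.php body for the eight key and salt constants WordPress defines and flags any that are missing, still carry the sample file's placeholder, are shorter than the 64 characters the wordpress.org generator produces, or are reused across constants. The sample config is constructed.

```python
import re

# The eight secret constants WordPress expects in wp-config.php.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64  # the wordpress.org secret-key generator emits 64-character values

# Matches define( 'NAME', 'value' ); with either quote style and loose spacing.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def parse_defines(config_text):
    """Return {constant: value} for every define() in a wp-config.php body."""
    return {name: value for name, _quote, value in DEFINE_RE.findall(config_text)}

def audit_salts(config_text):
    """Return (constant, problem) findings; an empty list means all eight look sane."""
    defines = parse_defines(config_text)
    findings, seen = [], {}
    for name in WP_SECRET_CONSTANTS:
        value = defines.get(name)
        if value is None:
            findings.append((name, "missing"))
            continue
        if value == PLACEHOLDER:
            findings.append((name, "default placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "shorter than %d characters" % MIN_LENGTH))
        if value in seen:  # each of the eight must be distinct
            findings.append((name, "duplicates " + seen[value]))
        else:
            seen[value] = name
    return findings

# Constructed sample fragment (not a real site's file): three weak values, one constant missing.
SAMPLE_CONFIG = "\n".join([
    "define('AUTH_KEY',         'put your unique phrase here');",  # placeholder left in
    "define('SECURE_AUTH_KEY',  '%s');" % ("B" * 64),
    "define('LOGGED_IN_KEY',    'short');",                        # far too short
    "define('NONCE_KEY',        '%s');" % ("D" * 64),
    "define('AUTH_SALT',        '%s');" % ("B" * 64),              # reuses SECURE_AUTH_KEY
    'define("SECURE_AUTH_SALT", "%s");' % ("F" * 64),
    "define('LOGGED_IN_SALT',   '%s');" % ("G" * 64),
    "define('DB_NAME', 'wordpress');",                             # NONCE_SALT is absent
])
```

Running `audit_salts(SAMPLE_CONFIG)` reports the placeholder, the short key, the duplicated value and the missing NONCE_SALT; a clean config returns an empty list.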

@3 – You can’t completely control username exposure on multisite, and even on regular WordPress some themes render the username within the output.

@5 – Domain privacy offers NO protection whatsoever. It takes all of a few minutes to file a request with the registrar for the actual data, and in many cases they’re obliged to provide it. And most registrars (notably GoDaddy) that provide domain privacy do so at the cost of not effectively relaying domain contact attempts. This is important because it means that an attacker can send (and they do) fraudulent DMCA takedown notices to the registered “private” domain email address, CC the registrar and webhost, and since you don’t receive or respond to the message in a timely fashion, your host and/or registrar will disable the site. This is just as bad as getting hacked.

Even if domain privacy did protect your contact information, your site could not operate if your name servers were not exposed, which is how visitors are able to find out the IP address, which is what your point here is really about. There’s no way (outside of perhaps setting up your domain behind a proxy) to prevent direct access to your content.

@6 – If you aren’t familiar with managing WordPress, you probably shouldn’t be responsible for an entire server, and all the other services and applications you would need to maintain for it, either. It would be better to look into a “managed” provider.

@8 – While updating plugins and themes is important, blindly installing updates is not good either. Several times in the past, updated plugins or themes have included exploits or security regressions (si-captcha, addthis, w3tc and wptouch for example). If you’re a security-minded coder, review the code before you install updates. If you’re not, you should probably find someone who can help keep an eye out for you.

@9 – The implication here is that just because a theme or plugin is “paid” that it’ll be of higher quality. Sadly, that’s not the case. WPMU.org had an article on this very topic only last year.

While you’ve included some good advice here, too, I’m afraid you’re mixing in too much myth and misunderstanding to be ultimately good for the typical user.
