Category Archives: Security

Fat is good for us, really

I am amazed by the low-fat marketing movement. People all around me in America seem obsessed with the idea that removing fat from your diet somehow makes you healthy. From a risk management perspective this makes no sense to me.

It should be common sense just from observing nature. Take the bear, for example. A bear that catches a fish will tear just the fat of the salmon off (with the skin) and then discard the rest. Birds of prey then take the meat from the bones left behind.

Would a bear target fat and skin if it was so unhealthy? We do not live like bears, of course, and there is no accounting for taste, but observing them can give us a clue about how to live.

CBS News does a nice job making this point in a much more scientific manner in their article called Friendly Fats — and Fiendish Ones:

According to the National Institutes of Health, about 35 percent of the calories you eat per day should come from fat, as long as most are from healthy, plant-based foods. That’s about 60 grams a day for most of us, or roughly 15-20 per meal.

Note the reference to “healthy” foods. The irony is that fat has become bad because of the movement by the food industry to create artificial non-fat versions of fat. Follow me? Marketing fat as bad is what created demand for non-fat substances that turn out to be far worse than the fat itself. The industry telling you to buy non-fat, in other words, is the same industry that is making fat bad for you. Trans-fats are the perfect example:

There’s no good news here! Man-made trans-fats, found in foods like crackers, cookies, baked goods and fast food, are crafted from partially hydrogenated oil, which means liquid oil that had hydrogen added to it to make it solid. It’s been shown to boost weight gain and belly fat even when the exact same number of calories are consumed and the percentage of total fat is identical. Trans-fats have also been linked to an increased risk of infertility. One study found that infertility risk jumped by a whopping 73 percent with each 2 percent increase in trans-fat.

I will never forget a security product company where I worked that kept an unlimited and free supply of trans-fat filled products available for employees.

A whole cabinet full of boxed and bagged food products would disappear in just one day. I asked them if they were aware of the risks to their employees from the trans-fats, to which they replied “we can not afford to buy the fancy food”. Save money? They paid for the insurance to treat all the employees who were affected by the bad fat in the cabinets. Moreover, productivity is surely impacted by the bad fat. A risk management view would ban the artificial fats and bring in the good fats.

Let me make a finer point here about this company. It was a security product company. They had a marketing campaign to sell security products for unknown and unquantified risks. Their campaign was sometimes even based on just fear — buy this product or you could suffer the consequences. They were very successful and very proud of making hundreds of millions of dollars on this fear-based strategy. Yet, without any awareness of irony, when it came to evaluating risks for their own employee health they found it better to save money than reduce a clear and known danger.

Clear and known to whom? The risk of trans-fat, to be fair, has been mixed into deceptive marketing practices.

Unfortunately, food products can claim to provide zero grams of trans fat if the food contains less than 0.5 grams per serving (to identify this “hidden” trans fat, check the ingredient list for the words partially hydrogenated). And, a product can also be labeled trans-free if it’s made with FULLY hydrogenated instead of partially hydrogenated oil. Technically, fully-hydrogenated oils are trans-free, but they’re not risk-free. A Brandeis University study found that eating products made with fully hydrogenated oil (a trans-free alternative to partially hydrogenated oil) may lower HDL, the good cholesterol, and cause a significant rise in blood sugar (about 20 percent).

The bottom line is that unprocessed food is increasingly found to be the source of nutrition with the least risk to health. A simple risk calculation should make fat the hero and non-fat the zero, and the CBS report is a great sign of things turning in the right direction.

This trend could take a while. I believe the current chemical non-fat fascination is from as far back as the 1950s when the industry focused on making food sanitized to be healthy. The marketing has been so effective I hear some people say they would rather eat pesticides than see a worm or a blemish. Obviously those people have no idea about risk.

Those within the industry who are working against the grain have found things can get ugly.

“The tomatoes you find in the supermarket taste like cardboard,” [Joe Procacci] said. “We’ve come up with something consumers want. It tastes great. But they won’t let me market it.”

He speaks of the Florida Tomato Committee, an obscure but powerful group of tomato growers who regulate the quality of tomatoes shipped out of state. To some, many UglyRipes are the Frankenstein of the breed: misshapen, wrinkled and scarred tomatoes that look as though they’ve been to war.

Not the face many Florida tomato farmers want the world to see.

Quality? Who in their right mind would want to measure the quality of food by appearance alone? Yet that is exactly what has happened.

“Let’s take the Miss America pageant,” said Dan McClure, a member of the committee from Palmetto. “How often have you seen an ugly woman in the pageant? The same thing applies here.”

The committee to sell you tomatoes apparently just wants to win your business at the most superficial and least important level possible. After that, they do not care what happens to you. If that does not scream bad risk management, I am not sure what does.

Shelf-life is important. Cost is also important. However, they are not the most important, and the non-fat movement should be put back into the box. A better measure of quality is taste as a short-term goal. An even better measure is health, as a long-term benefit, and from those two measures we should see that fat is good for us, really. So the next time you hear an American holding a non-fat drink and eating a non-fat muffin rant about how much they love/hate bacon, just say “I agree *fat* is great but it is even better from healthy, plant-based foods”.

Logs, fish and whiskers

I remember hearing that to catch a fly you have to sneak up on it so that it does not feel any movement of air. That is why fly-swatters are mesh instead of solid and why you should open your fingers instead of keeping them together.

A BBC report about seal whiskers illustrates this concept. Whales and dolphins use echolocation, but seals use their whiskers to detect and analyze the flow of water around them. They have an impressive level of sensitivity:

The seal was able to sense and indicate the direction in which the fin travelled up to 35 seconds after the movement had stopped.

[…]

“They seem to be able to discriminiate [sic] between different shapes, which might even mean they discriminate between different species of fish”

It is easy to see how survival has been the impetus to develop both echolocation and whisker sensitivity. Finding food and avoiding predators are the benefits to animals of collecting and analyzing the flow of air and water.

Might be interesting to reflect on this the next time a breeze touches your skin or a faint sound can be heard in the distance. Which way is the unknown object moving? How fast? How big?

More to the point, however, is that the story is a great analogy for log management. Organizations need to stay on top of opportunities and threats. Some of the richest sources of this information can be found in the logs generated by their systems.

While it is common for an organization to see many of the opportunities (e.g. web site clicks and hits), too often I find they do not see how the same information can be used to give a clear warning of threats. That is probably because executives today have an unclear concept of catastrophic network and system threats, unlike the seal, which apparently has a very clear idea of shark-ness.

Perhaps the brain allocates food detection to one area and threat avoidance to another. Which one is dominant for the seal? Which one is dominant in your organization? Can you recognize a shark using your logs and tell its size, direction and speed?

WordPress Hack and Security Settings

Many hosted WordPress sites were hacked in April and May. GoDaddy in particular had a large number of sites affected. If you believe Slashdot, the exploit triggers on traffic referred from Google.

No word yet on how exactly attackers are getting into sites, but several blogs such as here, here and here explain how to tell if you are hacked and how to clean up.

I have yet to see any official explanation from GoDaddy or any other hosting provider. Some sites speculate about brute force attacks on the admin account, but that is unlikely. It looks more like another flaw related to PHP and permissions, similar to the BUZUS attack in April. The result of that was the recommendation to change the wp-config.php permission to 0640 (instead of 0750). Some have suggested attacks come from shared/co-tenant systems where malicious users search for readable wp-config.php files to steal database credentials.

Nonetheless, assuming you have already hardened Apache and PHP and changed your file permissions (755 on the directories wordpress, wp-includes, wp-content/themes, wp-content/plugins, wp-admin, wp-admin/js, wp-content and 644 on the files .htaccess, wp-admin/index.php), here are a couple of suggestions to better protect administrative access to a WordPress installation:

  • Change the admin username: locate the user_login column in the user table of your database and change the admin row to something unique
  • Create a .htaccess file in the wp-admin directory. You can either restrict admin by IP or by password. Here is an example that will force authentication by password:

    # Password file; keep it outside the web root (path as in the post's example)
    AuthUserFile /etc/httpd/htpasswd
    AuthType Basic
    AuthName "restricted"
    # Deny every client address, then let a valid login satisfy access instead.
    # To allow a trusted address without a password, add an "Allow from <ip>" line
    # after "Deny from all"; "Satisfy any" grants access when either check passes.
    Order Deny,Allow
    Deny from all
    Require valid-user
    Satisfy any

You also should consider installing the SecureWordpress and WP Security Scan plugins.
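As an added example (mine, not from the original post or from WordPress), here is a shell audit that turns the permission list above into a check you can run against an install; it assumes GNU stat (falling back to BSD stat) and treats the post's wordpress directory as the install root:

```shell
#!/bin/sh
# Added example: audit a WordPress install against the permissions the post
# recommends. Assumes GNU stat (BSD stat as fallback) and that the install
# root is the "wordpress" directory from the post's list.

# Print a path's permission bits in octal, e.g. 755.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_mode ROOT RELPATH EXPECTED: print one finding line; return 1 on a
# missing path or a mode that differs from EXPECTED.
check_mode() {
  root=$1; rel=$2; want=$3; path="$root/$rel"
  if [ ! -e "$path" ]; then
    echo "MISSING  $rel"; return 1
  fi
  have=$(mode_of "$path")
  if [ "$have" != "$want" ]; then
    echo "MISMATCH $rel is $have, expected $want"; return 1
  fi
  echo "ok       $rel ($have)"
}

# audit_wordpress ROOT: check every path named in the post; the return value
# is the number of findings, so 0 means the install matches the guidance.
audit_wordpress() {
  root=$1; findings=0
  for d in . wp-includes wp-content wp-content/themes wp-content/plugins \
           wp-admin wp-admin/js; do
    check_mode "$root" "$d" 755 || findings=$((findings + 1))
  done
  for f in .htaccess wp-admin/index.php; do
    check_mode "$root" "$f" 644 || findings=$((findings + 1))
  done
  # wp-config.php holds the database credentials; 0640 keeps it unreadable by
  # other accounts on a shared host, which is the theft path the post describes.
  check_mode "$root" wp-config.php 640 || findings=$((findings + 1))
  return "$findings"
}

# Usage: sh wp-perm-audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
  audit_wordpress "$1"
fi
```

Run it from a shell on the host after a clean-up or a hosting move; a non-zero exit status is the count of paths that still differ from the post's recommendations.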

In related news, WordPress itself was down today. Apparently over 9 million sites were affected by a network configuration error (spanning-tree).