
The Joy of Getting Hacked - kawera
http://waxy.org/2015/12/the_joy_of_getting_hacked/
======
ZenoArrow
Perhaps there are good reasons why this hasn't happened yet, but I'm surprised
that the bulk of Wordpress-based websites don't split the editing of content
from the display of content.

What do I mean by this? Imagine you have two servers. Server 1 has WordPress
installed, and is where you manage your website content. Server 2 does not
have WordPress installed, but instead displays a static copy of the WordPress
content, which is updated by a script on Server 1 whenever new content is
published.

What are the advantages? First of all, Server 1 can be very heavily locked
down. You can keep it accessible only over a VPN or ssh tunnel, you can keep
it unlisted from search engines, you don't even need to register a domain name
for it. Secondly, due to the static nature of the content served on Server 2,
site performance and scalability are going to be excellent, and it'd be easy to
manage a cluster of "Server 2's" if a single server isn't fast enough.

What are the disadvantages? You have to rely on a third party solution like
Disqus if you want to have comments on the content you create. Same for
shopping cart functionality. Also, you may not be able to have a Wiki. I can't
think of any other disadvantages.
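The publish step described above, as an added example that is not part of the original comment and is not WordPress code: a script that runs on the locked-down editing server, mirrors the rendered site, rewrites and then checks for any surviving reference to the private host, and ships the tree to the public server over rsync. The hostnames, the `deploy` user and the web root are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original comment or from WordPress:
# a publish script for the two-server split sketched above. Server 1 runs
# WordPress on a private, VPN-only address; this script mirrors the rendered
# site, rewrites any reference to the private host, refuses to ship if one
# survives, and rsyncs the result to a public host that runs no PHP at all.
# All hostnames, the user "deploy" and the web root are assumptions.
set -eu

EDIT_URL="${EDIT_URL:-http://wp.internal}"              # private WordPress (Server 1)
PUBLIC_URL="${PUBLIC_URL:-https://example.com}"         # what visitors see (Server 2)
PUBLIC_HOST="${PUBLIC_HOST:-deploy@public.example.com}"
PUBLIC_ROOT="${PUBLIC_ROOT:-/var/www/html/}"

# Fetch a static copy of the site. --adjust-extension gives .html names,
# --convert-links rewrites in-site links to relative paths, -nH drops the
# leading hostname directory so the tree can go straight into a web root.
mirror_site() {
  wget --quiet --mirror --page-requisites --convert-links --adjust-extension \
       --no-parent -nH --directory-prefix="$1" "$EDIT_URL/"
}

# Replace every remaining absolute reference to the editing host in one file
# (feeds, canonical tags and inline CSS keep absolute URLs). Portable: writes
# a temp file instead of relying on GNU sed -i.
rewrite_hosts() {
  file="$1"
  tmp="$file.tmp.$$"
  # Escape regex metacharacters in the URL; '|' is the sed delimiter because
  # the URLs contain '/'.
  esc=$(printf '%s' "$EDIT_URL" | sed 's/[.[\*^$]/\\&/g')
  sed "s|$esc|$PUBLIC_URL|g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of files under a directory that still mention the private host.
# Publishing is refused unless this is 0, so the internal address never leaks.
leaked_refs() {
  grep -rl --fixed-strings "$EDIT_URL" "$1" | wc -l | tr -d ' '
}

# Mirror, scrub, check, ship. Run this from cron or from a WordPress publish
# hook on Server 1; Server 2 only ever receives files over rsync/ssh.
publish() {
  work=$(mktemp -d)
  mirror_site "$work"
  find "$work" -type f \( -name '*.html' -o -name '*.css' -o -name '*.js' \
       -o -name '*.xml' -o -name '*.json' \) | while read -r f; do
    rewrite_hosts "$f"
  done
  if [ "$(leaked_refs "$work")" -ne 0 ]; then
    echo "refusing to publish: private host still referenced under $work" >&2
    return 1
  fi
  # --delete removes pages that were unpublished on Server 1.
  rsync -az --delete "$work/" "$PUBLIC_HOST:$PUBLIC_ROOT"
  rm -rf "$work"
}
```

The leak check is the part worth keeping even if the rest is replaced by a static-site generator: a single absolute link to the editing host in a feed or a `<link rel="canonical">` is enough to hand a crawler the address you went to the trouble of hiding.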

~~~
crnm
This is how Octopress/Jekyll/Ghost/other platforms work.

You have a backend which when you create a post just regenerates static HTML
files, and then you just serve the static HTML files.

There are obvious drawbacks like you mention.

Now that Wordpress is moving to node there is probably more opportunity for
these types of security optimizations.

~~~
nissehulth
Don't hold your breath while waiting for WordPress to be based on node. That
PHP code base will be around for most of our lifetime. :)

------
dijit
I suspect there will be quite a lot more stories like this now that businesses
are seeing "devops" as meaning a developer that must do operations/sysadmin
activities.

Not everyone can be versed in everything. And not every company can afford to
learn from this mistake, they must learn from others.

~~~
overgard
"devops" really terrifies me. I think the idea is that you have less friction
if you have an operations person that also understands development, or vice
versa. But! You're still asking one person to do two jobs. And they really are
two very distinct jobs. Are they being paid double? To me, it just seems like
cheaping out on having a proper operations person, which really is a full time
job. It's understandable if you're a cash-strapped startup... but let's not
pretend it isn't what it is.

~~~
olefoo
It's unfortunate but predictable that a movement that started off as an
attempt to find a way out of the swamp has been coopted into the service of
the standard ideology of extracting as much work from labor as possible.

Fixing the issues with both development and operations that result in bad,
insecure software and poor user experience all the way around is a worthwhile
goal.

Putting the team focus on delivering complete software systems that support
traceability, manageability and testability is the whole point of "devops" if
the term means anything at all.

It's not about running Ruby scripts as root, or containerising every last
script in your environment. It's about building better systems in a manner
that's more humane to all concerned.

~~~
dijit
Except now recruiters and hiring managers do not see it this way, they see it
as Developers can do Operations tasks. Which is what I was saying, and what the
parent was mentioning.

DevOps by itself is a noble cause, putting developers with operations in order
to smooth a pipeline, but invariably it just means 1 person with both
skills/disciplines.

And like they say, a jack of all trades is a master of none.

(but I suppose better than a master of one?)

~~~
olefoo
It's like every other broad movement in IT.

It starts with very smart people taking a look at the processes and outcomes
they are using and deciding they are broken.

They come up with some solutions and some tools to support their new processes
and start sharing them with their peers.

The new techniques have some notable successes and several members of the
original group find themselves drawn into teaching/evangelizing the new
methods. To make communication easier catchphrases and buzzwords intended to
be a shorthand for a suite of methods become popular.

Buzzword compliance becomes a checkbox feature for groups, companies and
individuals each of whom have varying levels of skill and understanding and
the buzzwords become diluted and more closely associated with specific
tooling.

At this point the original group is crowded out by people who are serial
evangelists, and enterprise sales become more important than sharing knowledge
with peers. Job descriptions start to lose contact with reality.

The movement becomes mainstream as a grotesque caricature of itself driven
mostly by the greed-fueled hype train.

At which point someone looks around and declares that the processes are
broken... and the whole cycle repeats.

See: object-orientation, agile, scrum, devops, etc.

------
zwetan
a bit surprised by the move to digital ocean as a magic silver bullet that
solves all the problems

no, you just moved the problem "away" to "oh it's a virtual instance, so if
anything goes wrong I can restore from backup"

I don't see how this protects from being hacked?

if you run a server, not maintaining it is what makes it hackable.

so yeah reading the digital ocean tutorials can be a good start, like reading
the ubuntu server guide
[https://help.ubuntu.com/lts/serverguide/](https://help.ubuntu.com/lts/serverguide/)
, but it will never replace the time you invest in your server, e.g. doing
sysadmin.

It does not have to be hard, it just has to be done and on a regular basis.

It's like a car, motorcycle, bicycle, etc. you need to spend the time to
change the oil, check the tire pressure, and all those little things that are
simple but necessary ... otherwise it gets rotten with time.

~~~
3pt14159
What I like about Digital Ocean is that I can separate out my "risky" servers
(you know, when a client wants to use Wordpress, or when they mandate an out
of date version of a library because it works with some of their existing
codebase) onto $5 instances. I never put full Github keys on them and with
regular backups, the damage is mitigated.

When you go with a single server any one hack can take out your entire
database, like what happened here.

~~~
kawera
Same for me. The overhead of managing several instances is largely compensated
by the peace of mind (thanks Ansible!).

~~~
3pt14159
Also the Digital Ocean API is pretty awesome, although I wish they would
return the public key when you make a new droplet. I've had to resort to
stuffing one onto the server during a server creation script.

~~~
kawera
Libcloud is great and will solve your public key issues if I understood you
correctly.

[https://libcloud.apache.org/](https://libcloud.apache.org/)

[https://github.com/apache/libcloud](https://github.com/apache/libcloud)

------
kmfrk
I get less and less comfortable using my Fever RSS reader
(www.feedafever.com), which was made before FireSheep and HTTPS were part of
the public conversation.

I don't know of any services that come close, but although I don't have
anything particularly incriminating in my feed, it's still a shitty feeling to
know that you're a bored script kiddie away from all that getting owned.

It also reminds me of the self-hosted fad a while back (around the time Docker
came around) where people still didn't want to fork over the money to get SSL
for all their personal health data and whatnot.

~~~
dexterdog
There have been free ssl options for a long time. Now there is letsencrypt so
there is really no excuse.

------
deckar01
The same thing happened to me last week:

- Giant shared server full of old PHP projects* gets owned.

- Logs show an automated tool was brute forcing a vulnerable SQL injection
vector for weeks before getting through.

- Backed up server for analysis and removed malicious content.

- Setup new ModSecurity rules, fail2ban, and fixed vulnerable code.

- Started moving stuff to Digital Ocean.

* Not my server or projects, but recently my responsibility.
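The "weeks of automated probing in the logs" and the fail2ban step above, as an added example that is not from the original comment and is not fail2ban's or ModSecurity's own code: a script that ranks source addresses in a combined-format access log by SQL injection probes, and prints a fail2ban filter and jail that ban on the same signal. The log lines are constructed for this example (addresses from the RFC 5737 documentation ranges), and the filter and jail names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original comment or from fail2ban/ModSecurity:
# find the weeks of automated probing described above in a combined-format
# access log, and print a fail2ban filter/jail that bans on the same signal.
# The log lines are constructed; the filter name "sqli-probe" is an assumption.
set -eu

# Markers of SQL injection probing in the lower-cased, partly url-decoded
# request line. Deliberately crude: the goal is to rank sources, not to be a
# WAF, and one false positive does not matter at a threshold of 5.
SQLI_PATTERN="union +select|sleep[(]|benchmark[(]|information_schema|' *(or|and) |'--|/[*]"

# Constructed sample: one automated scanner, one one-off probe, normal traffic.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Dec/2015:03:14:01 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 213 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Dec/2015:03:14:02 +0000] "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Dec/2015:03:14:03 +0000] "GET /item.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 4980 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Dec/2015:03:14:04 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Dec/2015:03:14:09 +0000] "GET /item.php?id=1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 200 7710 "-" "sqlmap/1.0-dev"
203.0.113.7 - - [10/Dec/2015:03:14:10 +0000] "GET /item.php?id=1%27%20AND%20BENCHMARK(1000000,MD5(1))%27 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev"
198.51.100.9 - - [10/Dec/2015:03:20:00 +0000] "GET /item.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 4980 "-" "curl/7.45.0"
192.0.2.4 - - [10/Dec/2015:03:21:15 +0000] "GET /item.php?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Dec/2015:03:21:16 +0000] "GET /about/?q=rock%20%27n%27%20roll HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" for every client whose request lines matched, busiest first.
sqli_hits() {
  awk -v pat="$SQLI_PATTERN" '
    {
      split($0, q, "\"")          # q[2] is the request: METHOD URI PROTO
      req = tolower(q[2])
      gsub(/%27/, "\047", req)    # decode the encoded single quote
      gsub(/%20/, " ", req)       # and the two common encodings of a space
      gsub(/\+/, " ", req)
      if (req ~ pat) hits[$1]++   # $1 is the client address
    }
    END { for (ip in hits) print hits[ip], ip }
  ' "$1" | sort -rn
}

# Addresses with at least N hits (default 5): what a ban rule would act on.
sqli_candidates() {
  sqli_hits "$1" | awk -v n="${2:-5}" '$1 >= n { print $2 }'
}

# Equivalent fail2ban filter and jail. fail2ban does not url-decode, so the
# encoded forms are listed explicitly, and its ini-style interpolation means
# a literal % is written %%. Case-insensitivity is spelled out rather than
# relying on regex flags.
print_fail2ban_config() {
  cat <<'EOF'
# /etc/fail2ban/filter.d/sqli-probe.conf
[Definition]
failregex = ^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST) \S*(?:(?:union|UNION)(?:\+| |%%20)+(?:select|SELECT)|(?:sleep|SLEEP)\(|(?:benchmark|BENCHMARK)\(|information_schema)
ignoreregex =

# /etc/fail2ban/jail.local
[sqli-probe]
enabled  = true
port     = http,https
filter   = sqli-probe
logpath  = /var/log/apache2/access.log
findtime = 600
maxretry = 5
bantime  = 86400
EOF
}
```

Run `write_sample_log /tmp/access.log; sqli_hits /tmp/access.log` to see the ranking; the scanner's first bare-quote probe and the legitimate `rock 'n' roll` query both fall through the markers on purpose, which is why a threshold rather than a single match should drive the ban. Banning the source slows the scanner down; it does not fix the injection, so the "fixed vulnerable code" step in the comment above is still the one that matters.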

