It’s been a banner couple of weeks for exploits on the web. At the end of March it was reported that mysql.com was compromised via a blind SQL injection. The results of that attack included the revelation that the dude at MySQL in charge of product development used a four digit number as his password for mysql.com’s WordPress account. And these are the people who should know better. Speaking of WordPress, there was a very large DDoS attack against wordpress.com at the beginning of March. The speculation is that the attack originated in China and was politically motivated. On the heels of that, Matt Mullenweg reported on his blog a couple of days ago that Automattic’s servers had been exploited at root, and sensitive code liberated.
Those are high profile attacks, rooted in a variety of motivations. Beyond that, there are so many day-to-day exploits that occur. It’s very hard for the development communities of the tools we like to use to keep ahead of the exploiters. If the experts at places like Automattic and mysql.com can get owned, what does it mean for the rest of us… who aren’t experts? At the beginning of this month, I discovered that my own WordPress installation had been exploited by criminals running phishing schemes to get people’s bank info. It makes me feel sick to my stomach knowing that my server was inadvertently aiding that kind of activity. How did it happen? As best I can tell, the site was exploited via a third party plugin that allowed image uploading. But there are apparently many ways that a WordPress installation can get exploited. In my case, it seems the code was injected many months ago and only recently turned on, as it were. This makes for a problematic situation when rebuilding from backups, many of which are themselves compromised. Furthermore, I learned from a computer forensics grad student who contacted me that her program at UAB identifies many thousands of sites a month that have been compromised for phishing.
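One check I would want before restoring anything, given the dormant-injection problem above: an added script (mine, not from this post) that scans a series of backup snapshots for injected PHP and reports the earliest backup in which each suspect file appears, so the last clean backup can be identified. The snapshot directories and file contents are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for injected PHP: obfuscated payloads decoded and executed at run
# time, and any PHP at all under the media upload directory, which should hold
# only images and documents. Hits are leads for manual review, not a verdict.
PATTERNS = {
    "obfuscated eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*(['\"])/.*/[a-zA-Z]*e[a-zA-Z]*\1"),
}

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Return {relative path: [reasons]} for files in one backup that look injected."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        reasons = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if rel.startswith("wp-content/uploads/") and "<?php" in text:
            reasons.append("PHP code under uploads/")
        if reasons:
            findings[rel] = reasons
    return findings

def first_seen(snapshots: list[tuple[str, Path]]) -> dict[str, str]:
    """Snapshots ordered oldest first; returns the label of the earliest backup
    containing each flagged file, i.e. the first snapshot that is not clean."""
    earliest: dict[str, str] = {}
    for label, root in snapshots:
        for rel in scan_tree(root):
            earliest.setdefault(rel, label)
    return earliest

def build_sample() -> list[tuple[str, Path]]:
    """Constructed sample: three monthly backups; a dropper appears in the second."""
    clean = {"wp-content/themes/x/header.php": "<?php wp_head(); ?>",
             "wp-content/uploads/2010/11/photo.jpg": "JFIF"}
    injected = {"wp-content/uploads/2010/12/image.php":
                "<?php eval(base64_decode('PAYLOAD')); ?>"}  # placeholder, not real
    base = Path(tempfile.mkdtemp())
    snapshots = []
    for label, files in [("2010-11", clean), ("2010-12", {**clean, **injected}),
                         ("2011-01", {**clean, **injected})]:
        root = base / label
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        snapshots.append((label, root))
    return snapshots

if __name__ == "__main__":
    for rel, label in first_seen(build_sample()).items():
        print(f"{rel}: first appears in backup {label}")
```

Any backup older than the first reported snapshot is a candidate for restoration; a file first flagged in the oldest backup you have means no clean copy exists.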
So, what to do? We are very close to the end of the semester, and because I use these sites to run my classes, I’m faced with some long nights of rebuilding sites from scratch and the like. I love WordPress, and have loved using it in the classroom. But now I’m wondering if it’s worth it. I won’t be moving back to Blackboard, that’s for sure. But my university’s OIT will not provide support for professors to do anything on their servers except roll a very simple UNIX account, use Blackboard, or maybe get someone to make a Sharepoint application (groan).
In thinking about the situation over recent days, I’m wondering what I really need for myself and for my classes. Much of the functionality of WordPress comes at a price:
1. Third party plugins are inherently less safe than core features.
2. Core features aren’t necessarily enough to do some of the nifty things I like doing (see, for example, feedwordpress).
3. Dynamic sites are resource intensive, and require much more RAM server side.
4. It’s hard to imagine SQL ever being safe.
5. I’m not sure how much my students really enjoy the spiffier side of things on my sites.
6. As this twitter status states so clearly, PHP is essentially a domain specific language for remote exploits.
A short list of what I need would include at least the following:
1. An attractive, well designed layout for each class, where page appearance is thematically consistent, but not identical to my main site/page.
2. The ability to distinguish between pages and posts.
3. The ability to feed student posts onto the site in some manner or form.
4. The ability to distribute readings, preferably with some password protection.
5. The ability to show video from lectures or in support of lectures.
6. The ability to show an updated calendar (something I don’t actually do right now, but would like to).
7. A minimal need for distributing any of these services.
My instinct right now is to move to a dynamically-generated static content site, where the site would be generated on my own machine as a set of static HTML pages that would then be pushed via source control to a repository on the server. Flat files are fast, and the source control side of things is really attractive. There are a few different systems out there that offer this now, but they require the effort of importing my old site and making sure that URL redirects and the like work. I’m looking into jekyll and hyde, which are Ruby and Python implementations respectively. There are a number of other options as well (nanoc, middleman, chisel, webgen, and aym-cms among many).
Another idea would be to run a WordPress install on localhost, produce static files from it using a tool like this one, use Disqus for the comment system, and then use source control to push to the server.
Security issues are a real concern for the DIY professoriate. I’m wondering what others of you think.