Plugin Vulnerability

If you’re one of the 200,000+ users/clients of the ThemeGrill plugin, you should update yesterday.

Plugin vulnerabilities are not a new thing. The only novel thing about this one is the number of affected sites. It’d be like Akismet having a major remote-control exploit. You can mitigate these issues by making sure your plugins are up-to-date. WordPress is not particularly hard to manage. There are lots of plugins and services that make it brainless (shoutout: Jetpack). So, this should be a non-issue.

While we’re talking about plugin vulnerabilities, you should go visit Marko Saric’s guide on securing your WordPress install. There is lots of good advice in there. I personally like using Jetpack (with Akismet and VaultPress), but there are lots of free tools that you can use to secure yourself.

FBI vs. Apple: Round 2

Ah, the good old false trade-off: Security or Letting the Terrorists Win and Kill Your Children. Once again, we have Apple being asked by the FBI to unlock or build back doors that “only law enforcement” (read: any bad guy) can use.

Look: I’m sympathetic to law enforcement. They have a tough enough time dealing with the literal worst of humanity and having to piece together the crimes committed by them. This is made more difficult when one of their suspects (or criminals) has encrypted some information. Because we have a codified right to privacy, it is reasonable to argue that giving up passcodes and other privacy-stripping keys is not something we should have to do, no matter the case, as we’re all equal under the law (the Constitution being the “highest” of those laws).

This fight is further exacerbated by the fact that this is not the first time that Apple has reasonably denied these requests. It would damage their brand and their customers’ security, and give an already powerful governmental department sweeping access to stuff it wouldn’t (and shouldn’t) have access to on its own. All in the name of “security”. The subtext of all of this is somewhat sadder: despite all the massive surveillance that is being done on Americans, we still cannot stop domestic terrorism from happening. Giving the FBI, or any entity aside from the consumer, access to a device that has become the epicenter (for better or worse) of many people’s lives goes counter to our rights.

What about providing a sort of “key escrow” for law enforcement? It would be a semi-reasonable method of giving everything they want, in theory. Law enforcement would have the ability to decrypt data that they would presumably have proven their need to access. The user would still have encryption that is difficult to impossible to break in a reasonable manner and their rights are respected.

The main problems with this scenario are:

  • Who do you give these keys to?
  • What legal recourse do you have if they lose, leak or otherwise provide (willingly or not) keys to someone who should not have them?
  • How do you get millions of people, companies and devices to enroll in this system when free, strong and cryptographically secure code and systems exist in the wild and aren’t going anywhere?
  • Criminals are obviously not going to enroll, so it defeats the point.

Not to mention the massive organizational nightmare it would be to ensure keys are tied to the right person, device or organization. The whole idea is infeasible on any sizable scale.

I wish the general public would be more aware of the erosion of rights. All too often we just allow our government to trample over us because it’s convenient or we’re led to believe that it’s “for the greater good”, when in actuality we could take some pointers from France, England and Italy, where people protest when their governments do wrong. We need some of that fire back in America, not this anesthetized complacency.

National Cyber-security Awareness Month

Note: I technically missed this post, but it’s still good.

October is National Cyber-security Awareness Month. While many people ignore it as something they don’t need to learn about, even basic awareness can make you massively more secure than the next person. Generally, low-level attackers are just looking to get access to the easiest targets, because anything more than that requires exponentially more investment from their already razor-thin margins.

Passwords

Love them, or more accurately: hate them, they’re here to stay. There are methods to make them less of a pain and more secure at the same time. Many tools to secure passwords and implement second-factor authentication are already freely available and easy to implement.

Use a Password Manager

By my current count, I have somewhere in the neighborhood of 400 accounts on various sites, services and tools. Some of these are defunct, some of them might still have my account information in them. The good news is, because I use a password manager, each one is unique. That means if the security for that site isn’t all that great and they have a data breach, my password can’t be used to exploit any other sites.

Both Android and Apple have built-in password managers in the form of iCloud Keychain and Google Passwords. Both can help you not only generate a strong password, but can store it securely online and sync it to other devices. They also offer features like auto-fill on sites and apps when you visit them. These features are usually enabled by default, so you actually have to ignore them to not use them.

If you’re not jazzed by the default tools, or want something more robust for secret keeping, Bitwarden is a fantastic tool for storing your passwords, second-factor tokens, notes, identities, licenses and more that can sync with pretty much any device that has access to the Internet. The software is open-source and can be self-hosted, but their own hosting costs only $10 a year, which is an amazing deal. Other options, like 1Password, are also good choices due to their multi-platform efforts, more robust syncing and rigorous approach to security.

In short: Don’t keep reusing that password. Get a password manager and stop reusing your passwords.

Second-Factor (2FA)

When dealing with passwords, you’re putting a lot behind a single code. Why not add an additional layer of security? A 2FA or second factor is usually a one-time code either texted to you, emailed to you in the form of a special login link or, in most cases, a code that your computer or phone generates from a key that the site generates for you. To set this up, check your account settings and see if there is an option. Many sites are beginning to offer this feature as it provides an additional hurdle for attackers to breach.

Setting it up is usually easy too. Generally you scan a QR code with your password manager, or set up a phone number to send the codes to. Once done, you’ll log in and then be asked to type in an additional code. Most good password managers will already have put this code in your clipboard, so often you just have to paste it. Nice!

Backups

Yup, that old chestnut. However, you don’t have an excuse. Storage (especially online storage) is so cheap in the current economy that you’re often paying fractions of a cent (USD) per gigabyte. Combine that with some really excellent tools that all but automate the process for you, and backups are easier to get going than password management.

Don’t trust online storage, or are you just strapped for cash? Check with a friend. You can encrypt data on a spare drive with VeraCrypt or similar and ask them to keep it in a cabinet at home. Better yet, do that with a couple of friends and now you have multiple offsite backups!

Seriously. Much of the botnet, malware and ransomware problem can be fixed by having a good backup system to restore from. Keeping important stuff encrypted and safe is also free and easy to do with little to no intervention on your part, and storing data is cheaper than ever.

Scams, Phishing and Spam

You are the weakest link in your security. You’re vulnerable to persuasion and are the keeper of all the keys. Often attackers try to exploit this fact and trick you into providing secrets or data directly. These attacks will usually come through email, as it’s not time-sensitive, but occasionally they’ll come through instant messaging or text services. No matter their origin, you should watch out for some telltale signs:

  • Asking for information they should already have.
    Is the other end asking you for information they should already have, like a password, or personal information?
  • Misspellings and grammatical errors.
    I never understood this one, but I’m glad it’s here. Often attackers are not native English speakers, or just have poor language skills, making their messages difficult to read or full of mannerisms that don’t fit.
  • Weird-looking links.
    Usually attackers will try to hide links by using HTML to mask them so they look legitimate. One tactic you can use is to hover your mouse over the link; most tools will show you a tooltip of where the link actually points. If any part of it looks off, don’t click on it.
  • When in doubt? Call them.
    Lots of attackers try to masquerade as official-looking email. If you’re not expecting anything from them, or you’re suspicious, just call or reach out in another manner. Generally, if this information is needed, a person will be able to confirm or deny it.
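The hover check from the “weird-looking links” item can be automated over an email’s HTML: an anchor whose visible text looks like an address but whose href goes to a different host is the classic masked link. This is an added example, not from the original post; the sample email body below is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that a reader would take for an address: "bank.example.com/login", "https://..."
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s: str) -> str:
    """Host of a URL or bare domain, lower-cased and without a leading www."""
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def masked_links(html: str) -> list:
    """Return (shown_text, real_href) for anchors whose displayed address
    points somewhere other than where the href actually goes."""
    p = _AnchorCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if URL_LIKE.fullmatch(text) and _host(text) != _host(href)]

# Constructed sample: one masked link, one honest link with plain text, one honest bare-domain link.
SAMPLE_EMAIL = """
<p>Please verify your account at
<a href="http://login.example-secure.test/verify">https://www.bank.example.com/verify</a>.</p>
<p>Or read our <a href="https://www.bank.example.com/help">help page</a>.</p>
<p>Contact: <a href="https://bank.example.com/contact">bank.example.com/contact</a></p>
"""
```

Running masked_links(SAMPLE_EMAIL) flags only the first anchor, which is exactly what hovering over it would reveal.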

Updates

I can’t believe I actually have to address this in 2019. So many devices now try to force updates, and so many people try to disable or ignore them. Honestly, this is the easiest issue to remedy. Keep your stuff up-to-date. If you hate the inconvenient times at which updates present themselves, try to configure them to run at a time when you’re not going to be active, like overnight. iOS, as an example, will run updates and backups overnight so long as you’re connected to Wi-Fi and plugged into a power source, which is something people do anyway before going to bed.

VPN for All the Wrong Reasons

I’m not a political dissident. Moreover, I’m pretty uninteresting. SSL-secured websites are more than encrypted enough for my purposes. So why would I want to start looking at VPN? Website filtering. I connect to some of my self-hosted solutions, which seem to be blocked or, at the very least, poorly peered on the WiFi at the locations I frequent.

Ideally, I’d like to use the “built-in” (at least, to NetworkManager) OpenVPN solution to make it easier. I do have a pfSense firewall that I could hook into, but it’s sitting on a Comcast/Xfinity consumer service. I guess I’ll have to do some investigation as to port usage.

There are lots of different VPN services out there. With the rise in the privacy awareness (the awareness of the lack of privacy online), there are really good and cheap options. Even the OpenVPN folks seem to have their own service, called PrivateTunnel, which is interesting and cheap. I’ve also been looking at NordVPN, because of their ties with the SomethingAwful forums, great ratings and decent popularity.

I guess I’m spoiled for choice. Any ideas for service? I’d like to not spend a huge amount on services. Month-to-month would be better than yearly pre-paid. Leave a comment below.

Bitwarden is Amazing

Bitwarden is awesome! Why didn’t anyone tell me before? Seriously, this is what 1Password felt like back in the day when they weren’t pushing their cloud-only versions of their tools.


Speaking of 1Password, it’s becoming harder and harder to recommend them, because getting versions of the tools that work with offline files instead of their online service is near impossible, and something users had to beg for in the first place. The decision to nail everyone for either a monthly subscription fee or $60 a year for upgraded versions is getting tired.

What prompted me to change to Bitwarden was exactly this. My wife uses an older, but still compatible version of 1Password in her browser and on her computer. An update to the extension broke this and now it seems like the only solution is to buy the latest version, which is $50. Additionally, being a Linux user myself, I was pretty much left out in the cold. I either had to run it through Wine or just use my phone to manually enter the code. Because of that, I was lazy and just let my Firefox Account sync them. Not ideal, since it didn’t sync with anything else.

I do, still, respect them for upping the bar as far as password management goes. They introduced excellent browser plugins and are extremely open about their methods to secure your data. However, it’s been a while since they’ve done much to push the envelope, and the competition has largely caught up.

A New Challenger Approaches

I had heard about Bitwarden, and was a little skeptical. I love F/OSS software, and the password managers I had used, like pass and KeePass, were great as stand-alone tools, but not exactly… fluid when trying to sync to multiple devices, let alone a family of them. Bitwarden solves that problem and is still open source.

The Bitwarden app for iOS looks and feels very similar to the desktop app, which looks and feels similar to the browser plugin, the website, the Android app and so on. This is all amazing because it allows me to deploy this on my family’s devices and remain consistent. I don’t like that they’re all Electron or similar apps, but it’s a small concession I’m willing to live with.

While I’ve opted to use their paid service for now ($10/yr is pretty crazy cheap), I do plan on self-hosting when I get into a more stable network environment (i.e. home). The fact that I can just do that is also pretty freaking awesome.


Passwords and security aren’t sexy. In fact, they’re the thing people think the least about until they have to deal with it (just like backups). Still, the F/OSS password/secret management systems are growing up nicely and provide excellent security, auditability and full control over your data, and I couldn’t be happier.