I always loved this comic. I don’t know the artist’s name, anyone recognize them?

Dear friends who keep telling me ‘Congratulations‘, I do appreciate it but please realize that isn’t what I ‘need’ right now. To be honest with you, I’m more in the mood where I’d rather hear ‘Sorry you’re leaving‘ or even just ‘I know this is a hard time for you and just wanted to let you know that I’m wishing you well‘.

While I am excited about my new job, our new life in a new community etc,  right now it’s hard to see past the gloom and doom of leaving 13.5+ years of friends and community, spending way too much fixing up our house just to sell it, finding a rental home in a place we don’t know that will take 4 cats, 2 dogs and 2 kids that’s big enough for our stuff (and that’s near a good school district). Oy, even just writing that all out is depressing and scary.

We’re trying not to stress on the ‘OMG how can we afford this? What if our house doesn’t sell quickly? What if … ‘ angle of things and just hope that it’s a ‘Jump and the net will appear’ kind of moment. Net or not, we’ve already jumped (or perhaps a better metaphor here would be we were pushed) so… here’s hoping for a net, or at least a soft crash landing.

So when you bump into me and I’m not immediately perky and excited about chatting about where we’re moving to and the new job, I apologize, I know you mean well and that it’s easier to talk about ‘good stuff’ like new jobs & bright futures than it is to talk about the sad and the scary.

Sorry if I seem ‘glass half empty’ about things right now. I have been doing my best to push myself 180 degrees and smile and say thanks and talk about what I’m excited about, but I’m way too open about my feelings with friends to do that for too long. That’s just where my heart is these days so thus, certainly with friends, I don’t feel the need to put on a happy mask and not let you know what I’m really feeling.

For those of you who might have missed my facebook & twitter updates over the past few weeks, I am on the job market for the first time in over 11 years. This isn’t by choice, my position is being downsized due to a decrease in the grant funding for my department at The Jackson Laboratory. I, and the 3 others I share an office & responsibilities with, found out about this change on 3/21. Our positions officially end on 7/31/11. While I am sad about this, I really shouldn’t complain much since it could have been worse. 4 months notice is certainly nothing to complain about these days.

The good news is that this change wasn’t because of poor performance on my part and was outside my control. The bad news is that, despite hearing warnings for years that everyone should always have an up-to-date résumé and that no one should expect their job to be safe or expect their employer to show them any loyalty, I was not ‘ready’ for this at all and it’s thrown me, and my whole family, for quite the loop.

The scariest fact in all this is that it’s not looking likely we can stay in this area and will need to relocate. After living here for over 13.5 years this isn’t something we want to do, or had planned on.

Top it all off with the fact that while I know logically that this position being cut was outside of my control and is not a review about my skills or performance, my ‘gut’ reaction is still taking this as a failure on my part. The fact that this job ending may mean that not only will my 9-5 job be changing, but also quite possibly losing the entire community of friends we’ve built, is quite overwhelming. Suffice to say the past month or so has been a roller coaster. We’re still not quite fully grasping what relocating will entail logistically but at some point we may just have to decide to jump and make the best of it. I keep hoping somehow something local may work out, and there are a few possible leads on this front, with possible local jobs or telecommute jobs, but so far nothing definite so we can’t bank on anything.

What’s more, the whole résumé, cover letter & interview process requires one to be an energetic, peppy first person sales person about your skills & experience. This process ends up in direct contention with my more passive, mellow and humble personality. I’m very good at what I do, and I know that, though to make me have to write letters and speak to groups of strangers about it just eats at me. It’s difficult to explain this properly and I’m not sure I’m doing this justice, all I know is that this whole process has me burning the candle at both ends and is really eating at me. I want it done, I don’t like it, it hurts and it annoys me.

Part of me wants to detail more about my recent interview experiences and where we’re looking at possibly relocating to but that wouldn’t be very prudent, or professional. The good news is I’m finding possible job matches in the industry I’m most comfortable with and at locations that I think we’d be happy with, and my resume seems to be getting noticed by the right people so I’ve done some phone and in person interviews that I think went well. If we have to relocate I think we’ll end up somewhere nice <knock on wood>. Note, I am still actively looking so if anyone knows of any ‘System Administration’ &/or ‘Web Developer’ type positions, send them my way or point others my linked in page.

As I mentioned above, I realize I really shouldn’t complain about this too much. Yes it still ‘sucks’ on a number of levels but I’m reminded by many that working for a single employer for 13.5 years is an anomoly and there are worse things that could happen. As the Harvey Reid lyric goes, ‘Got no problems a dollar won’t cure’ so I guess I shouldn’t complain. Or since I seem to find a David Wilcox lyric for any occasion;

“Let me dive into the water,
leave behind all that I’ve worked for
except what I remember and believe,
and when I reach the farthest shore,
I will have all I need”

After rescuing some sites this past month I’ve been inspired me to make a list summarizing all the messes I’ve had to help cleanup over the years. I’ve written this as an advice column for any bad web hosts or designers who just haven’t quite perfected the art of truly sucking to the point of being the ‘worst ever’.

"What? You want to access your own site? Sorry, only I can make changes. I'll get to it as soon as possible but I'm really busy right now."

Account Access:

• Keep all account passwords to yourself, make your client has to contact you for any change (and charge them for 1/2 hour work for any changes)
• Host their site under an account where you host other sites so you can’t give them full ftp/shell access to their files. This ensures they can never download a full copy of their site without asking you first, and that they realize their entire internet presences exists at your whim and they should be grateful you’re providing these services for them.
• If you have to actually give a whiny client access to their own site;
  • Only give them the most minimal level of access possible so they can’t possibly mess up YOUR work.
  • Make sure you don’t explain how to do anything useful like add new items to their menus or how the site is organized so they are confused and have to contact you to make change even though they could have done it themselves.
  • A nice touch here is to give them their own account but make all the files in that account owned by root or another account, so they can just see the files but not actually use them.

Domain Names:

• Host their site on a domain you own and that has nothing to do with their site. On the internet no one cares about the actual domain names, people just click on links so the words in the domain don’t matter.
• If you actually have to get them their own domain;
  • Register the domain of their choice, but do it under your name.
  • Charge them more than what it cost you for the registration, hey they don’t know any better and it took you time to do it.
  • Be sure to encourage them to get as long a name as possible so it has lots of keywords but near impossible to remember or tell anyone over the phone.
  • Use a really expensive registrar like Network Solutions and register their domain(s) under your account so they can’t access it themselves.
  • Make sure they get domain ID protection and lots of other useless services that the domain registrar offers (and with domain protection they wont know it’s under your name. Tee Hee!)
  • Encourage them to get every possible variation of their domain (.net, .org, info, .cc) but then never actually point any of those to the site.
  • OR Better yet, point them all to the site and make each one work independently, that way google will crawl all of them and the site will show up multiple times in search results. I mean, what are the odds google would notice or care about duplicate content?
  • Set their domain to redirect or frame yours in it so they don’t ever actually have access to the account where it’s stored.
• When/if they ever wise up and want to move to another host hold this domain for ransom, you bought it, you own it! So what if it’s their business name, this domain is yours. If they don’t pay your ransom be sure to either keep renewing it so they can never get it back on their own, or better yet if they are ignorant about how domain registrations work let it expire and let spammers & domain vultures get a hold of it before they realize they could have gotten it back. This way not only is their domain gone but spammers will fill it with all sorts of unsavory content that will insult and scare away any of their clients who visit.

Other services & licenses:

• Sign up for all 3rd party services associated with this site using your own e-mail accounts & logins.
  

  "Great job team, we've fit every imaginable keyword in their domain name and we've filled every page with keyword heavy text that wont make sense to any humans, but google is gonna LOVE this. Pagerank #1 here we come!"

• Make sure they client pays you for all licenses and support contracts, but keep them all under your name, after all YOU’RE the one who has to support this site, not the owner.

Search Engine Optimization

• Be sure to Search Engine ‘De-optimize’ their site whenever possible (this way you can charge them more to do this part right later on)
• Don’t use any unique page titles, headines or tags. Use a plugin or other tool to block any external links from the site so no other sites even know you’re linking to them.
• Put as much text as possible on the site using images of that text (and without alt tags).
• Don’t turn on permalink/Search-Engine-Friendly link so all URLs look like ?page-id=123 
• If you do use a permalink/Search-Engine-Friendly link make sure to have it auto add the .htm or .html at the end of every URL because that way it looks ‘real’ and official like one of those fancy hand made html sites from the 90′s.
• Put every keyword possible into the text & title of your site. There’s lots of room for a nice long title so be sure to put as much as possible up there. If possible sprinkle these keywords as many times as possible all over your pages text too. Don’t worry if this makes your site unreadable by actual visitors, your search engine rankings will skyrocket!


"Don't worry, I put my name on the bottom of every page on your site. Now everyone will know what a top notch web designer you hired!"

Site Content

• Be sure to put a ‘This site designed by’ link at the bottom of every page. Don’t ask the client if they are ok with you doing this, just do it and imply that it’s standard practice, after all you deserve credit for your ‘art’. After all dogs mark their territory, shouldn’t you?
• If you have to include any code libraries to assist with various features on your site be sure to set it to load these from the source site instead of having them stored locally on your server. That way your site visitors can load stuff from another site and decrease the load on your server, so what if they have to wonder why their browser is connecting to yahoo etc when they visit your site.
• Put the entire site on one really long page and just have the links at the top jump to anchors later on. Sure it takes a while to load and you have to scroll for 5 minutes to reach the bottom but it’s REALLY fast after that!
• Images
  • Don’t make thumbnails of any images, just resize the whole 10 megapixel photo to be 200 x 300. Everyone has broadband now right, so what if it takes longer to load?
  • Along these same lines, be sure to set all graphics to load off the site you found them at, they won’t notice or mind the additional bandwidth to their site.
  • Make sure you ignore any copyright limitations when you link to other peoples art & photos, hey if it’s on the net it’s free game.
  • Use a Flash wrapper for all your photos so they cant be viewed at all on ipods & ipads or other smaller mobile devices.
  • If you make any images or logos for a client only give them the file for the size they need for the site. The original layout file is your art and they shouldn’t have access to that. That way when they need to use anything in a print publication later on it insures more business for you! K’ching!

Hey, holding out on previously promised work for more money at a critical moment really worked! Pleasure to coerce you!

• Do everything with poorly coded HTML and don’t test it in multiple browsers. It looked good on your machine, that’s all that matters.
• Alt tags take a long time, son don’t bother. Visually challenged people or those using text only browsers don’t visit your site anyways so why cater to them?
• Use lots of frames and tables within tables within tables so any hand editing of the HTML will drive folks nuts.
• When handcoding be sure to embed the CSS in each page instead of using a central shared one, that way you can bill more hours for any minor aesthetic changes.
• If your client demands a CMS (content management system), be sure to use something expensive, or something custom coded and proprietary instead of a free open source solution that they could use elsewhere. This way clients can never move their site elsewhere without completely rebuilding it with since they are bound to your software. Charge more per month for this privilege.
• Have contact forms go to you and then forward the e-mails to the client as appropriate. Claim this is because you are filtering spam on their behalf.  To be extra slick, charge them extra for this ‘service’.
• Stall finishing the site until it’s time critical and then ask for more money. If they refuse then stop responding to them, especially when they find a new web designer willing to help take over.
• Put things like mailing address and phone number on an obscure page buried deep in the menu heirarchy. Who needs a phone number or physical address when they are on the internet? If anyone really needs the phone number they can use the phone book or can call information. Extra nice touch here, do this all within an image so the data can’t easily be copied & pasted, or crawled by google.

RSS Feeds

• Remove all links & RSS features from the site since after all if you don’t understand what it is it must not be important.
• Point all unique RSS feeds on the site to a single RSS feed of just your main page. This will stop people from being able to follow or monitor a single category or tag. You don’t want people to easily find or follow what they care about, it’s all or nothing baby!
• Make sure your RSS feed only includes a very short summary of the post, after all you want people to visit the site, not actually read the content. If they read the content somewhere else that doesn’t help the webstats, and that’s all that matters.


How about we ignore RSS feeds and anything else we don't understand? Maybe they'll magically go away...

Other Suggestions

• If they are smart enough to leave you for another host/designer call & e-mail their new host and claim you own their site design and will sue them & your former client if they don’t remove it immediately. Google around and find some semi-legalese about copyright laws that may or not apply to this and paste references to them into your letter just so you sound more official and threatening. Be sure to cc a friend of yours and say in the letter you are cc-ing your lawyer.

About this post – In the past month I was asked to help rescue several different websites from bad webhosts &/or bad web designers. Dealing with helping them get things fixed and moved is tedious but also strangely satisfying. Why satisfying?

1. Folks are grateful someone is willing to help them in a fair and reasonable manner, even when they are in need and desparate and would probably pay extra.
2. They appreciate the personal service and ‘extra mile’ effort required and are likely to be long term customers. Sometimes they even blog about it and give us a great referral to their friends.
3. And mostly, somewhere out there on the net a really ill-informed or just plain mean webhost/designer just lost an income stream. Karma!

Dealing with these sites inspired me to make this list summarizing all the messes I’ve had to help cleanup over the years. I’ve written this as an advice column for any bad web hosts or designers who just haven’t quite perfected the art of truly sucking to the point of being the ‘worst ever’. However, even if you are just a mere website owner, you may want to read this list. If any of these procedures match your current web host or designers standard practice, well maybe you should ask them about that. OR, if you want an objective full audit of your site & setup Nicole @ Breaking Even Communications and I offer a ‘Website Audit Service‘ which covers a broad list of areas we check, and the best thing .. if we find anything that needs work and you choose to hire us to help clean it up (not required), then we’ll credit the cost of the audit towards the work. I didn’t intend for this post to be a sales pitch about this but it just fit naturally so, why not?

• Disclaimer: In case any web designers/hosts I’ve cleaned up after when helping your former clients happen to read this post and think some of these apply to them – These are in no particular order and do not necessarily reflect any websites I or Svaha LLC host or have assisted with at any time (but between you and me, you know who you are, and shame on you!)
• All photos included here are from http://www.flickr.com/photos/hamptonroadspartnership and have been used under the Creative Commons license. Because another worst web designer thing to do is use someone else’s content without properly attributing it.
• Special thanks to Nicole @ Breaking Even Communications for her assistance with this entry (No seriously, as in actual help in writing it, not the “inspirational” help many other designers gave me when I encountered their messes).

It’s that sad date again. It’s now been 19 years since I woke up to a phone call hearing that one of my best friends at Antioch College had been killed late at night in a car accident on Dayton Yellow Springs road returning from renting movies in Xenia, a trip I had done with him countless times.

Karmynn Kimble called me from Staci & Mike’s house to share the news and I immediately walked down the hall and woke up another friend of Mike’s, Brian Jenkins, and chatted with him for a long while. The days after that, leading up to the funeral, are all a blur. I recall brief memories about his funeral, that his family had some of his favorite clothes they were going to cremate with him, including that airbrushed t-shirt with a thousand little smiley faces on it (that he always insisted there was one sad face in there though I never recall ever finding it). I so wanted to beg them to let me have that shirt but they clearly knew it meant a lot and had plans for it. Months later we ended up taking over the lease at the house in Yellow Springs that Mike & Staci had been renting and Staci had also left Mike’s unstartable car which I was never successful in getting the title to. It sat in the Science Building parking lot for a number of years and I eventually gave the keys to a plumber at Antioch who had plans for it. No idea if it ever rode again.

For a few years after the accident I would have vivid dreams of finding out he was alive and had faked his death to avoid paying Antioch money he owed for tuition (something I suspect if he could have pulled off without hurting anyone he would have ). Emily also reminded me that sometimes I’d wake up thinking he or his ghost was in our apartment though I don’t recall this specifically anymore. Maybe he was there, keeping an eye on me for a few years to make sure I turned out ok It’s been years since I’ve seen him in my dreams, at least as I recall.

I still think of him often, especially with all the Antioch turmoil going on these days I find myself wondering what he would think about all that’s going on. He’d either be part of the bunch of us fighting for the formerly tenured faculty etc, or he’d have washed his hands of anything Antioch and would be razzing me for still caring about it.

At some point I really should stop remembering this day and change these entries to February 23rd, his birthday but for now the 2-8-92 digits still haunt me.

So this is yet another virtual tip of the hat in his memory on this day.

Mike & Staci - 1991

Photo above is of Mike & Staci, I believe from about 1991 or so. Thanks to Mike’s brother, Mark, for sharing this photo with me a few years ago.

Here’s to you Mike. You are still missed. Wish you were here.

We live in sad times when websites ask for your website URL but only give a choice between FB, Twitter & Linkedin.

I wrote the following on the ACAN mailing list last night regarding the current state of Antioch College. For anyone reading this who isn’t neck deep in this struggle this probably isn’t worth your time reading since it likely won’t make sense out of context. I’m including portions of the e-mail I was responding to in here. If you feel so moved you can read the whole thread this part of saveantioch.org… . So that’s the disclaimer, this is long, boring, and not terribly relevant to most anyone reading this here but I wanted to save it here as a point in time snapshot on my feelings about Antioch.

>>Well, we do live in a market driven capitalistic society.

Doesn’t mean that all our decisions should be based on that though. If so then explain free open source software, community soup kitchens, community radio & tv stations, and basically a large percentage of non-profits. Explain why anyone would volunteer services instead of getting paid for their time. Clearly there are reasons other than the almighty dollar. If money’s our god, I want a new religion.

>>A manufacturer goes out of business, the employees are let go, the pension fund disappears.
>>It is seen as unfortunate, tragic even.  When a new company buys the former facilities,
>>even one that may make the same kind of product, even if it resurrects the name of the
>>former manufacturer, is there an obligation to rehire all the former employees or repay
>>the lost pensions?  Not by any business model in this country, nor any law of the land.
>>Is it fair or just? Hardly.

I don’t think this is quite a fair analogy though to follow it I’ll take some local examples up here in Maine where some more blue collar businesses go through the exact changes you mention. But while the new owners are not be obligated to rehire all the former employees the local communities pretty much expect that and to purposely not do so would be a huge PR nightmare. Certainly it happens, but should it? And should those observing and ostensibly advising/participating in things express their opinions and offer alternative solutions (and in some cases withhold support until this issue is resolved to their satisfaction)? Certainly (IMHO)

Basically I think this is what the college is debating internally right now behind closed doors. On one hand they want to be able to boast they have a ‘world class faculty’ and clearly some of them think the only way to get this is to do a national search..sure they can interview and hire one or two of the former faculty to give the illusion of continuity and ‘fairness’. The folks following this train of thought also will use following logic, ‘If the former faculty at Antioch were so good how come they haven’t gotten jobs elsewhere?’. I’m not even going to respond to this logic since clearly the idea of liking &/or having dedication to an institution & community isn’t of value to those that ask this.

On the other hand they could take the AAUP’s advice and rehire the formerly tenured faculty available in YS when positions become available that match their areas. If they just rehired them w/o a national search then this wouldn’t be the ‘new college’ they are trying to market, they’d have to defend these faculty’s qualifications and experiences. They’d have to.. shudder.. stand with and support and honor the former faculty and students of the college prior to closing and defend it’s merits publicly, instead of being able to imply that everything from 1970 on was ‘turmoil and decline’ (see www.clubrunner.ca/CPrg/Bulletin/SendBulletinEmail.aspx?cid=4742… … Thanks Lee (for the record I already e-mailed Lee regarding this and he apologized that he was being ‘too flip’  and that he defends students from all eras regularly ). If you imply the faculty of 2007 were inferior then you devalue the entire tenure granting & review procedure at Antioch, and how far back do you go
once you head down this path? 5 years? 10? 20? more?

It’s ‘easier’ for them to do the national search since that fits better with their marketing and spin that this is a ‘new’ college based on proud traditions. This statement is buzzword compliant, fits nicely on website headlines and admissions posters. If they hired the ‘old used faculty’ they have to be ready to defend the ‘old Antioch’ and that takes effort. After all, the university already set the stage thanks to Toni & Art Zucker having seeded all the press with insulting summaries of how bad the Antioch prior to closure was. Up until recently we’ve been providing counter narratives to this spin but at some point the gears seemed to have switched internally and we’re not hearing folks defend the ‘old Antioch’ anymore, instead they’re saying that we’re building the ‘new and improved’ version. Having the ‘old faculty’ around doesn’t fit with that spin. It’s easier for them to just say ‘Yup things sucked then, it died but we salvaged the good stuff and added some new specia
l sauce’. Having to stand in support of the former faculty, and readmitting the handful of former students who have bravely hung around waiting for a chance for an Antioch education would take extra effort and explanation.

I’m still completely confused how we went from having the first ACCC group being close to ‘winning’ in April 2008 where we would have kept all the faculty, staff and students to where we are now. What changed? Why did we (effectively) drop Nonstop instead of immediately merging it back into the college the day we got the keys back? Imagine if that had happened… that we pulled the ‘life raft’ back on board the moment the ship was back in our control? Imagine if the former faculty and nonstop students were around on campus and involved in the rebuilding & planning process. Imagine what would be happening on campus right now if they were there helping plan and organize events ? Imagine if the new college had a functioning equivalent of Adcil where major decisions were discussed and voted on. Imagine if our new curriculum was created in the open with a chance for all alumni who were interested to give feedback and suggestions. Heck, imagine it wasn’t 10/21/10 and the new curric
ulum wasn’t still a secret that hasn’t been shared with the alumni yet (but is being show at admission’s fairs etc)

But no.. none of this has (or likely will) happen.. instead we hire a few Morgan Fellows, not as faculty but as temporary hires to help us build a curriculum that meets the specs as prescribed by large donors, board members and college admins. This curriculum has been created behind closed doors and while some alumni helped with this it’s been by invitation only. Major decisions like what handful of majors to offer when we restart are made without any public discussion or explanation to date. To my knowledge, and mind you very little has been said about this, but former faculty & students weren’t even asked to participate in the curriculum planning process whereas alumni & emeritus faculty were. There is no ‘community’ on campus or in YS, outside of the handful of overworked and overburdened staff

But … Outside of all the ‘logic’ above they are trying to weigh how pissed off, vocal and annoying the alumni who care about this issue, the AAUP and the former faculty themselves are going to be on this issue. What I don’t think they realized is that younger alumni, heck even somewhat non-young alumni would care so passionately about their former teachers. I really am quite confused why there’s even a discussion or debate on this issue, it just seems terribly obvious to me what we should be doing right now.

I’m still.. desperately.. holding on to some hope that we can still fix things and build a ‘new college’ based on more than just proud traditions but built from the PEOPLE who lived, ate and breathed the college community and traditions prior to closing.that should be part of it. And yes, Mark, before you ask, I believe this includes the non-union and union staff too wherever possible. Antioch College is just a place, just a name associated with buildings and dirt. It’s the community and the people that matter here.. if the Antioch campus sank into a giant sinkhole tomorrow (but with no casualties) I’d still love and support Antioch College. But if you take the campus and shake all the people out and then start a ‘new’ college, well.. I’m gonna stand with the discard pile instead of the new deck. (ok the analogy needs work but it’s 2 AM and it’s all I got at this point)

So college is (finally) at a point where a major decision needs to take place… Two roads diverge in the woods, one involves embracing the former faculty and by doing so embrace the old Antioch and it’s more recent graduates, the other path leads to a ‘new’ college that’s been sterilized and quarantined.

I am pretty sure I know what path they are leaning towards, but I also know which one I’m standing on.

-Matt ’92

This post initially began as a post about securing WordPress but since it got so big I broke it into this one about website security & hacking prevention in general and I’ll put the wordpress specific information in a separate post. (coming soon). This post is just a quick overview of basic website security concepts and practices. I realize this is incomplete, there are books , blogs and entire businesses focused on this issue but I’m hoping it might help some folks. Here goes;

Background

I’ve been running a small web hosting & design business with some other geeky friends for over 15 years. Since day one we’ve been working on keeping server secure and it’s an ongoing challenge. Also, In my day job I am a Unix System Adminstrator at a research lab and thus I deal with network security as well as problems users encounter on the internet. Basically a big part of my job is thinking about and implementing access control, security, disaster recovery and troubleshooting… so I’m a paranoid kinda guy when it comes to the internet since I’m kind of on the front lines for various nasty internet stuff.

“Why keep your website software up to date? If it ain’t broke don’t fix it, right?”

I have been using WordPress for websites for about 5 years now and I love it and swear by it as one of the best free tools for small websites available. However, I’ve also seen more than my share of hacked installs. Almost always these are from people who have an old install of some website software they’ve left sitting around.. after all “it runs fine, if it ain’t broke don’t fix it right?” Wrong. I’ve seen this with phpBB , SMF, MediaWiki, AWStats and other common website applications too. So I cannot stress enough how important it is to keep all your website software up to date and also have OFF SITE backups. My friend Dan, who is a professional IT Security expert suggested this analogy for this topic “Do you wait to change your oil until your engine seizes up?”

If you don’t care about that old web site anymore, TAKE IT DOWN. Even if you don’t care about what happens to it a single hacked site can cause huge problems on a shared server, not to mention be used to send tens of thousands of spam messages, virii etc. You know the old saying ‘Idle hands are the devils playground’ … well an unmaintained website is a hackers / spammers paradise.

“Why would hackers attack little ‘ol me? Why do bad things happen to good websites?”

Also, and I’ve heard this dozens of times from folks who think I’m too paranoid, it doesn’t matter if your blog or site is something so innocent, small, innocuous or obscure that you think no hacker in the world would ever attack you. They will find you and attack your site. Why? Well hell if I know, I can’t understand the motive on wanting to damage someones site randomly, but really what it boils down to is BECAUSE THEY CAN. They have programs that crawl the net looking for vulnerable sites 24/7/365. This doesn’t cost them anything or take any time, they just let it rip, probably on someone else’s hacked machine and it sends them nice reports of all the juicy sites it’s found and then they run other scripts to hack into and infect those sites.

Once again my security expert friend Dan had a great comment on this issue:

The answer to “Why would hackers attack little ol’ me?” is “Because you run your shit on a computer, and they want to use that computer to run their shit.”  Part of the problem is that people think of their content as their only asset, and don’t realize that the system itself is an attractive asset.  You’d (well, maybe not you) be surprised by how many of these attacks originate on PCs in kindergarten classrooms across the world because someone figured “Why bother maintaining a PC in a kindergarten?  Who could possibly want anything on it?”

“Who are these people?”

I heard the saying once that sites are usually hacked by ‘Script Kiddies’. Imagine some 13 year old who really knows very little about computers but they have a nice program & instruction book telling them what to do so they follow recipe and boom, they are in. They didn’t write this software, some very smart and very ethically challenged person wrote it and did a great job at it.. and then they sent it out into the public where eager teens, apparently often in Brazil and China, happily use them and make your life hell.

“Well my server doesn’t get attacked”

So suffice to say, be afraid; your website and your web hosts server(s) are under attack EVERY DAY. No really. Ask them. Most web hosts use a variety of techniques to monitor and prevent this including firewalls, brute force detection, and just plain old watching logs and traffic. No one is perfect and no one is completely secure.

“Assess Your Risks”

Mind you, I’m guilty of not updating and securing things as diligently as I should for some of my own sites, but usually these are ones that I wouldn’t be heartbroken about losing, so as my friend Dan talks about in ‘The Defense Rests‘, his excellent (but sadly not-recently-updated) blog about security, I’ve assessed the value of my data vs the potential risks and made decisions based on that. Really though there’s no excuse for not locking things down, I do ‘know better’ after all.

The overall message here is that you should be paranoid about anything you have hosted out on the internet.

“Well I don’t use web applications so I’m safe, right?”

Even if you just have a plain old HTML site, don’t be cocky. Here’s a list of questions for you to consider;

• Passwords
  • How complex is your account password? Gone are the days where there was an 8 character limit for passwords, see this recent article about “Super Passwords” on CNN. Oh and when was the last time you changed it? Do other family members/co-workers know it? Passwords should be like toothbrushes, only used by you and changed often.
  • Do you use that same password on other websites (facebook, ebay, paypal?) Is your e-mail password the same as your account/FTP password? If it is, it shouldn’t be. Ask your webhost about how to have your e-mail come into a separate account if possible
• Wireless / Network Security
  • Do you check your mail or login to update your site from a laptop / iPhone / etc. over public wireless spots? How secure are your connections to your server (do you use SSL for e-mail, SFTP or SCP for file transfers)? Sad fact of life, there are jerks out there with programs that ‘sniff packets’ and can monitor & record wireless traffic. I’ve been to geeky conferences where people have posted a list of names and e-mail addresses of peoples accounts that have been sniffed during the conference… and it’s usually a long list, and this is a conference consisting of geeky people who should know better. Imagine how much one jerk in a Starbucks could collect in a few hours?
  • Along the same lines as the above, if your web host allows Telnet or FTP connections (as opposed to just SSH and SFTP) then that login information is exposed on networks too.
• Website Scripts
  • Do you have any CGI scripts for e-mail forms or perform any other tasks for your site? If yes, when’s the last time you checked that you have the latest version? If a vulnerability was found for it, how would you find out?
• Backups
  • Does your webhost have backups? How often? Are they stored offsite? What I mean here is are they stored on a different server, ideally in a different data center so in the event of a server wide hack or catastrophic event where the entire server and all it’s contents are lost, how screwed would you be? Also, are these backups just for their own use in case of a server-wide emergency, or can you get things restored just for your account? Can you do this restore yourself? How much will it cost you to restore just your files?

Basically… Either be sure you are aware and comfortable with what your webhost’s backup policies are or make regular backups yourself and store them offsite, or hire someone else to be paranoid and maintain your site on your behalf if you can’t do this or don’t want to. You know the quote “If you’re not angry you’re not paying attention”. Well.. in this case, if you’re not paranoid then you’re not paying attention.

What do hackers do when they get control of a site?

The first thing I’ve seen happen when someone gets into a site is they install other back doors. The vulnerability that got them in often just lets them do one minor thing, like use a mysql buffer overflow to issue a single command on the server

I’ve seen 4 different uses of hacked websites over the years;

• 1) Spam Relay - They setup the site to run mass e-mail scripts using a random from address, random message body with various keyword hotlinks like viagra, cialis etc and a random destination address. They can push out thousands of messages an hour this way and you wont know until you notice that your site is slow and/or your webhost calls you or sends you a scary letter. This type of hack, if not caught quickly will cause your IP address to be blacklisted by a number of mail hosts including comcast, verizon, earthlink, AOL and even gmail. Getting unblocked is tedious and can often take days/weeks. In fact right now it’s been more than 3 months since one client’s site was hacked and used for spam relay and complaints about those messages from May are still causing problems for our server.
• 2) Large File Transfer – There have been a few times that all the hackers did is put one or many HUGE files in the website and then shared the link to it so hundreds of people were downloading it. These large files are most often porn or pirated software (warez), though it could be any number of other unsavory things that you really don’t want your website associated with (list of spam e-mail addresses, hacking software, credit card numbers, etc.)
• 3) Link Farming – The most recent hack I discovered was this type, they had left the existing site alone but had created hundreds of directories with files in them that contained various random keywords and hyperlinks to places, I’m guessing in an effort to increase search engine rank. Other hacks have involved editing the site itself to hide these links in the content so a human wouldn’t notice them but search engine would.
• 4) Malice / Graffiti – Curiously in recent years this is the rarest type of hack but sometimes they’ll zap your entire website and replace it with photos and logos and often non-english text boasting about what great hackers they are.
• 5) Remote Attack /BotNet – I haven’t seen this recently myself on any site I manage but I know this happens often. In this scenario they use your server to attack other systems, making it look like you’re the bad guy and shielding themselves from any repercussions. Using your server to hack other sites may cause your ISP to take your entire site offline if they get a call from a remote site or the police.

“Have you been hacked?”

Here’s a slap of reality, You may have been hacked months ago and not know it. There have been many times I’ve gone to help someone with their site only to find it’s been compromised sometime months before. Sometimes hackers blow up the site they’ve hijacked, other times they hardly touch it and do things behind the scenes.

Quick Checks to see if you’ve been hacked:

• View HTML Source – Does your site seem to take a really long time to load or seems really slow? Even if it doesn’t load your main page and then choose (if in Firefox VIEW and then PAGE SOURCE) and just skim through and see if anything looks like a long list of links to strange external websites). If HTML scares you, ask a geeky friend to skim your source for you.
• Check for strange links or unexpected traffic increases- Try doing a google search for any pages hosted under your domain i.e. search for site:yourdomainname.com and see if you see any pages that aren’t content you’d expect on your site. You might also see these strange pages in your website traffic statistics reports (Webalizer, AWstats, Google Analytics)
• Mail Problems - Is mail from your server bouncing from places like earthlink, comcast, AOL ? If so it could be that your site is spamming and your IP address is blocked because of it. Check your IP address against real-time blacklists (See links for 2 of these below, as suggested by Earthlink). You will probably need to figure out your server’s IP address to do this lookup. The best way to get the correct information here is to contact your web host and ask them. If that doesn’t work you can try doing a lookup on your domain via http://www.kloth.net/services/nslookup.php . Searching for your domain here will tell you what IP address is associated with it, however this may not give you the IP that your server is using for outgoing e-mail. The only way to find this out is to check the headers of an outgoing message or, as I mention above, just ask your host what IP addresses are used for what.
  • The CBL - This is a list of IPs that may be currently infected and sending spam unknowingly.
  • Spamhaus - From their website you will be able to query your IP to see if it listed in any of their 3 lists that track dynamic IPs, zombied IPs, and IPs that are known to purposely send spam.  A number of major e-mail providers, including EarthLink, block IPs known to be dynamic, zombied, and purposely sending spam.

  This post is really just the tip of the iceberg but I wanted to write it out since I find myself explaining these ideas fairly often. If there’s one thing you take away from this let it be that having a full backup of your site, including any databases associated with it, ‘off site’ (as in stored outside of the server where your site is hosted) is very important. Everything after that is secondary since so long as you have a backup you can recover from even a fatal hack or system crash. I’m willing to bet that for most of you you are ASSUMING that someone else is doing this for you. Are you sure? Perhaps you should check, like… right now.

  More Coming Soon - I have another big followup post about what I do in regards to WordPress, including securing and repairing after a hack but I’m still working on that. I’ll post a link to it here when it’s ready.

  Comments for suggested edits for this are welcome. Thanks for reading this far, I hope it helped.

Below are two long long long and possibly very dull notes about Antioch College that I wrote recently. These are probably very boring to just about anyone, including other Antioch alumni, but I meant well when I wrote them and care alot about the ideas contained therein. Really.. don’t read these unless you’re an Antiochian, and even then, only if you want to know more about what one slightly disgruntled 1992 grad thinks.

-Matt

Original Post Located Here: lists.antiochians.org…

I sent this to the mailing lists and to some folks directly several weeks ago. Posting it, and another letter I just wrote on the ACAN mailing list here in hopes that maybe it will spur some discussion.

I don’t have any new stories or thoughts on this really, it’s been 18 years. I still think of him often. So this is yet another virtual tip of the hat in his memory on this day.

There is a facebook page ‘Antioch Remembers‘ where people are posting photos & memories of their late friends from Antioch College over the years. I put a copy of this photo up there and a brief note about Michael.  A few people posted comments after that entry, so if you’re reading this and have some Mike memories to share, that might be worth a visit.

Mike & Staci - 1991

Photo above is of Mike & Staci, I believe from about 1991 or so. Thanks to Mike’s brother, Mark, for sharing this with me a few years ago.

Here’s to you Mike.