There are innumerable plugins to stop this tracking occurring. Google needs to know what their users are clicking on, and by virtue of that are now in the business of changing their code so frequently as to thwart these privacy tools. It's a game of cat and mouse between the privacy tools and Google. Make sure to download addons/extensions that will update to reflect any changes in Google Search.
Windows 10 and previous versions are known to be SIGINT enabled either by design, or by accident. It would be very cloak and dagger to say by design, but certainly more plausible to say by accident. There are numerous ways to harden Windows however, and depending on how much time and money you're willing to invest, you can get a pretty robust setup. Personally I use Zemana Antilogger (try to get an older copy - the new one is possibly backdoored). Download this: http://hardenwindows8forsecurity.com/ (Some of the settings still apply on Win10 I think). And buy the new version of Glasswire: https://www.glasswire.com/ (Super handy utility that stops all the phone-home behavior of Win10 that can get quite intrusive/invasive). There are many other hacks to harden Windows but I won't go into them here. But you can have those ones for free...
Here's Antilogger: https://www.zemana.com/AntiLoggerFree Please avoid the new version, as it's probably weakened by ICs. I'm sure an older copy is lying around the net somewhere.
I have a hard time trusting either Glasswire and Antilogger without seeing the source (especially since you mentioned possible backdoors in the same breath as your recommendation).
Your first link looks like it's just a pack of local policies, so I suppose there's some value, if that's the case, for people who don't want to go through with learning how to set that up.
It might be closed source, but that does not equate to 'bad'. It doesn't contain too many smaller parts, so it is easy to analyze what the binary is doing. It does attempt to update, but this behavior can be blocked. Binary blobs do not have to be a black box, and it is trivial to open up Antilogger in OllyDBG and see what it is doing under the hood. It might sound like I'm fumbling around in the dark here, and I admit I am; but Antilogger is one of the first ten programs I install on a fresh Windows install.
Regular electronics consumers are not going to buy a Thinkpad with FreeBSD on it, and then house the laptop in a Faraday cage to airgap it. It. Does. Not. Happen.
> Regular electronics consumers are not going to buy a Thinkpad with FreeBSD on it, and then house the laptop in a Faraday cage to airgap it. It. Does. Not. Happen.
Nobody said it would but "regular electronics consumers" also aren't reading this thread and don't have much to do with the post you're replying to.
Oh now I can finally install the OS that will try everything to unearth what I do on my computer... Oh wait, of course I won't.
This is such nonsense. It is like saying 'Hey, there is no problem with living in a glass house where everyone can see you go to the bathroom, you can just put up some curtains.'
I'm not defending M$ here at all. I'm just saying if people are going to use WinAll, there are rudimentary and basic things to install before using it. Otherwise it's like sex without a condom...
Why should I trust Zemana more than Microsoft? You're already suggesting at least the latest version is compromised. Then the other question becomes how I know the older copy I get is genuine and not also compromised.
Wordpress is awful on DO and many things can and do break. Trust me, I've been developing with Wordpress for over a decade, and WP on a VPS is a whole different kettle of fish. Whether it's hardening the VPS to avoid a DDOS, or auto-patching Ubuntu when OpenSSL gets another vulnerability, it's quite nightmarish. DO is good for things like Gitlab and VPNs and things like that, but good luck trying to get something bulletproof and high availability. It's a devops nightmare. It can be achieved, but it takes some time...
Why is Wordpress on a VPS a nightmare? You install nginx, php-fpm, mysql, enable unattended upgrades in Ubuntu, create a new user for Wordpress, run it, enable automatic updates, done.
It's a blog. It doesn't need to be bulletproof or run on a cluster.
I say this because so many peeps think using these pre-installed WP bundles is all kittens and unicorns; it is not. I am not singling out DO specifically, but any VPS provider that has pre-installed soft that does not respond to threat landscapes and is not hardened correctly. Users install without a care in the world for having their VPS naked and like a sitting duck. (Yes, I monitor inbound traffic on VPSes and there are people who are interested in flooding if you don't practice throttling and load balancing, or PTR records which resolve the raw IP to other domains).
The performance of the out-of-the-box WordPress stack is terrible too. I maintain benchmarks for WordPress running on different companies' platforms (http://reviewsignal.com/blog/2015/07/28/wordpress-hosting-pe...) and had to stop including Digital Ocean because it's just not in the same league. I get asked every time why they aren't there though and have to explain that that's not really what Digital Ocean does. If you want high performance WordPress, lots of companies have built on top of DO's infrastructure to give you that. But DO doesn't give you that out of the box.
You are right, it is difficult to keep self-managed installations secure vs. just using a SaaS provider, especially when some of the users only have basic admin skills. Having said that, we do our best to have secure settings by default, respond promptly to security issues (typically we release new images within hours of a new version being announced) and in particular in the case of WordPress we pre-configure everything so that automatic updates are enabled out of the box (which the user can also manage from the admin panel without touching the command line).
> there are people who are interested in flooding if you don't practice throttling and load balancing
Perhaps someone is out to get you. Never experienced this in my life. Been running a dedicated server with over a hundred installs for 2 years. Sure you have script kiddies that might send a bot to try to brute force passwords. But Nginx can easily handle that load.
Spammers, phishers and other criminals are _always_ out to get _everyone_. It's typically done by robots - if your VPS is insecure, it's a matter of when, not if, and when is usually sooner than you think.
I meant DDOS, nobody cares enough to deny access to your little site unless there is something else which is going on. Other stuff, nothing much to worry about. Just follow best practices: use a password keeper, keep your site updated, disable comments, etc.
The way that typically goes is first your VPS gets exploited somehow and used to serve illegal content, send spam or scan other hosts. Then it gets DDOS-ed by someone who doesn't like the content or attacks initiated from the VPS.
Yeah the list goes on. Even for the pros, there are an insane amount of steps to get the install perfect. And it has to be perfect, as one overlooked thing can mean the box can be taken offline by net-hooligans. Things like Commando are handy for this and I frequently use recipes when I spin up a new server: https://commando.io/
I think the actual meaning being lost in translation here is "self-managing things is awful"—which it is, if you are a dev and don't want to be burdened with ops.
Indeed. First thing that blew my mind is that it checks to see if its files are owned by the uid of the php process. Why? Why can't we just +w on uploads, themes, plugins etc using group permissions?
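A defender-side example, added here and not from any commenter in the thread, that encodes the file-permission layout the nginx/php-fpm setup post earlier and the ownership complaint above both circle around: core files read-only to the PHP worker, group-writable only where WordPress must write at runtime. All paths and the sample tree are constructed assumptions; point WP_ROOT at a real install and run as the deploy user that owns the tree.

```shell
#!/bin/sh
# Constructed sample WordPress tree (not a real install) so the audit can run offline.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/plugins/akismet" "$root/wp-content/uploads/2015"
    for f in wp-load.php wp-config.php wp-admin/admin.php wp-includes/functions.php \
             wp-content/plugins/akismet/akismet.php wp-content/uploads/2015/img.png; do
        : > "$root/$f"
    done
}

# Report every file outside the runtime-writable dirs that is group- or
# other-writable, i.e. files the PHP worker (or anyone) could modify.
# Returns 0 when the tree is clean, 1 when something is writable that should not be.
audit_wp_perms() {
    root="$1"
    bad=$(find "$root" \
        \( -path "$root/wp-content/uploads" -o -path "$root/wp-content/cache" \) -prune -o \
        -type f \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'group/other-writable outside uploads:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Apply the least-privilege layout: deploy user owns and writes everything,
# the PHP worker's group only reads core, and only uploads is group-writable.
# Plugin/theme installs then happen via the deploy user (sftp/wp-cli), not via
# the web process, which is what the "deploy once with ftp/sftp" model implies.
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    mkdir -p "$root/wp-content/uploads"
    chmod -R g+w "$root/wp-content/uploads"   # dirs become 770, files 660
}
```

Run audit_wp_perms from cron or a config-management check; a non-zero exit means the web process has gained write access to code it should only execute.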
This is why I'm ditching it and going back to static HTML for my corporate site. As a small consulting shop, we just don't have the time or resources to worry about "WTF is wrong now?"
Static site generators are definitely making a comeback... With the number of vulnerabilities and automated attacks on older versions of WP, and other frameworks, it's not an entirely bad idea...
Generate the site, push to S3 or Azure, then put CloudFlare (or another CDN/Cache) in front of it... Easy peasy.
I think WordPress is great on DigitalOcean. With EasyEngine you can be up and running - cached - in seconds with a handful of CLI commands. I've had great luck with running WP on DO.
I'm curious why you think it's awful? I used the one-click Wordpress install on DO and put up a custom-coded theme. The site gets around .5m visits a month and I've never run into any problems.
WP was not designed for modern deployment for a number of reasons. Wordpress is definitely not a 12 factor app. And there is nothing that can be really fixed by plugins. To fix this, one has to break WP core APIs. WP is "a deploy once with ftp/sftp" CMS.
I think a lot of developers--myself included, for a long time--don't really appreciate why this is the reason WordPress is as popular as it is. The vast majority of the criticisms people make of WP are valid, but good luck finding something else as easy for a non-developer to not just install and configure, but to actually maintain in a relatively secure fashion. (I also don't think developers appreciate how good modern WordPress is at this -- not to say that it's perfect, by any stretch, but once it's set up correctly the damn thing is self-updating. As long as you stick to popular, actively-developed plugins and put effort into keeping them updated -- which is frankly a pretty low bar, since it's about three clicks on the dashboard -- WordPress isn't likely to be a serious security concern.)
I don't see how WordPress's general audience would be in the least concerned about its failure to be a "twelve-factor app," do you?
You have to run your own install script. It is more involved than deploying other things. I usually run a script to prepare the server first (for a generic secure setup, including LAMP) and then run the WP installing script (which is mostly Python working through sftp). It has taken a bit of time to figure this one out, because the generic secure setup requires constant upkeep. It's not something that you set and forget.
aptitude update sure is part of keeping things up to date. One cannot rely on it exclusively due to how those updates sometimes require other changes. Plus it doesn't cover all packages. Using docker just adds another layer of complexity and a possible vector of attack. For standalone wordpress installs docker is not required. Wordpress security is more of a continuous process rather than a set and forget thing due to how it's a constant target.
I actually run a few wordpress blogs on Cloudways - which sets up a managed host on top of DO or AWS. It's pretty good - I think there is value for managed "applications" on top of VPS.
Think of it as Cloudformation for the rest of the world!
Worth watching Haroon Meer's keynote at TroopersCon if you feel like fixing a few things. There are hard problems that do in fact need solving: https://www.youtube.com/watch?v=rarpym8JJXQ
Hacking for me was always about pushing the envelope, and if that meant getting the right tools for the job, then that also meant working for old industrial monopolists and building out my crystal palace in my own free time. After work I would come home, switch on my Pandora's box, and use my paycheck to have fun. The problem with doing this for extended periods of one's life is that you see all your peers getting stinking rich, and you almost feel left behind, like a lone wolf hacker who missed the proverbial boat of investor money. On one hand this can feel miserable because Fear of Missing Out (F.O.M.O) feels like a legitimate thing to be concerned about. On the other hand, the hacking escapades are exhilarating and quickly drown out F.O.M.O because those same people that are getting rich are missing out on the joys of low level disk hacking, and twitter bots that can disrupt markets and sway the stock market any way one wants. The F.O.M.O is quickly drenched by fun. Let fun precede every other activity. This is the hacker way.