The New School blog will shortly be publishing a stunning expose of Anonymous, and before we do, we’re looking for security advice we should follow to ensure our cloud-hosted blog platform isn’t pwned out the wazoo. So, where’s the checklist of all best practices we should be following?
What’s that you say? There isn’t a checklist? Then how are we supposed to follow advice like this:
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn’t have caused the cascade of failures that followed.
So please, if you’re going to advocate for best practice security, please provide a list so we can test what you say. Otherwise, I worry that someone, somewhere will have declared something else a best practice, and your hindsight will be 20/20.
Incidentally, the opening sentence is a lie. Attacking this blog is probably like kicking stoned puppies. Even though we do try to ensure it’s up to date with patches and use strong passwords, we selected the blog hosting company on a diverse set of criteria which included cost effectiveness for our hobby blog.
Previously on best practices:
- New Best Practice: Think and How to Use the “Think” Best Practice
- Alex wrote Are Security “Best Practices” Unethical?
- Torture is a Best Practice (at Emergent Chaos)
- Best Practices for Defeating the term “Best Practices”
Finally, there’s a little more context below the fold.
I should own up that the quote is taken somewhat out of context for rhetorical purposes. The very next paragraph alludes to what I’m saying:
The second lesson, however, is that the standard advice isn’t good enough. Even recognized security experts who should know better won’t follow it. What hope does that leave for the rest of us? (“Anonymous speaks: the inside story of the HBGary hack”)
Ars Technica has had very good coverage, and so I’m using their offhanded comment to illustrate. As a writer, I know how hard it can be to write as much as they’ve written without a single annoying sentence, and that’s without the reporting effort they’re clearly putting in. I’ve bolded it, but included the fuller context. That coverage of the HBGary Federal hack has included: “How one man tracked down Anonymous—and paid a heavy price,” “Anonymous speaks: the inside story of the HBGary hack,” and “Spy games: Inside the convoluted plot to bring down WikiLeaks.”