Category Archives: security

In a news report from the BBC today, the Trades Union Congress reckons that social networking sites such as Facebook, MySpace and Bebo should be allowed at work:

Employees should have access to social networking websites such as Facebook during office hours, the TUC has said.

This is utter utter crap. These sites have the “social network” tag for a reason. They are SOCIAL sites, not WORK sites. I don’t know about you, but the only friends I have on Facebook are friends, no work colleagues.

When you are at work, you are there to WORK. If you are surfing Facebook you aren’t working. You are not doing your work, you are reducing productivity and effectively costing the company money.

Some firms have blocked workers’ access to the sites, or disciplined staff for misuse of the internet.

However, the union organisation says it is unreasonable to try to stop staff from having a life outside work and suggests setting guidelines instead.

My employer blocks all the social sites, including Facebook and MySpace; they even block eBay. It’s no bad thing. Since blocking these sites we saw a reduction in internet usage. We also installed monitoring software which has had a similar result. Allowing users to access non-work-related sites simply adversely affects performance.

Stopping staff having a life outside work? What utter crap. The organisation is trying to get the time back that the employee is paid for. Thankfully there is some sense in all this:

Employment Law Advisory Services, which provides advice for employers, said access should be for business use only.

Personally I believe that many more sites should be banned too. The shopping sites like Amazon and play.com would be a good start!

Does your employer block any sites? If they do, what do you think of the ban?

Why do people do it? Over at Blog Security there are regular reports of people finding security vulnerabilities in WordPress and publishing them on their blogs.

Do not get me wrong. I like the fact that there are people working to discover the vulnerabilities. At the end of the day it means that WordPress will become more secure. Obviously, the limited time and resources of the application’s developers mean that they can’t test every single element of what is a huge and powerful application.

Hell, Microsoft do it all the time. Look at Windows XP. MS released the OS and within three months Service Pack 1 was released.

The problem with people doing this work is that rather than tell the developers (there are various methods outlined at WordPress.org), they will shout about it on their blogs.

What does this mean? Think about it. There are a hell of a lot of unscrupulous “users”, hackers, spammers and script kiddies out there who are quite happy to hack your blog and use it for nefarious purposes, be it Google Juice for their own AdSense promotion or inserting spamming scripts into your code. If the person who finds the vulnerability shouts about it on their blog and gets it linked by other people, then it’s all over the ‘net before developers have a chance to fix it. WordPress gets a reputation as an insecure application and we all lose the best blogging application on the market.

If you DO find a vulnerability, whether it’s in core code, a theme or a plugin, please please please let the developer of that piece of code know. Certainly shout about it, but wait until later, after it’s fixed!

If you are interested at all in the security of your blog then Blog Security is a must read.

As well as alerts to the latest vulnerabilities, they have posts such as Top 11 WordPress Plugins (it’s unfortunate that one of the 11 is the AdSense plugin; that’s a completely separate rant!) and Top 10 Vulnerable WP Themes.

The theme vulnerability results show that out of 1000 blogs tested, 220 had obvious vulnerabilities, including the default Kubrick theme and Connections!

They also offer an excellent WP Scanner Tool which (with a plugin downloaded from the site) will scan your blog for vulnerabilities. You can then (with not much effort) figure out what you can do to sort them.