Well, the Internet is broken again. It sucks to be us (and by “us” I mean “people whose income depends on a working Internet”).
I’ve been hacked a lot over the years. The first Unix machine I ever had root on was hacked within a week of me becoming responsible for it — because it was one of the few unmetered machines at the university where I was working my way through school.
And that made me paranoid, and paranoia made me take precautions.
The host to which I am posting this runs OpenBSD. And that means its webserver runs chroot by default. That means that, even if the webserver was vulnerable (and its not), the amount of damage that an attacker could do would be severely limited. I had to look pretty hard to find a hosting company that allowed OpenBSD, but it was worth it.
I also am using a statically generated blog, currently using OctoPress. No database, no PHP, no executed code. It’s much safer.
I missed the ability to post dynamically, so I wrote OctoPSI which I am using to edit this. I connect to it over localhost on my Mac, so it’s far more secure than the vast majority of blogs.
I understand that there are real applications that need to run real code on the Internet, and they are (hopefully) actively maintained, but for things like my blog, which I don’t have time to treat like a shipping product, some amount of security paranoia is important.
What I AM worried about—the BIG problem we’re going to have, is the number of Internet of Things devices that exhibit this bug. These devices aren’t actively maintained. Many of them CAN’T be actively maintained. There’s no excuse for them to be less securely designed than my blog.