Saturday, September 26, 2009

Protect Your Blog - Install Third Party Code, Carefully

Have any of you seen this sort of offer, when looking at third party accessories, and contemplating installation?
"You don't do a thing! For Blogger blogs, we offer "EZ Install"! Just give us the blog URL, and an account name and password, sit back, and let us do the work!"
And maybe later, you're posting in BHF: Something Is Broken:
"Somebody is posting spam posts on my blog!"
or
"Where did these ads come from? I didn't put them there!"
or worse yet
"Why is my blog deleted? I don't post malicious script!"
All of these concerns have been noted, in real problem reports, and were caused by real mistakes.


Not everybody will note a connection between "EZ Install" and the malicious content. With reputable third party software, there won't be any such connection at all: there are a lot of reliable third party providers who only want to provide their product, and make the install easy for you, just as claimed. But it's always a possibility, and you would do well to consider it.

Always install third party code with care. If you're going to have the third party code installed for you, do this with greater care.

If I were going to use an "EZ Install" process, here's how I would protect myself.
  1. Set up an "EZ Install" Blogger account, and make it a member of the blog in question.
  2. Make my "EZ Install" member an administrator.
  3. Run the "EZ Install" process, and check out the software carefully.
  4. When satisfied that the new accessory is working properly, revoke the administrative status of the "EZ Install" member.


If I were really paranoid (no, just a small bit paranoid), I would add a precaution:
  1. Set up an "EZ Install" Blogger account, and make it a member of the blog in question.
  2. Upgrade the "EZ Install" member to administrative status.
  3. Back up the template.
  4. Run the "EZ Install" process, and check out the software carefully.
  5. When satisfied that the new accessory is working properly, revoke the administrative status of the "EZ Install" member.
  6. Back up the template again.
  7. Compare the two backup copies, and consider carefully each change.


What the heck, you should back up the template anyway! Comparing the two backups is just a small extra step.
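
One way to carry out the comparison in step 7, as an added example that is not part of the original post: a Python sketch that diffs the two template backups, lists what the install added or removed, and flags added lines containing script-capable markup plus any external hosts the template did not reference before. The sample templates, the host names and the `review_template_change` helper are constructed for illustration.

```python
import difflib
import re

# Markup that can load or run code in a template (illustrative, not exhaustive).
RISKY = re.compile(r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:", re.I)
# Host part of src/href URLs, including protocol-relative //host/path.
URL_HOST = re.compile(r"""(?:src|href)\s*=\s*['"](?:https?:)?//([^/'"\s]+)""", re.I)


def hosts_in(text):
    return {h.lower() for h in URL_HOST.findall(text)}


def review_template_change(before, after):
    """Compare two template backups; return (added, removed, flagged, new_hosts)."""
    old, new = before.splitlines(), after.splitlines()
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed += [line.strip() for line in old[i1:i2]]
        if tag in ("replace", "insert"):
            added += [line.strip() for line in new[j1:j2]]
    flagged = [line for line in added if RISKY.search(line)]
    new_hosts = sorted(hosts_in(after) - hosts_in(before))
    return added, removed, flagged, new_hosts


# Constructed sample backups (not a real Blogger template).
BEFORE = """<html>
<head>
<title>My Blog</title>
<script src='https://cdn.example.org/base.js'></script>
</head>
<body>
<b:section id='main'/>
</body>
</html>"""

AFTER = (BEFORE
         .replace("</head>", "<script src='//widgets.example.com/counter.js'></script>\n</head>")
         .replace("</body>", "<div id='counter'/>\n<iframe src='http://ads.example.net/f' "
                             "style='display:none'></iframe>\n</body>"))

if __name__ == "__main__":
    added, removed, flagged, new_hosts = review_template_change(BEFORE, AFTER)
    print(f"{len(added)} lines added, {len(removed)} removed")
    for line in flagged:
        print("REVIEW:", line)
    print("New external hosts:", ", ".join(new_hosts))
```

A flagged line is not proof of a problem, since the accessory you asked for will usually add a script of its own; the point is that every added script, frame and new host is one you can account for.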

It's your blog, and you are responsible for its content, both visual (what the readers see), and non visual (what only you see). It's your decision, too.


5 comments:

Dudel said...

Couldn't people export their blog (assuming template download already) before this and simply "try again" if things got "too wrong"?

Assuming they didn't listen to you, here, they should at least export their "normal/most active" blog often.

Another thing, my brain sends up HUGE RED FLAGS when people start asking about usernames, passwords and becoming admins on the blog.... or being able to "join it" altogether.

Guess I'm saying don't trust anyone saying "I'll do it for you" unless you actually know the person... and then still not trust them. That's just me, maybe?

Chuck said...

Dudel,

Good thinking. Unfortunately, you can only export comments and posts - and template - separately. We're still waiting for Blogger to give us some ability to export gadgets, and until we have that ability, you're sort of out of luck there.

But such a script doesn't explicitly ask for becoming admin, it typically just asks you to input your current account information, and sit back. It doesn't point out that they are trapping the account name / password. And the sheep, who fall for this, don't think twice.

z-vet said...

Give us account name and password? Excuse me? How stupid does one have to be to do such a thing?

Chuck said...

LOL, Z,

Hang around BHF: Something Is Broken, and see for yourself.

Dorothea said...

You are right. We can never be too careful. Better to have one less widget than a lot of problems!