Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Warns About Search-Spammer Site Hacking

Posted by CmdrTaco on from the secure-your-borders dept.

Al writes "The head of Google's Web-spam-fighting team, Matt Cutts, warned last week that spammers are hacking more and more poorly secured websites in order to 'game' search-engine results. At a conference on information retrieval, held in Boston, Cutts also discussed how Google deals with the growing problem of search spam. 'I've talked to some spammers who have large databases of websites with security holes,' Cutts said. 'You definitely see more Web pages getting linked from hacked sites these days. The trend has been going on for at least a year or so, and I do believe we'll see more of this [...] As operating systems become more secure and users become savvier in protecting their home machines, I would expect the hacking to shift to poorly secured Web servers.' Garth Bruen, creator of the Knujon software that keeps track of reported search spam, added that some campaigns involve creating up to 10,000 unique domain names."

59 comments

  1. wat by heptapod · · Score: 0

    Link to the original source at the bottom of the article goes to the same article near the beginning of the article.

  2. And what about search farms? by vintagepc · · Score: 5, Insightful

    I don't know about you, but something else that REALLY annoys me is pages that contain lists of words just so they come up on many searches... with no actual content. Or sites like "Buy *search term* at low prices" and they don't even sell what you're looking for. What's being done about those?

    --
    Evolution - Est. 4500000000 B.C. Don't piss in the gene pool.
    1. Re:And what about search farms? by Krneki · · Score: 1

      You have an "X" near the search result, if you don't like it, report the stupid web site.

      --
      Love many, trust a few, do harm to none.
    2. Re:And what about search farms? by Shakrai · · Score: 2, Interesting

      Does that actually "report" it or does it merely remove it from your search results?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:And what about search farms? by Yvan256 · · Score: 2, Informative

      I don't see any "X" (or any other icons) with my search results.

    4. Re:And what about search farms? by edalytical · · Score: 1

      That's not a "report" button, its a "customize my results for the future button" and it is really stupid. The elephant in the room is that Google is exploitable just like every other search engine. People are noticing the quality of their searches declining and there doesn't seem to be much Google can do or is willing to do. Most of the shitty sites that have no value are loaded with AdSense. Pretty much Google needs to start filtering results or they need to replace PageRank which is fundamentally the problem. Either that or someone else needs to build a better search engine.

      --
      Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
    5. Re:And what about search farms? by Anonymous Coward · · Score: 1, Interesting

      What's being done about those?

      Google is making money off of them.

      I'm sorry, but you simply cannot offer a "service" like this and at the same time claim relevant search results are your top priority. These two things are inherently at odds with each other.

    6. Re:And what about search farms? by 0100010001010011 · · Score: 2, Informative

      CustomizeGoogle is a firefox plugin(which hasn't been updated for 3.5 yet) lets you ignore domains.

      I had a ton on there.

      http://www.fixya.com/ seems to have risen up now that I'm searching on how to fix some lawn equipment I inherited.
      "Yard Machines fix belt" and it comes back with http://www.fixya.com/tags/yard_machines_deck_diagram_belt

      Of course this is 100% useless.

      Those sites are fun to mess with friends. "Dude, did you know that there's an entire webpage on fixing your impotency?"

    7. Re:And what about search farms? by D-Cypell · · Score: 3, Insightful

      While I don't know for absolute certain, I *strongly* suspect that that data is collected and operated on. Most of the big sites are about so called 'collective intelligence', or collecting information about person A so that you can have a better idea of what you want to be providing to person B. This goes into what links are cicked, at which times of the day, how long people spend on a site or page etc etc. To have a function that is so incredibly explicit as 'This is crap, don't show me it again', and to *not* use that to refine future page generations would be deeply stupid, and stupid is one thing the guys at google aint.

    8. Re:And what about search farms? by Jurily · · Score: 1

      That's not a "report" button, its a "customize my results for the future button" and it is really stupid.

      Agreed. At least, I never found a use for it anyway. I just don't bother to filter my search results manually, and it's not my job anyway: if it gets too much, I'll give Bing a chance.

      People are noticing the quality of their searches declining and there doesn't seem to be much Google can do or is willing to do.

      That's because they index everything ("Results 1 - 10 of about 15,280,000,000 for a. (0.07 seconds)") and then they try to rank the crap lower. A much better option would be to create a new search space on top of this one containing only sites recommended by humans, and rank those up automatically, like they did with wikipedia. Of course this would be slow to build up, since all the entries should be added manually by a Google employee, but it would be well worth it: judging content without humans is impossible until we have true AI. PageRank is nice, but like all algorithms, it's vulnerable to tweaked input designed to get a specific (class of) output.

    9. Re:And what about search farms? by Anonymous Coward · · Score: 0

      Try logging in.

    10. Re:And what about search farms? by sys.stdout.write · · Score: 2, Interesting

      Are you logged in to your Google account?

    11. Re:And what about search farms? by Anonymous Coward · · Score: 0

      Problem is if the results get more and more polluted with garbage, users won't use them then no one will give Google money.

    12. Re:And what about search farms? by ex0a · · Score: 2, Insightful

      CustomizeGoogle is a firefox plugin(which hasn't been updated for 3.5 yet) lets you ignore domains.

      From the CustomizeGoogle page the reported version allowed is up to 3.6a1pre for anyone reading this not checking into the addon because of the parent. This addon is really handy.

    13. Re:And what about search farms? by sabernet · · Score: 2, Informative

      If that really worked, I wouldn't still see so many damn "experts-exchange" results since I'm sure I've 'x'ed at least 5 dozen of them.

    14. Re:And what about search farms? by Krneki · · Score: 1

      I concur, this is the single most annoying site on the net.

      --
      Love many, trust a few, do harm to none.
    15. Re:And what about search farms? by Yvan256 · · Score: 1

      I find it funny that you assume that I have a Google account.

    16. Re:And what about search farms? by Magic5Ball · · Score: 1

      http://www.customizegoogle.com/ will filter out ExpertSexChange (and other useless sites) from your Google results.

      --
      There are 1.1... kinds of people.
    17. Re:And what about search farms? by skeeto · · Score: 1

      If it's a Google search, you can report the site here, though I don't think they look at these reports very often.

  3. Universal Authentication by ParticleGirl · · Score: 4, Insightful

    I found this pretty interesting: "Authentication [across the Web] would be really nice," says Tunkelang. "The anonymity of the Internet, as valuable as it is, is also the source of many of these ills." Having to register an e-mail before you can comment on a blog is a step in this direction, he says, as is Twitter's recent addition of a "verified" label next to profiles it has authenticated."

    The idea of universal authentication has been tossed around for a while. I feel like the biggest drawback is privacy (we'd have to trust some universal authentication system to hold onto some identifier even if posting anonymously) and the biggest obstacle is the need for universal participation. It's kind of too late to make an opt-in system. But I've liked the idea ever since early sci-fi interwebs (read: Ender's Game) had SOME kind of authentication.

    --
    Do something about world hunger. Click here
    1. Re:Universal Authentication by truthsearch · · Score: 2, Insightful

      Authentication would of course help for properly secured web sites. But many sites have content injected nefariously. One common method is to break into shared hosting servers via ftp or ssh and place javascript or html at the bottom of every html file.

      --
      Developers: We can use your help.
    2. Re:Universal Authentication by ComputerDruid · · Score: 1

      See OpenID: http://openid.net/

      Decentralized universal authentication.

    3. Re:Universal Authentication by Shakrai · · Score: 1

      One common method is to break into shared hosting servers via ftp or ssh

      Slightly off topic, but I've noticed that in the last year or two that brute force ssh attempts seem to have become so common that they should be considered part of the regular internet background noise. My servers were regularly being probed from multiple IP addresses (most of them in China), sometimes reaching 5-10 ssh attempts per second. They'd go through whole dictionaries of possible usernames and keep trying to hit the root account as well.

      I wouldn't run ssh these days without disabling password logins in favor of keyfiles and having some sort of rate-limit on the number of incoming connections. Here's two iptables rules that will do just that:

      iptables -A INPUT -i INTERNET-INTERFACE -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
      iptables -A INPUT -i INTERNET-INTERFACE -p tcp --syn --dport 22 -j DROP

      (Alternatively instead of "-j DROP" you can do "-j REJECT --reject-with tcp-reset" but I'd rather let their connection hang)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:Universal Authentication by truthsearch · · Score: 1

      I use denyhosts because I have the same problem. denyhosts watches for repeat failed attempts from the same IP and then blocks them. It's fully configurable (e.g. block after 5 failed attempts within one day, unblock an IP after 30 days, send email reports, etc.).

      --
      Developers: We can use your help.
    5. Re:Universal Authentication by Tony+Hoyle · · Score: 1

      Isn't hashlimit designed to limit bandwidth? I'd rather just drop the initial connection..

      -A public -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH
      -A public -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --name SSH -j DROP
      -A public -p tcp -m tcp --dport 22 -j ACCEPT

      You should also be protecting DNS and ICMP in the same way of course.

    6. Re:Universal Authentication by Lumpy · · Score: 1

      I ran a script that watched the log files and added drop rules for ANYTHING that tried to ssh in using root.

      This was back in 2004-2005 and I was getting about 30-40 ip's banned a day from china and the former USSR. It's simply ramped up with a crapload of zombie machines out there doing it.

      My solution was to screw it all and use only VPN.

      --
      Do not look at laser with remaining good eye.
    7. Re:Universal Authentication by Shakrai · · Score: 1

      Isn't hashlimit designed to limit bandwidth? I'd rather just drop the initial connection..

      Umm, no? Its designed to limit the number of times it will match. It's based on number of packets seen in a defined interval. AFAIK it doesn't have anything to do with bandwidth or datarate. In fact, I've never seen iptables directly used to limit bandwidth, although I have seen it used to classify packets that then get shaped by the Linux traffic shaper.

      I do like the rules that you use though.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:Universal Authentication by metaforest · · Score: 1

      Over a year ago: Using denyhosts I black holed IP addresses after two attempts and the entire subnet after 10 total attempts in 12 hours. I eventually gave up and took the host off port forwarding because I didn't need to access it remotely any more.

      I was quickly heading to the point that all of Russia, China and the Koreas were going to be completely black-holed. Interestingly some areas of the US, especially the mid-west and central canada were getting fairly dark too.

      If I ever need to put that host back on my PF.... I am going to use a "deny all except X" rule and avoid wasting all the extra electrons required to process 20+ freaking SSH auth attempts per second.

    9. Re:Universal Authentication by skeeto · · Score: 1

      I hate it when I read an article or a blog, want to leave a comment, but its locked behind some registration mechanism. Then I just don't bother. I'm not going to go through a tedious registration process just to leave one comment. Sometimes it's not even obvious how to register (I'm looking at you Wordpress). I imagine this costs these websites a lot of traffic. See The $300 Million Button.

      No, anonymous commenting is too important. Throw up a captcha or something that anonymous commenters have to fill out, but registered ones don't (like Slashdot).

      Not that I expect this kind of system, but if we did have some universal authentication I would want it to be cryptographically based rather than password login (like OpenID). Though managing keys would probably be too difficult for most people, and the system would be less flexible because users would need to carry their private keys around. With this system a user's identity is really just simply a public key, maybe with a "provider" attached to it like an email address. Once a website trusts your public key, due to a good comment, checking with some identity provider (like OpenID), or getting it from another trusted website, it doesn't need to do any more external verification. (This is how Freenet's forums work, for example.)

    10. Re:Universal Authentication by skeeto · · Score: 1

      This is an area of interest to me.

      My home computer gets pinged with ssh password guessing attempts all day. Not quite as hard as you, but a guess every few seconds. Key-only logins are a bit too inconvenient for me right now, so I take other measures. I have root logins disabled so they have to guess a password and a username, and they've never even guessed a correct username so far. I also used DenyHosts to mitigate attacks by instantly blocking anyone trying root logins, and block anyone else after 3 wrong guesses. (This would inevitably get myself blocked after a couple months, but adding my main IPs to hosts.allow fixed that).

      Even with DenyHosts I would still nervously scan my authlogs regularly. So I recently moved ssh to a different port, not even a high numbered one (below 1024), and the attacks completely stopped. 100% gone. Soon after I also threw up a home-crafted* ssh honeypot on port 22 so not only do they not go looking for my real ssh port, but I get them to waste their time as they try to do things in the honeypot.

      Wasting time is important, because that's less time they can spend finding and exploiting a real vulnerable system. I think of this as one of my contributions to the Internet.

      The honeypot is a very unprivileged user running Qemu running OpenBSD with most of the filesystem flagged schg or sappnd (not even root can modify files), with all outbound networking blocked. Only ssh in is allowed. Qemu is running at nice 20. And it's running in "snapshot" mode, so all writes to disk are temporary. Restart Qemu and it goes back to a fresh honeypot. I haven't done this yet but I will have a cron job restart Qemu every couple hours to wipe it clean (I want to work out better logging first).

      I'm still a bit nervous about the honeypot, so I keep a close eye on it. There may something I might have missed that could let them get more control. To help my confidence I have had friends log in and try to break it, or trash it up. So far so good.

      So far the attackers that have logged in haven't even tried to do anything. They just log in, and log out. It's really strange. Maybe they'll come back someday and try to send spam or something. Maybe it's an obvious honeypot?

      But here's the best part: the password for root is "password" (OpenBSD's passwd was not very happy when I did this) and very few bots ever guess this. What are they guessing? I've even seen bots that properly guess "password", log in, log out, then continue guessing more root passwords (maybe checking if it's a honeypot?). So far these random attackers don't seem very bright.

      *Yes, I've heard of Kojoney but I haven't been able to get it working. And I like mine better.

  4. Confirmation by Drakkenmensch · · Score: 4, Interesting

    Anyone who frequently uses google knows this already. Plug in any kind of search and you're bound to get a slew of crap results along the lines of:

    Download [term] full version

    Torrent [term] keygen

    Torrent [term] latest version

    Torrent [term] hacked no-cd

    You'll get those even when searching for books.

    1. Re:Confirmation by IBBoard · · Score: 4, Informative

      Except that that's not what the summary mentions. The summary is talking about people hacking websites to get more "good" links to their site, rather than having to rely on standard link farms that are then blacklisted. It's like comment spam, only with hacking of servers instead.

    2. Re:Confirmation by Ihmhi · · Score: 1

      I was always a bit puzzled by "Coheed & Cambria Latest CD no-cd"...

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
    3. Re:Confirmation by Anonymous Coward · · Score: 1, Interesting

      I've had my webpages up for years, but hadn't actually added anything new for a while so hadn't felt the need to stop by my site and do maintenance. This spring, Google sent me an email warning me that they were taking my site off their search engine for spamming. (Though they did suggest it had probably been hacked.)

      It was horrible. My pages had indeed been hacked and had "invisible" links written all over them. Some of them actually had all their real content deleted in favor of what looked like nothingness. New pages and directories had been added, sometimes imitating my own pages and sometimes not bothering, all filled with these spam links. And even better, none of the links actually led to the spammers' site! They all led to hundreds of other dormant websites, all on my own ISP, so I couldn't even block traffic. Sickening. They'd even come back in various months and added new layers of spam links. Brazen. And my own inattention had made it possible.

      What I didn't realize was that my ISP had made some supposedly "user-friendly" modifications in settings that had opened up pretty much everything on my account to any little annoyance who came knocking. I complained to them, explained how many other pages were affected that they were hosting, and pretty much got nothing in return.

      I could clean things up and change that, and I did. I could get Google to put me back on the search engine, and I did. I can resolve to leave my ISP next time I'm up for renewal, and I will. But the nuisance and violation of it all was horrible. Also, there's no guarantee that the spammers won't come back, with better cracking software, and mess up my pages again. One less bit of peace of mind for me, and no trouble at all for them.

      We don't need more authentification. We need to catch the people who do this and throw them in prison; and if they're in foreign countries, we need to get them extradited or convicted where they live. And nations ought to cooperate over this. On their own scale, and without any motive but profit, these sorts of spammers are destroyers of all they touch and enemies of all mankind. (After all, they are seriously messing up everybody's results and traffic, not just being an annoyance at my site.) If there was no profit and much loss in doing this, I think this sort of person would leave everybody's webpages alone.

    4. Re:Confirmation by Anonymous Coward · · Score: 0

      what were you looking, again? for crap?
      no wonder you got plenty of it!

  5. Only a year now? by Nick · · Score: 1, Interesting

    Or perhaps he meant it's only been popular in the last year or so. I've seen this going on for the last three years at the least.

    --
    Fuck Ajit Pai
  6. PageRank is a bullseye by spyrochaete · · Score: 2, Insightful

    If your website's front page has a PageRank score of 3/10 or higher it is a prime candidate for hijacking. Google gives extra clout to hyperlinks from sites with a high PageRank (aka "link juice"), so it's easiest for a malicious party to hijack a small number of high-ranking sites than a large number of low-ranking sites. The higher your PageRank the greater your risk.

    1. Re:PageRank is a bullseye by Dullstar · · Score: 1

      My website is probably a PageRank 1 or something. Just to get it to appear in the results you have to put the name in quotes. However, I think that's just a problem with the name considering the results you do get, so I'm going to redesign the whole site and give it a new name.

      What you said about PageRank reminds me of the April Fool's joke they did once (PigeonRank).

  7. Easy to spot? by T+Murphy · · Score: 1

    I am assuming you can produce a list of candidate sites that may be benefitting from this by tracking for sudden rapid growth in links. From there you should be able to come up with an algorithm that looks at what the beneficiary site is about and what the linking sites are about. I would assume the hacked sites will have a random distribution of topics and sources- or a highly clustered distribution if a certain type of site is most often hacked. Regardless the distribution should be markedly different from a typical site.

    NB: I am not very familiar with search engine algorithms so there is sure to be room for +5 comments whether you explain why this can work or can't work.

    --
    My webcomic
    1. Re:Easy to spot? by Shadow-isoHunt · · Score: 2, Insightful

      That doesn't work, because you can't possibly determine whether they're legitimate links or not(if the linking is done properly). For example, how do you differentiate inbetween something that starts as a result of an independently reported news event(or a slashdotting...), or something that starts as the result of hacking? If you want to waste the cycles, you can start mapping the event to find it's potential point of origin to see if it's a news site or something, but it's still going to hurt the little guys.

      --
      www.isoHunt.com
  8. Google needs to look at their financial stock page by Dan667 · · Score: 1

    If you look at the discussion for almost any stock, they are all stock scam span. Having seen Google catch most of my email spam and news groups are pretty clean so this is a bit surprising.

  9. Flying pigs by demachina · · Score: 1

    "and users become savvier in protecting their home machines"

    And when pigs fly...

    --
    @de_machina
    1. Re:Flying pigs by vintagepc · · Score: 1

      +1 optimistic. I think pigs will fly long before that happens.

      --
      Evolution - Est. 4500000000 B.C. Don't piss in the gene pool.
    2. Re:Flying pigs by goofyspouse · · Score: 1

      Dammit...I was just going to post that gem.

  10. Google could stop this, but.. by moon3 · · Score: 1

    The funniest part of this is that Google itself seams to fund them and has the ability to stop this MFA sites, link fraud sites -- this is a connected issue, but for some (very obvious) reason keeps it quiet.

  11. Google needs web spam to profit. by Animats · · Score: 3, Informative

    Google can't solve this problem because their business model requires web spam.

    Google is in the advertising business, not the search business. Search is a traffic builder for the ads. Google's customers are their advertisers, not their search users. They have to maximize ad revenue. The problem is that more than a third of Google's advertisers are web spammers, broadly defined. All those "landing pages", typosquatters, spam blogs, and similar junk full of Google ads are revenue generators for Google. Every time someone clicks on an AdWords ad, Google makes money, no matter what slimeball is running the ad. Google can't crack down too hard, or their revenue will drop substantially. Google does have some standards, but they're low.

    Google went over to the dark side around 2006. In 2004 and 2005, Google sponsored the Web Spam Summit, devoted to killing off web spammers. From 2006, Google sponsored the Search Engine Strategies conference, where the "search engine optimization" people meet. That was a big switch in direction, and a sad one.

    As we demonstrate with SiteTruth, it's not that hard to get rid of most web spam if you're willing to be a hardass about requiring a legit business behind each commercial web site. Google can't afford to do that. It would hurt their bottom line.

    However, cleaning up web search results with browser plug-ins is a viable option. Stay tuned.

    1. Re:Google needs web spam to profit. by Anonymous Coward · · Score: 0

      Haha, searching for google in SiteTruth is all negative.....are you getting paid for searches on that site!

      Yo Grark

  12. I've seen one of these hacked sites by maccallr · · Score: 2, Informative

    I saw this in the wild a few weeks ago. I had a google email alert running for my bank, which pointed me to a page which was blog-like but when you looked closer it was completely auto-generated gibberish. They had built the whole thing based on a list of banks and insurance companies. As it was under envsci.rutgers.edu I guessed they had been compromised.

    I reported it to the webmaster and I see that it is gone (both from Google's index and the server). Not a word of thanks though. How long does that take...

    Maybe someone here will give me a medal instead?

    1. Re:I've seen one of these hacked sites by Anonymous Coward · · Score: 0

      Nope.

    2. Re:I've seen one of these hacked sites by Anonymous Coward · · Score: 0

      If you're helping others hoping for a reward, you're thinking about it wrong.
      Check your motivation :)

    3. Re:I've seen one of these hacked sites by Anonymous Coward · · Score: 0

      I'll give you a free hug!

    4. Re:I've seen one of these hacked sites by maccallr · · Score: 1

      Thanks Anonymous Cowardon! (as rendered in FF 3.0.x)

    5. Re:I've seen one of these hacked sites by Anonymous Coward · · Score: 0

      Maybe someone here will give me a medal instead?

      FUCK YOU!

    6. Re:I've seen one of these hacked sites by skeeto · · Score: 1

      I've give you a coupon for one free internets, but I can't find the image.

  13. greasemonkey by Anonymous Coward · · Score: 0

    theres a greasemonkey script for that // ==UserScript== // @name No Experts Exchange // @namespace userscripts.org // @description Hide Expets-Exchange.com Results From Google // @version 0.1 // @include http://google.com/search?* // @include http://www.google.com/search?* // @include http://*.google.com/search?* // ==/UserScript==

    var url = document.URL;
    if(!url.match('-site%3Aexperts-exchange.com')){
            var urlArray = document.location.toString().split("q=");
            var queryArray = urlArray[1].split('&',1);
            var newQuery = queryArray[0] + '+-site%3Aexperts-exchange.com&';
            window.location.replace(url.replace('q=' + queryArray[0],'q=' + newQuery));
    }

  14. Rampant hijacking of .edu domains by Anonymous Coward · · Score: 1, Interesting

    This is particularly bad at the .edu domains. It is shocking and inexplicable that the IT departments at these universities don't know what's going on with their own servers and in their own zone files. There are literally thousands of hijacked subdomains under valid .edu domains. How can the network administrators not know what's going on? Don't they check their logs? Don't they see the google referrers for this spammy content? Could they be responsible for it themselves, or maybe getting a payoff for looking the other way? Just look at the results of this google search and see just how bad it is:

    http://www.google.com/search?hl=en&safe=off&q=%22low+cost+payday+loans%22+site%3A.edu&aq=f&oq=&aqi=

    These schools are required by law and regulation to protect their student's private information. If their servers are so badly compromised, how can their students and employees trust them with their personal and financial information? It displays shocking disregard for security or utter incomptence, or perhaps even corruption on the part of the IT staff, and seriously needs to be investigated, and corrected, without delay!

  15. I'll admit to being hacked before... by WoTG · · Score: 1

    IMHO, it's mostly script kiddies doing this "hacking". Over the years I have had a few sites developed and largely left to sit for posterity. Unfortunately, the ones that were running off-the-shelf packages such as phpNuke (CMS) or WordPress (blog) or phpBB (forum) have been hacked, or overrun by spammers, at least once. All of those packages had security flaws over the years... some worse than others.

    Yes, I should have keep them up to date, but, no I didn't and lot's of people don't.

    I want to keep the blog for a crazy project up for kicks, I don't want to keep updating WordPress on every release just to have that privilege.

    Anyway, it's getting better these days, all the major packages are much more security aware.