I just finished reading 'Prey' by Michael Crichton. This stuff scares me now. Of course who would ever be stupid enough to make bad decisions in order to meet big deadlines? Nobody ever does that!
I have been working as a full-time PHP developer for nearly 3 years now, and was a casual developer in the pre-PHP4 days. I will be the first to admit that I haven't always taken all of the necessary security precautions, but now I feel that I do pretty well in that area.
Just today I came across a huge flaw in the design of PHP as a language. I wrote some PHP4 code this past summer to encrypt credit card numbers and other sensitive data for secure storage. Since then we migrated the system to PHP5 and I was able to make use of the MUCH better implemented public/private/protected attributes of data members in classes to protect the key I was using for the encryption/decryption. I have been using ioncube to encode the PHP source to hide my key from prying eyes, but I discovered that the key is made visible by doing a simple print_r or var_dump on $GLOBALS.
I realize that the private/protected attributes aren't intended to keep data like this secure, but the point of this long post is to say that there isn't any way provided of securely keeping sensitive data secure.
So my opinion to the question asked is this: uneducated PHP developers cause most of the security problems in PHP applications, but the language itself could definitely use some extra security consideration.
Did anyone catch that detail? Why do I get the feeling that SCO is going to keep adding more and more claims to the lawsuit before then?
My friend's view of the case:
SCO: "Okay, please just show us what you did against us."
IBM: "No. We didn't do anything."
SCO: "You sure?"
IBM: "Positive."
SCO: "You didn't even make fun of Darl's tan?"
IBM: "Nope."
SCO: "But we have proof!"
IBM: "Where? Show us."
SCO: "First, you have to give it to us!"
Judge: "Case adjourned."
bleh! Yes, I live in Utah. In fact, I live about a mile from his Provo office. I generally don't mind him, but I think that the fact that he would consider supporting anything that suggests willful destruction of property is idiotic, not to mention pointless. I wonder how they even intend to distribute this software that destroys your computer. I suppose that if they embedded viral code in media files that spawns when the file is opened then that's one way to do it. If they name it to match the name of a copyrighted file, then you really aren't downloading copyrighted materials. That means you'd have to distribute the actual file to make it legal. As we all know, there's a way around everything. Someone could create a patch for Anti-Virus programs to search for the "destructive code" as a part of the virus definitions. That means we clean the file, and get the copyrighted materials. I dunno.. maybe they have some other grand plan. It's all pointless if you ask me. If they really do get their way, they'll kill the PC component industry since people will have no use for bigger hard drives, broadband, cd & dvd burners, recordable media, etc. The list goes on.
Looks like it's back to the drawing boards Orrin.
:P
Microsoft has a reputation for creating their own technologies (ie: WMA, WMV) so it _really_ wouldn't surprise me if we see a WMG sometime soon. Then when we ask about PNG, they will probably say something stupid like "We feel that WMG is a sufficient replacement for preceding technologies . . . etc"
I'll have to admit, I think that I'm going to have nightmares tonight. After seeing the spirits possess that soldier.. I know I'm a wuss, but I can't wait until the game comes out!
amen. now that microsoft has given in, i hope that more countries follow suit, especially the US. (Maybe it's too bad that this didn't happen before the ruling of the anti-trust case?)
Slashdot Mirror
I just finished reading 'Prey' by Michael Crichton. This stuff scares me now. Of course who would ever be stupid enough to make bad decisions in order to meet big deadlines? Nobody ever does that!
I have been working as a full-time PHP developer for nearly 3 years now, and was a casual developer in the pre-PHP4 days. I will be the first to admit that I haven't always taken all of the necessary security precautions, but now I feel that I do pretty well in that area.
Just today I came across a huge flaw in the design of PHP as a language. I wrote some PHP4 code this past summer to encrypt credit card numbers and other sensitive data for secure storage. Since then we migrated the system to PHP5 and I was able to make use of the MUCH better implemented public/private/protected attributes of data members in classes to protect the key I was using for the encryption/decryption. I have been using ioncube to encode the PHP source to hide my key from prying eyes, but I discovered that the key is made visible by doing a simple print_r or var_dump on $GLOBALS.
I realize that the private/protected attributes aren't intended to keep data like this secure, but the point of this long post is to say that there isn't any way provided of securely keeping sensitive data secure.
So my opinion to the question asked is this: uneducated PHP developers cause most of the security problems in PHP applications, but the language itself could definitely use some extra security consideration.
bleh! Yes, I live in Utah. In fact, I live about a mile from his Provo office. I generally don't mind him, but I think that the fact that he would consider supporting anything that suggests willful destruction of property is idiotic, not to mention pointless. I wonder how they even intend to distribute this software that destroys your computer. I suppose that if they embedded viral code in media files that spawns when the file is opened then that's one way to do it. If they name it to match the name of a copyrighted file, then you really aren't downloading copyrighted materials. That means you'd have to distribute the actual file to make it legal. As we all know, there's a way around everything. Someone could create a patch for Anti-Virus programs to search for the "destructive code" as a part of the virus definitions. That means we clean the file, and get the copyrighted materials. I dunno.. maybe they have some other grand plan. It's all pointless if you ask me. If they really do get their way, they'll kill the PC component industry since people will have no use for bigger hard drives, broadband, cd & dvd burners, recordable media, etc. The list goes on. Looks like it's back to the drawing boards Orrin.
:P Microsoft has a reputation for creating their own technologies (ie: WMA, WMV) so it _really_ wouldn't surprise me if we see a WMG sometime soon. Then when we ask about PNG, they will probably say something stupid like "We feel that WMG is a sufficient replacement for preceding technologies . . . etc"
I'll have to admit, I think that I'm going to have nightmares tonight. After seeing the spirits possess that soldier.. I know I'm a wuss, but I can't wait until the game comes out!
And DOWN plummets the credibility of the RIAA! woohoo!
amen. now that microsoft has given in, i hope that more countries follow suit, especially the US. (Maybe it's too bad that this didn't happen before the ruling of the anti-trust case?)
Sweet! I'm gonna go fight the wildfires in Asia! Woohoo!