I've written lots of PHP code in my spare time, and have written an article on creating "rootkits" to covertly inject into PHP scripts (phpBB2 in particular), so I thought I'd chime in. This'll probably be a long post but hopefully it'll give people some things to look out for.
Here are the most common security problems you run into in PHP:
magic_quotes: This adds slashes to all input so that you don't have to sanitize it before it gets inserted into SQL. The problem is that developers write their code with magic_quotes on, but don't realize that it's often turned off elsewhere, which leads to gaping holes.
register_globals: Variables can be placed directly into the global namespace. If you don't explicitly set all variables before using them anything can be injected into them, which brings me on to:
Only critical errors are reported: If you use a variable which isn't set it'll just return null, with no error (unless you specifically turn up the error_reporting level). This means that someone who isn't familiar with the problem won't know that a variable in their script can be written to by anyone until it's being exploited. Functions which you would expect to return an error and halt the script if they fail can carry on without giving any indication of failure.
fopen_urls: By default you can include scripts hosted on other websites! This often makes remote PHP execution, which would otherwise require eval(), much easier.
Who would have thought "<?php include($var.'/include.php'); ?>" will run any PHP on any server, anywhere? (The attack in the article above leveraged entry using this, coupled with register_globals.)
Inconsistencies: What one function does can never be applied to what another function does; you can never assume anything with the PHP library and always have to keep a browser window with the PHP manual handy. Using a function without carefully reading up what it does, even when it's very similar to another function you're familiar with, is asking for trouble in PHP.
The same goes for just about everything; are you checking whether some input equals some harmless number before passing it on to a SQL query or the browser? Don't forget that (5 == "5 UNION SELECT secret FROM..."), null == 0 == "" == false, "a" == 4 == true; generally you just have to be on your toes.
Input checking is difficult: Do you want htmlentities() or htmlspecialchars()? Have you remembered to stripslashes() if magic_quotes is on? Remember the user can input arrays too; are you checking that the input isn't an array? Have you remembered to escape queries with mysql_real_escape_string()? mysql_escape_string() doesn't account for the character set being used, and so isn't good enough; trying to escape input for yourself is also dangerous. What about null bytes? Remember that the user can input binary data; PHP allows null bytes, and will add a slash to them, but when you send a string with null bytes to some functions, but not others, the null bytes will be silently dropped leaving only slashes.
To check input in PHP you have to be absolutely rigorous and take no half measures; people who aren't aware of the dangers don't stand a chance.
To be honest I'm a big fan of PHP, it's very flexible and lets you develop very quickly and easily; if you have the knowledge and self discipline it's an excellent language. But allowing fast, easy development at the cost of security is insane for a server-side web scripting language!
I was hoping that PHP6 was all about doing a 180 degree turn on security, but this article doesn't bode well..
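An added example (not part of the original comment) showing the input-checking points from the post in code: the loose-comparison trap, array and null-byte input, and passing the value to the database as a parameter rather than by escaping. Function names, the table name and the PDO handle are assumptions; the loose-comparison results shown in the comments are those of PHP 5/7, the post's era (PHP 8 changed number/string comparison so "5 UNION..." no longer equals 5).

```php
<?php
// Added example, not the original poster's code. Assumed function names.
declare(strict_types=1);

// Returns true only for a non-empty string of ASCII digits short enough to
// fit in a 64-bit int. Rejects arrays (?id[]=5), null, signs, whitespace,
// embedded null bytes and anything like "5 UNION SELECT ...".
function isSafeId($value): bool
{
    if (!is_string($value)) {              // arrays and null fail here
        return false;
    }
    if (strpos($value, "\0") !== false) {  // reject null bytes outright
        return false;
    }
    // ctype_digit('') is false, so empty strings are rejected too
    return ctype_digit($value) && strlen($value) <= 18;
}

// The check the post warns against: under PHP 5/7 a string that merely
// starts with "5" compares equal to the integer 5.
function looseCheckAccepts($value): bool
{
    return $value == 5;
}

// Strict comparison never coerces, so only the integer 5 passes.
function strictCheckAccepts($value): bool
{
    return $value === 5;
}

// Constructed sample inputs, as they could arrive via $_GET / $_POST.
$inputs = [
    '5',                             // legitimate
    '5 UNION SELECT secret FROM t',  // loose == 5 is TRUE on PHP 5/7
    ['5'],                           // array smuggled in via ?id[]=5
    "5\0",                           // null byte after the digit
    null,                            // unset / missing parameter
];

foreach ($inputs as $in) {
    printf("%-36s loose==5: %-5s ===5: %-5s isSafeId: %s\n",
        json_encode($in),
        json_encode(looseCheckAccepts($in)),
        json_encode(strictCheckAccepts($in)),
        json_encode(isSafeId($in)));
}

// Even after validation the value goes to the database as a bound parameter,
// never by string concatenation, so no escaping function is involved.
// $db is a hypothetical PDO connection; table and column names are assumed.
function fetchSecret(PDO $db, string $id): ?array
{
    if (!isSafeId($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT secret FROM t WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The loop prints one line per constructed input so the three checks can be compared side by side; only isSafeId() and the strict comparison reject every hostile case.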
I don't understand, I've read quite far into the comments posted and no-one mentions nuclear?!
Talk about ignoring the elephant in the room; breeder reactors have the capability to provide all the energy we could need from 10,000 to 4 billion years, they have already been developed and are in use in Russia and China, and India are hoping to build some because of their vast amounts of Thorium. The waste they give off decays relatively quickly compared to the waste given off by conventional fission reactors.
They're only not in use because of the problem of proliferation (they can be used to generate plutonium), and because they're slightly more expensive than conventional fission.
There is no energy problem, energy is everywhere, there are only political problems!
Certainly we change our values all the time based on our environment. What evolutionary reason was there to free people from slavery, for example? It sure makes a lot of sense evolutionarily speaking to keep slaves.
If you're just saying that people's values change, then I agree, but values aren't people's deepest desires. We're talking about the desire to feel comfortable and good, no-one is going to start having cold showers to fight greenhouse gases.
If you're suggesting that religion is the explanation for why slavery was abolished; you do realize that the Bible condones slavery (read it in the account of Noah, and in other passages where you're told how to keep a slave the proper way), and that Abraham Lincoln (the main mover behind the recent abolition of slavery) wasn't a religious person?
Have you ever actually used a Dreamcast emulator? There are always sprites that don't render, polygons which are the wrong color, games which don't load, graphics which were meant to be viewed on the relatively blurry TV looking terrible on a computer screen, etc.
Also the computers required to run an emulator with any sort of speed will always be more expensive than the console, unless you're talking about an antique console which you can no longer find. That kind of defeats the object of trying to be cheap; who doesn't have the money to buy a modern console but does have the money to buy a PC which can emulate one?
The presence of sulphur balls (brimstone) has not been explained any other way. Within this pile of ashes are the traces of buildings that once were. There is much physical evidence of other events in the Bible as well. However, it is only a waste of time and energy to present it here.
The Bible record says that "the Lord rained brimstone and fire on Sodom and Gomorrah" (Genesis 19:21). The Hebrew word used here and translated "brimstone" literally means "sulphur". In fact the New International Version uses the word "sulphur". Wyatt delves into the earth and finds some small globules which he says are balls of sulphur.
This, however, is not significant. Elizabeth points out that this type of chemical feature in lake sediments can be found in many ancient lakes elsewhere in the world. Actually, sulphur is particularly common around the Dead Sea. There is a chemical factory at the south end of the sea which extracts salt and other minerals from the area and when I first visited there in 1958 I found a huge mound of yellow sulphur ready for treatment and export.
Troy was likely inhabited by descendants of the Israelite tribe of Dan. I could go into much detail about all of this but it would be fruitless. Many of the gods of Greek mythology are taken from Biblical events. Ever wonder why Greek Mythology and some events in the Bible are very similar?
Because we can find similarities and patterns in anything. There are plenty of absurdities in both religions, some different (Zeus tricking his dad into eating a rock instead of him, for one of thousands of examples), some the same (Menelaus sacrificing his daughter for wind, as the Delphic oracle told him).
Like I said before (read the post), the current translation states that the Flood covered the entire earth (as in planet). The original Hebrew word is Eretz which means land. It could just as easily have been translated that the flood covered the entire land (where Noach lived).
Okay, so it didn't wipe out all the birds and land animals as God said it would? Or did God mean that only the animals in the immediate area were evil, and animals everywhere else got off the hook?
Whether it was small or large, is there any evidence God was the cause?
Actually, your statement shows exactly how little you know about the Bible.
I know more than most Christians do, I know more than the people who come knocking on my door preaching about it do; but that's irrelevant, I don't have to know every word of an Aboriginal tribe's Rainbow Snake myth in the Aboriginal tribe's own metaphorical language to be confident that it's not true. Same goes for the Bible.
I agree with you in this statement. Hebrew is very much a metaphoric language. (trees clapping hands - we all know that trees do not have hands). In order to understand the Bible, one must also look at the Hebrew culture, its language, and the idioms of the language in that day. One must also look at how things can be mis-translated as the Bible was translated from one language to another. I have studied all of these things, and have taken them into account.
It makes me wonder what the point of it is, if it has been mistranslated from a language that it couldn't be effectively translated from. If I did know the Bible inside out I suppose you would then say "Ah, well do you know Ancient Hebrew? If not then who are you to question the Bible?" "You learned Ancient Hebrew? Well do you have a PhD in Biblical Archeology?"
If only God came down again and got someone to write it out again in English, right from the Horse's (capitalized out of respect) mouth. But he's strangely silent; no-one turning into salt, he hasn't come down to have a ni
Re:h264 decoding on vlc player kicks ass! (on VLC 0.8.6 Released, Score: 1)
You should thank the ffmpeg team for that, not the VLC guys (who certainly deserve credit for their work in other areas though)
The only evidence you link to was that Sodom was found. How is this evidence for the Bible? Are there any woman-shaped pillars of salt nearby? Is there a big smoking crater?
Even some evidence that Lot really did have sex with his two daughters in a nearby mountain would be better than nothing..
How about how they discovered the city of Troy from the Iliad? Is Troy evidence that the Gods the ancient Greeks worshiped existed?
If there was a big flood is there any evidence that God did it? Is there any evidence that it truly did kill all land animals and birds that weren't on the Ark? (Mitochondrial DNA clocks, genetic diversity, and common sense, suggest otherwise)
You say that the first Genesis was the creation of hunter gatherers, and the "second Genesis" was the creation of agriculture. This contradicts God's curse against Cain, IIRC God said something to the effect of "The land will yield nothing for you, you will be a wanderer in the land" to which Cain replied to the effect of "No, anything but that, if I become a wanderer men will kill me". And didn't Cain's feeble offering to God that resulted in him murdering his brother contain sheep and other farm produce?
It seems he was a farmer before God cursed him, as were the other people that were alive at the time (where did these people come from anyway?). The only way you can get out of this is by adding on another even more dubious "interpretation".
No-one doubts that the Bible isn't completely fiction, just like no-one says that the Iliad isn't completely fiction, but that doesn't mean the whole thing is non-fiction.
There is simply no way you can take the Bible literally without "interpreting" it in such a way that it loses all meaning.
Since I wasn't even using this obscurity argument, all I can do is throw up my arms at your bizarre strawman attack.
I'll use your only argument that OS X is secure (which I've already addressed over, and over), and replace "OS X" with "MS-DOS 6.22".
Cite a single "remote vulnerability exploit in the wild" against MS-DOS 6.22. You can't, go ahead, I dare you. With Windows I have to worry about hackers writing remote exploits, but with MS-DOS 6.22 none exist at all. MS-DOS 6.22 is therefore more secure than Windows NT 5.x.
Also my house is more secure than The National Museum of Fine Art in Sweden. Number of Rembrandts stolen from The National Museum of Fine Art, Sweden: 1; number of Rembrandts stolen from my house: 0.
If you question my logic here I will repeat the same argument in a long drawn out form with some National Museum of Fine Art FUD, and some sentences in caps-lock, until you give up and leave me with my false sense of security.
By the way, cite a remote exploit for Windows XP SP2.. It's called an inbound firewall, and any OS with one, which isn't being used as a server, can't have a remote exploit in the sense you require. This makes the number of remote exploits an absurd metric for desktop computer security. What about number of vulnerabilities / number of users? Who do you think would have the largest ratio out of Apple and Microsoft given this more sensible metric?
What are you doing posting to Slashdot?! If you're not having sexual intercourse right now you're killing potential future Einsteins and Newtons! Murderer!
Basically, you have to go through a lot of work to make a Mac hackable.
From here on I will quote only Apple, as you don't seem to believe anything that doesn't come from Apple.
Impact: Attackers on the wireless network may cause arbitrary code execution
Impact: Visiting a malicious web site may lead to arbitrary code execution
Impact: Uncompressing a file with gunzip may lead to an application crash or arbitrary code execution
Impact: Viewing maliciously-crafted font files may lead to arbitrary code execution
Impact: Using PPPoE on an untrusted local network may lead to arbitrary code execution
Impact: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
The last one isn't part of OS X, but then again MS Word isn't part of Windows. I haven't included local exploits, because I know you don't believe in them or something..
It was on the front page, but as soon as I clicked on it I got the "Move along, nothing to see here" message, and it was gone from the front page. If you look at the poster Spiked_Three's page you can see that the story is listed as accepted.
Did this get suddenly yanked off the front page while IE MySpace worms and MS Word 0-day exploits get through just because Slashdot has a lot of sensitive Mac owners?
I come here to read tech news, not to have my ego stroked. If something relevant happens I want to hear about it regardless of whether it makes a company I like look bad..
I doubt anyone is really this stupid, you must be a troll, but what the hell..
Yes, you absolutely did. There are no exploits running around in the wild affecting Macs. You can't cite a single real-world example. Not a single one.
"running around in the wild"? An exploit is a piece of code which can be used to exploit a vulnerability. One thing that the rm-my-mac-mini competition showed is that exploits have been written for undisclosed OS X vulnerabilities. If no exploits existed how could OS X's security have been breached, and the Mac Mini's files deleted? Q.E.D.; exploits do exist for OS X.
Absolutely correct. None of them are being exploited at all.
As I showed above exploits have been written for OS X. What you are saying is that the only time exploits have ever been used against OS X was in the rm-my-mac-mini competition. The hackers that look for security holes in Apple's software, and don't disclose the holes, never exploit the holes they find; they just do it in case rm-my-mac-mini competitions come up.
And yet nobody's exploiting it, because OS X's security prevents access. Next.
What about the Safari vulnerability that allows you to remotely execute code? What about the Webkit vulnerability, or the AirPort vulnerability, or the Windows share vulnerability? OS X seems to allow access more than prevent it.
Which should tell you just how "urgent" it was to fix something that wasn't really a problem in the first place.
So holes like anyone being able to get complete access to your machine simply by you connecting to someone wirelessly, or looking at a malicious webpage, or accessing a malicious share or folder, aren't urgent to you? If not then I should say that there's a difference between being secure, and simply not valuing your security.
Lies, lies, and more lies. 100% false in every way imaginable.
But I'm citing Apple's own list of patches. Do you believe Apple's security is so flawless that the only explanation for their list of critical security holes is that they're lying?
Ah, the old "false sense of security" canard, despite the fact THERE IS NOT A SINGLE EXPLOIT RUNNING IN THE WILD THAT IS INTRUDING ON A SINGLE MAC. You can't cite a single one. Go for it.
See above; rm-my-mac-mini couldn't have happened without an exploit. If you're wondering why I keep referring to rm-my-mac-mini it's because hackers or script kiddies with OS X exploits generally don't make a habit of letting everyone know what they've been up to. rm-my-mac-mini is a source which I can cite which conclusively shows that exploits have been written for OS X vulnerabilities. (PS Writing in caps doesn't make people ignore the fact that your (only) argument has already been addressed)
The argument you seem to be stumbling towards is "OS X has practically no market share, so no piece of malicious software written for it can be mass distributed effectively, therefore OS X is secure."
Luckily for you barely anyone owns a Mac. By the same logic I could say "MS-DOS 6.22 is a perfectly secure, robust OS; there's not a single exploit being used against it".
By the way, have you noticed the recent MySpace worm that's being spread with Quicktime? Quicktime is just about the only piece of Apple software that a large number of people use to process data directly from the web, and sure enough hackers find a way to exploit it.
Participants were given local client access to the target computer and invited to try their luck.
Did you not understand?
We are talking about a zero day exploit from an email attachment here - not someone getting an elevated access level AFTER being given a user account on the affected machine.
If I understand you right you are saying OS X is secure because the rm-my-mac-mini competition wasn't realistic.
First off I only referenced it to show the GP that exploits for these vulnerabilities do exist in the wild, and had been in the hands of hackers for months. Something which he thought I "made up on the spot".
As regards your specific point, if the rm-my-mac-mini competition instead allowed the attackers to submit HTML, which would automatically be rendered in Safari (a more true to real life scenario), vulnerabilities still existed which could have been used to get root privileges.
Before you reply saying "That's still unrealistic. You shouldn't render suspect HTML, or connect to suspect wireless networks, or visit suspect Windows shares, or look at suspect directories in Finder. Realistically no-one would run into those OS X vulnerabilities.", perhaps I'd say that realistically no-one would download and look at a word document from an e-mail attachment that they weren't expecting. I know I wouldn't.
No, I don't, because nothing was "being exploited for months," and you can't cite a single incident to back up that claim. You just made it up on the spot.
No, I didn't:
"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia.
None of the patches were zero-day exploits, and most were patches of UNIX utilities, not Apple software.
Read the list. By my count, 13 out of 22 of the vulnerabilities are in Apple's code. Who's making things up on the spot here?
None of them are zero-day exploits? Checking one of the UNIX utility vulnerabilities (because these are the only ones that we know when they were discovered) the perl vulnerability was discovered in December 2005.
With this Word vulnerability MS discovered its use in the wild, and they've let everyone know and are working on a patch. With that perl vulnerability, and probably others in the list, it was discovered in 2005 and Apple only get around to releasing a patch now.
At least you're right that that's not zero-day; that's negative-three-hundred-and-sixty-five-day.
Have fun screening all your email from all your contacts in Outlook.
I don't have to screen anything; I just won't open any Word documents. Look at the list above from Apple; you would have had to screen e-mail for HTML, new fonts, turn off your wireless card, not use any Windows shares, not go to any links to web pages given in e-mails, not go to any suspect web pages, etc, etc. The only difference is that Apple don't post security bulletins giving people warning, that might damage sales.
Have fun having a false sense of security though.
The thing PostgreSQL needs is a phpMyAdmin, it has something similar but it doesn't come close. phpMyAdmin makes MySQL accessible to everyone, and I think if an OSS DB is going to be widely used it needs a good admin CP which doesn't require the user to be fluent in SQL.
separation of the human species in case of global tragedy
That's like saying the ISS is good because we now have a separation of the human species. There's no way a base on the moon would be self sufficient. No human will become independent of Earth for a long time, if ever.
I agree. I'm currently on holiday, and have been spending most of the day pawing through an open source app of mine simply changing part of the internal architecture to the way I should have made it in the first place. You can only add so many hacks on top of hacks before you have to tear it all up and re-write a lot of code.
The point is with my open source projects I find that I write the code to get a feature that I want now; I enjoy the results of the code more than coding itself. The opposite is true where I work; I'm not rushing to see some boring inventory app in action, so I enjoy coding it right.
I don't think you can say "open source means good code" or "no deadlines means good code", I'd say it's more to do with your motivation.
But once developed, the cost of additional copies is zero, and they proliferate in no time. So it seems no one has invested the time or money to develop that.
As I said the cost of development makes developing spyware for Macs prohibitively expensive for the profits that such a relatively small market share could yield. I don't see how I could make it any clearer.
If the cost of development is $10,000, but the software is only expected to yield $1,000, it doesn't matter that the software, once developed, is easy to proliferate. It can only be expected to proliferate to so many Macs, which will only yield so much profit.
How does transmission of data equate to taking a dump? Unless you use Morse code to talk to people in adjacent toilet cubicles.
http://www.diggingsonline.com/pages/rese/tales/sodom.htm
And the Webkit vulnerability that allowed a malicious webpage the ability to execute code?
Speaking of Slashdot censorship, can anyone tell me what happened to this story:
Apple Quicktime virus on MySpace
As regards your specific point, if the rm-my-mac-mini competition instead allowed the attackers to submit HTML, which would automatically be rendered in Safari (a more true to real life scenario), vulnerabilities still existed which could have been used to get root privileges.
Before you reply saying "That's still unrealistic. You shouldn't render suspect HTML, or connect to suspect wireless networks, or visit suspect Windows shares, or look at suspect directories in Finder. Realistically no-one would run into those OS X vulnerabilities.", perhaps I'd say that realistically no-one would download and look at a word document from an e-mail attachment that they weren't expecting. I know I wouldn't.
Solve the world's energy problems.. Utah.. Solve the world's energy problems.. Utah.. Hrmmm..
Read the list. I count 13 out of 22 of the vulnerabilities are in Apple's code. Who's making things up on the spot here?
None of them are zero-day exploits? Checking one of the UNIX utility vulnerabilities (because these are the only ones that we know when they were discovered) the perl vulnerability was discovered in December 2005.
With this Word vulnerability MS discovered its use in the wild, and they've let everyone know and are working on a patch. With that perl vulnerability, and probably others in the list, it was discovered in 2005 and Apple only get around to releasing a patch now.
At least you're right that that's not zero-day; that's negative-three-hundred-and-sixty-five-day.
I don't have to screen anything; I just won't open any Word documents. Look at the list above from Apple; you would have had to screen e-mail for HTML, new fonts, turn off your wireless card, not use any Windows shares, not go to any links to web pages given in e-mails, not go to any suspect web pages, etc, etc. The only difference is that Apple don't post security bulletins giving people warning, that might damage sales.
Have fun having a false sense of security though.
Then Microsoft lets everyone know the moment an 0-day vulnerability is released which exploits a bug in Word.
Some people here make Slashdot seem like a parody of itself..
The thing PostgreSQL needs is a phpMyAdmin, it has something similar but it doesn't come close. phpMyAdmin makes MySQL accessible to everyone, and I think if an OSS DB is going to be widely used it needs a good admin CP which doesn't require the user to be fluent in SQL.
That's like saying the ISS is good because we now have a separation of the human species. There's no way a base on the moon would be self-sufficient. No human will become independent of Earth for a long time, if ever.
I agree. I'm currently on holiday, and have been spending most of the day pawing through an open source app of mine simply changing part of the internal architecture to the way I should have made it in the first place. You can only add so many hacks on top of hacks before you have to tear it all up and re-write a lot of code.
The point is with my open source projects I find that I write the code to get a feature that I want now; I enjoy the results of the code more than coding itself. The opposite is true where I work; I'm not rushing to see some boring inventory app in action, so I enjoy coding it right.
I don't think you can say "open source means good code" or "no deadlines means good code", I'd say it's more to do with your motivation.
If the cost of development is $10,000, but the software is only expected to yield $1,000, it doesn't matter that the software, once developed, is easy to proliferate. It can only be expected to proliferate to so many Macs, which will only yield so much profit.