PHP making great progress (on: PHP 5.6.0 Released) · Score: 2, Informative
I'm certainly biased because my company (ServerPilot) sells a service for PHP developers using DigitalOcean and other servers, but it does seem like PHP is making great progress in the past few years both in the language and in terms of a strong developer community. We're very glad to see PHP 5.3 EOL'd recently. To encourage adoption of 5.6, we've already packaged and added support for 5.6.
Thanks for letting people know about RequestPolicy. I would like to stress, however, that RequestPolicy is not a replacement for NoScript. I actually keep a FAQ entry about the high-level differences between the two extensions as this is a not uncommon misunderstanding:
To give one example of why it can be bad for a package manager to accept older metadata when it has previously seen more recent (valid/signed) metadata: If you are installing a new package (rather than updating a package) and the old package you are served doesn't conflict with your currently installed packages, you will be installing a package that may have known security vulnerabilities. Additionally, the attacker who gave you that package may know your IP address now.
In this case it does not matter that the packages are signed. And if the metadata isn't signed, the above still applies but is easier to exploit.
Just to be very clear about this one point because it is sensitive: the public mirrors we set up and had listed as official repositories were kept up-to-date and we only served current metadata and packages. We served nothing that was out-of-date (beyond normal mirror update lag time between rsyncs with the upstream mirrors) and we served nothing that had been modified.
All tests we performed related to what a malicious mirror could do (e.g. serving out-of-date metadata, serving modified metadata in the case of package managers that don't sign metadata, etc.) were performed using separate mirrors and clients of our own. Nothing we did with our mirrors put users at risk.
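The rollback case described in the comment above, as an added example that is not code from the commenter or from any package manager they tested: a minimal client that remembers the newest metadata version it has accepted and refuses a validly signed but older snapshot. The repository key, the `expires` field and the package data are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example: a repository signing key shared with the client. Real
# package managers use asymmetric signatures; an HMAC stands in so this runs
# with the standard library only.
REPO_KEY = b"example-repo-signing-key"


def sign_metadata(meta: dict) -> dict:
    """Wrap metadata in a signed envelope over its canonical JSON form."""
    body = json.dumps(meta, sort_keys=True)
    sig = hmac.new(REPO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class Client:
    """Package-manager client that remembers the newest metadata version seen."""

    def __init__(self, check_rollback: bool = True):
        self.check_rollback = check_rollback
        self.last_version = 0
        self.packages = {}

    def accept(self, envelope: dict, now: int) -> bool:
        """Return True and update state only if the metadata passes all checks."""
        body = envelope["body"]
        expected = hmac.new(REPO_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["sig"]):
            return False  # modified or forged metadata
        meta = json.loads(body)
        if now > meta["expires"]:
            return False  # expired metadata (assumed field; bounds how long a replay works)
        if self.check_rollback and meta["version"] < self.last_version:
            return False  # validly signed, but older than what we already trusted
        self.last_version = meta["version"]
        self.packages = dict(meta["packages"])
        return True


def rollback_scenario() -> tuple:
    """Serve an old but validly signed snapshot to a hardened and a naive client."""
    old = sign_metadata({"version": 1, "expires": 2000, "packages": {"foo": "1.0"}})
    new = sign_metadata({"version": 2, "expires": 2000, "packages": {"foo": "1.1"}})
    hardened, naive = Client(), Client(check_rollback=False)
    for c in (hardened, naive):
        c.accept(new, now=1000)  # both clients first see the current snapshot
    return (hardened.accept(old, now=1500), hardened.packages["foo"],
            naive.accept(old, now=1500), naive.packages["foo"])
```

The naive client ends up with the older `foo` listing even though every signature it checked was valid; only the remembered version number separates the two outcomes.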
Airscanner seems to be a company that is dedicated to information and it would seem to me that we have an option to protect our devices.
Airscanner seems to me to be a company that is willing to mislead users on very sensitive matters. Take, for example, their volume encryption tool, Encrypter, that doesn't actually work like every other volume encryption tool, encrypting and decrypting on the fly, but rather decrypts all data from a volume onto the storage device when you mount it and leaves all of that data unencrypted until the volume is mounted again. If, for example, you dropped your phone/PDA that had a mounted volume and the thing broke and you sent it in for repair, all of the data of your mounted volume would be unencrypted for the service people to see. Or if your battery died while the volume was mounted, once again, all data would remain in unencrypted form. Compare this to using loop-aes or dm-crypt/luks with a mounted volume, or pgp disk.
I believe in such sensitive matters as data encryption/privacy/security that if one is doing something outside the norm that is detrimental to the user and their intentions with the software, then it is the responsibility of the vendor/producer to make people aware of it. To mislead by omission on a matter such as this is, in my opinion, akin to flat out lying.
If it was the case that the Airscanner people actually weren't smart enough to realize the problems with their Encrypter software before it was pointed out to them recently, then that would be even less reason to trust anything that comes out of their mouths. As it stands, I have to assume that they knew the shortcomings of their software that could jeopardize users who took for granted that the software would work as expected but decided not to make that information obvious because it would hurt sales.
Thank you Airscanner for educating this average user!
Given the fact that Airscanner may be doing more to jeopardize the average user who uses their Encrypter product and therefore thinks their data is secure in cases where it is not, I am more inclined to say shame on you, Airscanner, for profiting off of deception. Honestly, I can't help but think the post I'm replying to is an advertisement by someone connected with Airscanner rather than a truthful statement from an average user. However, I do appreciate them picking apart the competition. Too bad they didn't include a section on their own software in the article. Their excuse would probably be similar to the responses from the vendors they queried: It's that way by design, so it's not a problem.
Really, nobody says it better than Seth Fogie, the author of TFA, himself. From TFA:
Fortunately, there is a great deal of 3rd party security software out there. Unfortunately, much of it is completely insecure. Sadly, Windows Mobile developers have not yet been held up to the same scrutiny as desktop software developers. For instance, you may think your 'encrypted' or 'secure' data is safe on a Pocket PC because the vendor stated as much, when in reality the data is insecure.
[Note: I'm the RequestPolicy author.]
http://www.requestpolicy.com/faq#faq-noscript
http://forums.pocketpcfaq.com/viewtopic.php?t=1757 1
The average user doesn't enclose their Google search phrase in quotes.
No quotes: 12,200,000 results
Good luck getting on the first page there.