Wednesday, June 28, 2006

Crappy Humans

Sometimes it's not the software that's crappy. Rather, it's the humans that attack that software that are filled with crap.

Three weeks ago, crappy humans attacked screensite.org, the site we put together to assist film/TV students and teachers. They used a vulnerability in PHP-Nuke (on which ScreenSite was built) to hack in and then defaced the entire site with drivel. I had known PHP-Nuke was open to attacks, but I had not had time to patch it.

And yesterday, some crappy human attacked the guest book on Blog Ian, which is built on J.A.G. (Just Another Guestbook). This jerk (actually probably a robot employed by jerks) posted links to Cialis and Viagra sites. When I locked the guest book and ostensibly made it read-only, the crappy human still found a way to hack in and post his/her crap. So, evidently there's a security hole in J.A.G. that permits spamming. I guess this is not surprising since J.A.G. has not been updated in three years, but, still, it's disappointing that crappy humans would take advantage of its vulnerabilities.

These hacks of PHP-Nuke and J.A.G. raise a larger issue: are PHP and MySQL -- on which both of them are based -- inherently insecure platforms for Web-application development?

It seems like every LAMP application I've used has required security-based patching -- often quite urgently. Most recently, I read that Coppermine had a big hole in it that needed filling. It is discouraging me from developing applications on my own in PHP/MySQL. If major applications, with large programming teams, fall prey to such hacks, what chance do I have to make a secure application?

It's a sobering thought.

Friday, June 23, 2006

Preloaded Crap

Anyone who's bought a new computer recently knows that it comes preloaded with all manner of crap you do not need or want: ISP software from AOL/Earthlink, MSN/Hotmail solicitations, "support" software that pitches useless extended warranties, anti-virus software that stops updating after six months, buggy DVD players, "trial" or "lite" applications that are crippled and/or expire in 30 days, and on and on.

This was on my mind because I recently bought a new Dell desktop. In general, I'm pleased with it (for one thing, it's phenomenally quiet), but it did come with typical preloaded crap and I've been removing crappy apps one at a time. I could have saved myself the trouble, however, if I'd earlier discovered Jason York's "Dell De-Crapifier":

http://www.yorkspace.com/2006/04/38

Its sole purpose is to remove preloaded crap from Dell machines.

Great idea!