Sep 29

There's something I have recently noticed among PHP "security experts" (people who have had their software criticized at some point or other for poor security, and Googled "php security"). For some reason, some PHP developers have this idea that mysql_escape_string or mysql_real_escape_string is the answer to all of their problems. Wrong, wrong, wrong, wrong, wrong, wrong, WRONG.
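
As an added illustration (not part of the original post, and not the author's code): the script below shows the most common way escaping fails. It uses SQLite so it runs offline, and the escape_string function is a stand-in for mysql_real_escape_string (SQLite doubles quotes where MySQL backslash-escapes them; the role is the same). The table and rows are constructed for the demo. The point generalizes beyond PHP: escaping only neutralises the characters that can close a quoted string literal, so a value interpolated into an unquoted numeric field like `WHERE id = $id` stays injectable, while a bound parameter never becomes part of the SQL text at all.

```python
import sqlite3

# Constructed sample data for the demonstration (not a real schema).
USERS = [(1, "alice", "s3cret-1"), (2, "bob", "s3cret-2"), (3, "carol", "s3cret-3")]


def connect():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape_string(value):
    """Stand-in for mysql_real_escape_string (assumption: same role, SQLite dialect).

    MySQL backslash-escapes quotes; SQLite doubles them. Either way the function
    only touches characters that could terminate a quoted string literal.
    """
    return value.replace("'", "''")


def find_by_name_escaped(conn, name):
    """Quoted string context: escaping is enough here, because the only way out
    of the literal is a quote character, and quotes are neutralised."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % escape_string(name)
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    """Unquoted numeric context: still injectable. '1 OR 1=1' contains no quote,
    so escaping leaves it untouched and the WHERE clause is rewritten."""
    sql = "SELECT id, name FROM users WHERE id = %s" % escape_string(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, user_id):
    """Bound parameter: the value is passed to the engine separately from the
    SQL text, so the same payload is compared as data and matches nothing."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def demo():
    """Run the three queries against attacker-controlled input and return the rows."""
    conn = connect()
    payload_string = "' OR 1=1 --"   # classic payload for a quoted context
    payload_numeric = "1 OR 1=1"     # nothing here for an escaper to escape
    results = {
        "name_escaped_attack": find_by_name_escaped(conn, payload_string),
        "id_escaped_attack": find_by_id_escaped(conn, payload_numeric),
        "id_param_attack": find_by_id_param(conn, payload_numeric),
        "id_param_legit": find_by_id_param(conn, "2"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-20s -> %r" % (label, rows))
```

The escaped name lookup returns nothing for the quoted payload, but the escaped id lookup returns every user for `1 OR 1=1`, and the bound-parameter version returns nothing for that same string. PHP's mysql_real_escape_string escapes NUL, newline, carriage return, backslash, single and double quotes and Ctrl-Z, none of which appear in `1 OR 1=1`, so a PHP query built the same way fails the same way; the fix is a prepared statement (mysqli or PDO), or at minimum casting to int before the value is interpolated.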

Sep 28

Ronald over at 0x000000.com recently posted something on his blog that made me stop and think for a minute. He says that many PHP programmers are nothing more than data entry monkeys who clack away at their keyboards without any sort of technical understanding of what it is they're doing. I can't say I completely disagree - for instance, a critical vulnerability I published almost a year ago still has not been patched by the software vendor. You know how long the fix is? It's one line. But you know what? Their solution is easier - just delete the offending file. I won't name any names, but if you do a little bit of digging you should be able to figure out who I'm talking about. I do think there are people who know what they are doing and try to improve themselves when they write code, but I also think Ronald has a very valid point - most people couldn't give a damn about security or efficiency; they just want to write their scripts and forget about them.

Sep 28

I've noticed a handful of websites recently that offer to save those burdensome passwords everyone hates in an easy-to-access online database. Do people really go for this? Does anyone anywhere think to themselves, "I hate saving all these passwords offline where only I have access to them - hey, here's an idea! I could save them online in (probably) unencrypted format with an almost surely hackable website 'securing' them!"? And people wonder why we have a problem with identity theft in this day and age?

Here's my thought at this point about how easy it is to fool someone into giving you their full information: give it a good layout with lots of happy-looking stock models and a domain name that sounds authentic; something like "911ronpaulobamaabortionintegritycolbert.com" ought to suffice. After that, it's easy as cake to convince the user that all their information will be safely secured online in your "hacker-proof" vault of information.

I'll be hiding in my fallout shelter if anyone needs me, I'm just waiting for the end of the world.

Sep 23

Everyone's been to a site that had great content, but it was either the default black on white or some other eyesore (green on red, yellow on blue, etc). If you have GreaseMonkey, you can easily style up these sites with JavaScript.
Example:

// ==UserScript==
// @name        Restyle site.com
// @include     http://site.com/*
// ==/UserScript==
// Override the page's colours and font. The @include pattern is matched
// against the full URL, so it needs the scheme, not just the host.
document.body.style.color = "#DAE4FC";           // light blue text
document.body.style.backgroundColor = "#000000"; // black background
document.body.style.fontFamily = "Verdana";

This example will change the background to black and the foreground to a light blue. If you want to use it, save it as a .user.js file, install it with GreaseMonkey, and your site of choice should look a lot prettier the next time you load it. There are many other things you can change; this is just a very simple example. For instance, you can style particular DIVs in the layout, links, etc. Never put up with ugly websites again! :)

Sep 21

Ever since I saw it, I knew I had to have an IronKey flash drive. Some features:

  • Fast 30 MB/s read, 20 MB/s write
  • Drive contents encrypted with AES CBC-Mode Encryption
  • Onboard IronKey Password-manager keeps all your internet passwords safe
  • Secure version of Firefox included that encrypts all your web-surfing traffic
  • Encased in a potted metal case, not plastic, making it one of the strongest USB keys around
  • Exceeds MIL-STD-810F military waterproofing standards
  • The encryption chip self-destructs if an invasive attack is detected
  • If your Ironkey is lost, you can restore from a secure backup to a new Ironkey in minutes
  • Dual-channel SLC NAND flash for quality and read/write speed

Anyone feeling generous? :D
