Comments

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:Why the distros? (112 comments)

Are you aware of any analysis as to the extent that is actually true, ie for distro X or Y which patches really have been backported and which are skipped?

Yes. For most CVEs, the major distributions do backport fixes. They don't however backport all security fixes.

For example, there was a bug in crypt's bcrypt implementation which would cause collisions for certain classes of passwords (specifically those with characters with high bits set). The fix in 5.3.6 was to add a check into the normal $2a$ implementation, and to add $2x$ (legacy) and $2y$ (proper implementation). So when using > 5.3.6, you can enforce proper behavior using the $2y$ prefix to crypt. CentOS backported this into their 5.3.3 version. Debian did not. So from a security standpoint, we now have a divergence between the two.

I wonder how much your "% of installs that are secure" statistic could be inaccurate due to most (I'd hope) sites that care even slightly about security suppressing the Apache header PHP version information.

Absolutely. The analysis is only as good as its data source. There are other people looking at other data sources (httparchive for one) to try to get more data for it. But ultimately I had to go with what I had.

I suppose there are also questions as to what "insecure" means in practice.

Well, perhaps insecure is an extremely misleading term in this context. Vulnerable would be better. Yes, an attack vector may not exist, but the vulnerability does. The reason this is important is that today you may not be using unserialize() on user input, but that doesn't say you won't tomorrow. The hole will exist, the vector would be what's created.

Check out my slight elaboration on this in this comment

about a month ago
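An added example (not the commenter's code) of the practical upshot of the $2a$/$2x$/$2y$ story above: probe what crypt() actually does rather than trusting PHP_VERSION, since a backported distro build and an unpatched one can report the same version. It assumes the openssl extension is present on PHP builds older than 7 (for the random_bytes() fallback).

```php
<?php
// Added example, not from the original comment: confirm the running crypt()
// implements the corrected $2y$ bcrypt before relying on it. Probing behaviour
// instead of PHP_VERSION matters because distros backport fixes unevenly
// (the CentOS vs Debian 5.3.3 divergence described above).

function bcryptPrefixSupported($prefix)
{
    // Any 22 chars from the bcrypt salt alphabet; cost 04 keeps the probe cheap.
    $probe = crypt('probe', $prefix . '04$abcdefghijklmnopqrstuv');
    // An unknown scheme yields a short failure marker ('*0' or '*1'), never a
    // 60-character hash that echoes the requested prefix back.
    return strlen($probe) === 60 && strpos($probe, $prefix) === 0;
}

function hashPassword($password, $cost = 10)
{
    if (!bcryptPrefixSupported('$2y$')) {
        // On an unpatched build $2a$ can collide for passwords containing
        // 8-bit characters, so fail loudly rather than emit a weak hash.
        throw new RuntimeException(
            'crypt() lacks the corrected $2y$ bcrypt; upgrade PHP or use a patched distro package'
        );
    }
    // random_bytes() is PHP 7+; assume the openssl extension on older builds.
    $raw = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    // 16 random bytes -> 24 base64 chars; bcrypt wants 22 chars of [./A-Za-z0-9].
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return crypt($password, '$2y$' . sprintf('%02d', $cost) . '$' . $salt);
}

function verifyPassword($password, $hash)
{
    $candidate = crypt($password, $hash);
    // hash_equals() exists from PHP 5.6; fall back to a plain comparison before that.
    return function_exists('hash_equals')
        ? hash_equals($hash, $candidate)
        : $candidate === $hash;
}

// Constructed demo input: UTF-8 bytes with the high bit set, the class of
// password the original bug affected.
$password = "p\xC3\xA4ssw\xC3\xB6rd";
$hash = hashPassword($password);
var_dump(verifyPassword($password, $hash));
var_dump(bcryptPrefixSupported('$2x$'));
```

On an unpatched build the first call throws instead of producing a $2a$ hash, which is the behaviour you want a deployment check to surface.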

Over 78% of All PHP Installs Are Insecure

ircmaxell Re: 5.3.10? (112 comments)

The 5.3 branch is end-of-life. Meaning that the latest release (5.3.29) has known vulnerabilities that weren't fixed. Therefore, it's not secure.

5.3.10 is listed as secure by the post because that version is supported by Ubuntu 12.04...

about a month ago

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:Bogosity (112 comments)

There's a difference between a vulnerability and an attack vector. Even if it's not exploitable, the vulnerability still exists.

However, I would like to make a point. How many of these installs made a conscious decision by investigating the security fixes and balancing that against their codebase to see if it's exploitable or not? I'd wager that the number is so small as to not even register.

Besides, I think a variant of Schneier's law applies:

"any person can invent a security system so clever that she or he can't think of how to break it."

The same thing applies to vulnerabilities: If you can't think of a way to exploit it, that doesn't mean it isn't exploitable.

So yes, it is an over-statement. But it's also showing quite clearly how updates are being dealt with. And that was the precise point of the original post. If it gets people to think about upgrading more, then awesome. If not, nothing lost.

about a month ago

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:Bogosity (112 comments)

I mean, come on: 82.27% of perl installs are secure? 77.59% of python installs? Get real.

No. 82.27% of all PERL installs have no known vulnerabilities in PERL itself.

This isn't to say the code on top is secure. And it isn't saying that it's exploitable. Just whether known vulnerabilities in the platform itself exist.

about a month ago

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:Why the distros? (112 comments)

The point most people make when you talk about running old versions is that "well, distributions backport security fixes, so 5.3.3 is secure on distro XYZ".

So, to get around that, I looked at the popular distros' versions that they maintain. Then I counted *all* of those point versions as secure (over-counting). So 5.3.3 is insecure as distributed by php.net, but as installed by Debian 6 it is secure.

So therefore to get an upper bound (rather than lower bound) on secure versions, you need some way of factoring in for distro support.

So I picked the most popular distros for server usage. Is this hand-waving? Absolutely. But it should give a pretty reasonable upper-bound.

about a month ago

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:PHP (112 comments)

Ummm... No. WordPress was first written in PHP3. Before it was even called "register globals". Back when that was just how you did things.

about a month ago

Over 78% of All PHP Installs Are Insecure

ircmaxell Re:ircmaxell (112 comments)

Thank you for the kind words :-)

about a month ago

New Largest Known Prime Number: 2^57,885,161-1

ircmaxell Re:Uhhh... (254 comments)

Definitely not true:

110

That has 2 1s, which is prime (2 is prime), but 6 definitely is NOT prime...

Likewise,

1001

That has 2 1s, which is prime, but 9 definitely is NOT prime...

about 2 years ago

Barack Obama Retains US Presidency

ircmaxell Re:Looks like ACA (Obamacare) is with us to stay. (1576 comments)

Have you actually read the bill? Because I find it REALLY hard to believe that anyone who actually has would say that it does anything about the health care problems the USA has. It's not a health care bill. It's a health insurance bill. One which does nothing to solve the existing problems that health care has (abuse, ridiculous spiraling costs, ridiculous GOVERNMENT regulations - aka Medicare's rules, etc). Not to mention fraud or malpractice abuse (false malpractice cases, which drive up costs significantly)...

Does that make it useless? No, absolutely not. But it does nothing for the healthcare problems that we face. All it does is put a band-aid on a gunshot wound. A band-aid that costs how many billion dollars per year (that we're already over-budget by)?

more than 2 years ago

Ask Slashdot: How To Avoid Working With Awful Legacy Code?

ircmaxell Re:any questions? (360 comments)

Actually, this touches on an interesting point.

Everyone thinks that high turnover is a bad sign. And it is. But very few people think of what extremely low turnover means.

If a company has 40% turnover each year, that's a sign that something's wrong in the organization. There's a reason that people are leaving so quickly. If the average tenure is only 14 months, that's not a good sign. But on the flip side, it could be that same 40% that keeps turning over. Imagine that they have a small team, and are trying to grow it. High turnover in the growth area could mean that they just haven't found the right fit. (in this case, the average tenure could be 3 or 4 years, even though the turnover appears so high). That could indicate the quality of applicants, or that their interviewing process sucks. So turnover by itself is hard to understand. But turnover with average tenure tells a more complete picture.

Now, if turnover is under 1%, that could also be a scary sign. It could indicate that employees are never growing. That they are stagnating in their position and can't move on because their skills have gone rusty. That could also be a huge negative.

I personally look for moderate turnover. Somewhere between 5% and 20%. Signs that there's some new blood in the team, keeping complacency in check. It also may indicate that people are actually growing in their positions. Which is an awesome thing to look for.

So turnover by itself is a useless metric. It may indicate towards a good or bad thing. But the more important factor is not what the turnover is, but why it is what it is. Unfortunately, that's not something that's usually going to be easy to understand in an interview. But luckily, it should be pretty clear in the first few weeks of employment...

more than 2 years ago

Nissan Develops Emergency Auto-Steering System

ircmaxell Re:recipie for disaster (391 comments)

Yes

Basically, it used one valve body with two separate chambers (one for each system). However, the main valve cover covered both chambers. So when the cover's seal blew, both were compromised. Granted, it's an edge case. But it did happen to me...

more than 2 years ago

Nissan Develops Emergency Auto-Steering System

ircmaxell Re:recipie for disaster (391 comments)

The only common points of failure are the pedal assembly (designed fail-safe, by the way) and the master cylinder

And the ABS valve body assembly. Which I had go catastrophically on a 1994 Chevy Blazer. In that case, the only brakes I did have were the parking brake cable assembly.

The more complicated vehicles become, the more failure modes are possible...

more than 2 years ago

Accountability, Not Code Quality, Makes iOS Safer Than Android

ircmaxell Re:You have to be kidding (210 comments)

This. Very much this.

This article is pure FUD. Plain and simple.

Malware, by its very definition is:

Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent.

Android requires that you give consent, since it tells you what permissions the application needs prior to installing it. So by very definition, these data leakages on Android are not malware. The user said it was ok for that application to collect that data.

more than 2 years ago

Are Brain Teasers Good Hiring Criteria?

ircmaxell Re:My thoughts and reply (672 comments)

Actually, that's my definition of a good team player. That's one reason we work as a team (to spot each other's mistakes, and help prevent them in the final product). Have you ever heard of Pair Programming?

about 3 years ago

Are Brain Teasers Good Hiring Criteria?

ircmaxell Re:My thoughts and reply (672 comments)

I think you missed the point, or at least read something in that wasn't there. What does knowing how a person will act have to do with wanting them to be that way?

about 3 years ago

Are Brain Teasers Good Hiring Criteria?

ircmaxell Re:My thoughts and reply (672 comments)

Absolutely. But do they let that panic take over their thoughts? Or do they push that down and try to approach it rationally? In that 5 minute puzzle I can get insight. Sure, I won't know the full story on the person, but that would take years of knowing them to get. So in the span and constraints of an interview, I find it to be absolutely worthwhile...

about 3 years ago

Are Brain Teasers Good Hiring Criteria?

ircmaxell My thoughts and reply (672 comments)

I actually wrote a blog post on this very subject this morning (I pushed up the publishing when I saw this). The post

In short, I disagree. I find brain teasers invaluable. But not in determining skill, but in determining personality and how a candidate behaves when they are faced with a challenge that they aren't familiar with...

about 3 years ago

Senators Recommend FTC Perform Antitrust Investigation Of Google

ircmaxell Re:It's Not Illegal (315 comments)

Look at the line below it. I said if you search for those names by itself (I skipped email, but I got the rest) Google is on top. Then again, those are the product names. And searching them on Bing produces strikingly similar results (email has gmail #3, calendar #4, news #5).

In fact, those three searches on Bing have Yahoo as either #1 or #2. So who's to say that what we are seeing is Google altering the results? Could it be that MS is altering the results so their partner is higher? I'm not accusing MS here. I'm just pointing out that just because something comes up #1 or #2 doesn't mean that it's malevolent.

In fact, let's try those searches on Ask.com:

Email - Google #1, Yahoo #2

Calendar - Google #1, Yahoo #5

News - Google #2, Yahoo #4

So 2 out of the 3 main search engines (Google, Bing and Ask) put Google above Yahoo. Yet the one that has an agreement with Yahoo puts it higher. While I completely understand your point, a cursory look at evidence looks to point exactly the opposite...

more than 3 years ago

Senators Recommend FTC Perform Antitrust Investigation Of Google

ircmaxell Re:It's Not Illegal (315 comments)

That's a very good point. I didn't disagree with the investigation in principle. I was just pointing out that the traditional metrics, and the ones indicated by the post, are rather iffy...

If other search companies cannot compete because of Google's dominance of either or both ads and searching, that is also anti-competitive.

I would just like to point something out here. If other companies can't compete because Google is really good at search, that's not anti-competitive (in fact, it's the exact opposite). So the simple assertion that other companies can't compete isn't enough to bury Google. What they need to prove/find is that Google leveraged its position unfairly to keep competition out. An example of that would be if Google required advertisers to sign an exclusivity deal (or gave incentives to do so) which would then unfairly keep competition out (hint: they haven't, although MS and Apple both do). Another example would be if Google used its dominance in search to promote its other products (by artificially raising their search ranking, or artificially lowering competitors'), of which my OP is evidence to the contrary.

The key is that other companies not being able to compete does not make Google in violation of anything. It can be just free market pressure that does that (because Google has the "best" product, or whatever reason). But if they are unfairly leveraging their position in one area into other areas, that's where it becomes a dangerous problem...

more than 3 years ago

Submissions

ircmaxell hasn't submitted any stories.

Journals

ircmaxell has no journal entries.
