All posts by onlyconnect

WordPress hacked: where do we go from here?

WordPress founder Matt Mullenweg reports the bad news:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

This is truly painful and highlights the inherent risk of frequent patching. I haven’t seen any estimates of how many websites installed the hacked code, but I’d guess it is in the thousands; the number of WordPress blogs out there is in the hundreds of thousands. Ironically it is the most conscientiously administered installations that have been at risk. Personally I’d glanced at the 2.1.1 release when it was announced, noted that it did not mention any critical security fixes, and decided to postpone the update for a few days. I’m glad I did.

Keeping up-to-date with the latest patches is risky because the patches themselves may be broken or, as in this case, tampered with. On the other hand, not patching means exposure to known security flaws. There’s no safe way here, other than perhaps multi-layered security. All the main operating systems – Windows, OS X, Linux distributions – have automatic or semi-automatic patching systems in place. Applications do this as well. We have to trust in the security of the source servers and the process by which they are updated.

Having said that, there are a few things which can be done to reduce the risk. One is code signing. Have a look at the Apache download site – note the PGP and MD5 links to the right of each download. These let you verify that the download has not been tampered with. Why doesn’t WordPress sign its downloads?*

Next question, of course, is how WordPress allowed its site to be hacked. Was it through one of the other known insecurities in the WordPress code, perhaps?

I’m also reminded of recent comments by Rasmus Lerdorf on how PHP does not spoonfeed security. There is a ton of insecure PHP code around; it’s an obvious target for hackers in search of web servers to host their content or send out spam.

*Update: See Mullenweg’s comment to this post. I looked at the download page which does not show the MD5 checksums. If you look at the release archive you can see MD5 links. Apologies. Having said that, why couldn’t the cracker just update the MD5 checksum as well? This is mainly a check for corrupt rather than hacked files. The PGP key used by Apache is better in that it links to the public key of the Apache developers. See here for an explanation.
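To make the code-signing point above and the update’s question concrete (why a cracker who controls the download server can simply regenerate the MD5 link, while a signature under a key that never sits on that server cannot be regenerated), here is an added example; it is not WordPress or Apache code. The release bytes are a constructed stand-in, and the signature step uses an HMAC under a key the verifier already holds as a labelled stand-in for a PGP public-key signature, since that is the property being illustrated.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed stand-in for a release archive; not the real WordPress 2.1.1 files.
GENUINE_RELEASE = b"<?php\n// release 2.1.1 (constructed sample)\n"
# The copy a cracker serves in its place: the same archive with one line added.
TAMPERED_RELEASE = GENUINE_RELEASE + b"// line injected on the download server (constructed)\n"


def md5_hex(data: bytes) -> str:
    """MD5 of the download, as published by an .md5 link beside it."""
    return hashlib.md5(data).hexdigest()


def checksum_matches(data: bytes, published_md5: str) -> bool:
    return hmac.compare_digest(md5_hex(data), published_md5.lower())


def checksum_from_same_server_detects_tampering() -> bool:
    # The cracker controls the download server, so the .md5 link is simply
    # regenerated for the tampered archive: the check passes and tells the
    # downloader nothing.
    published = md5_hex(TAMPERED_RELEASE)
    return not checksum_matches(TAMPERED_RELEASE, published)   # False


# A checksum obtained through a channel the cracker does not control
# (a release announcement mail, an independent mirror) still catches it.
PINNED_MD5 = md5_hex(GENUINE_RELEASE)


def out_of_band_checksum_detects_tampering() -> bool:
    return not checksum_matches(TAMPERED_RELEASE, PINNED_MD5)   # True


# A detached signature. A PGP signature is a public-key signature checked with
# the developers' public key fetched out of band; here an HMAC under a key that
# never sits on the download server stands in for it (assumption: the verifier
# holds SIGNING_KEY the way it would hold the developers' public key).
SIGNING_KEY = secrets.token_bytes(32)


def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def verify_signature(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


def signature_detects_tampering() -> Tuple[bool, bool]:
    genuine_sig = sign(GENUINE_RELEASE)
    # The cracker can replace the archive and the signature file next to it,
    # but without SIGNING_KEY the best they can do is sign with a key of their own.
    forged_sig = hmac.new(secrets.token_bytes(32), TAMPERED_RELEASE, hashlib.sha256).hexdigest()
    return (verify_signature(GENUINE_RELEASE, genuine_sig),
            verify_signature(TAMPERED_RELEASE, forged_sig))   # (True, False)


if __name__ == "__main__":
    print("same-server MD5 detects tampering:", checksum_from_same_server_detects_tampering())
    print("out-of-band MD5 detects tampering:", out_of_band_checksum_detects_tampering())
    print("signature (genuine accepted, forged rejected):", signature_detects_tampering())
```

The three functions correspond to the three situations in the post: a checksum hosted beside the download only detects corruption, a checksum pinned from elsewhere detects substitution, and a signature detects substitution without the downloader needing any prior knowledge of the file itself, only of the signing key.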

Perhaps this is a good moment to add that the reaction of the WordPress folk has been impeccable in my view. They’ve acknowledged the problem, fixed it promptly, and are taking steps to prevent a repeat. Nobody should lose confidence in WordPress because of this.



Jitters about Adobe becoming “Microsoft of the web”

Ted Leung is bothered about Adobe becoming too successful with its Flash/Flex/Apollo technology:

Flash has a great cross platform story. One runtime, any platform. Penetration of the Flash Player is basically the same as penetration of browsers capable of supporting big AJAX apps. There are nice development tools. This is highly appealing.

What is not appealing is going back to a technology which is single sourced and controlled by a single vendor. If web applications liberated us from the domination of a single company on the desktop, why would we be eager to be dominated by a different company on the web?

These are valid concerns though arguably premature – we’ve not seen widespread adoption of Flex yet, let alone Apollo, which is not yet released. But is Adobe’s potential monopoly as dangerous as what we’ve seen on the desktop? My instinct is that it is not, though I don’t pretend to have thought through all the implications, and I don’t like those proprietary Adobe protocols like Action Media Format (AMF) and Real Time Messaging Protocol (RTMP). I also think it will be healthy for the industry if Microsoft gains some momentum with WPF and WPF/E, and if Java stays alive as a client-side platform, simply because competition is our best protection against vendor greed. And as Leung notes, there is also Open Laszlo.



Google can’t count

CodeGear’s Anders Ohlsson is excited because Google shows over half a million hits for “Delphi for PHP”. Even with the quotes.

I get the same results. More, in fact. Google says 654,000 hits.

Now try reading them. I get to page 35, then the hits come to a halt. There are 10 hits per page so that makes, hmmm, 350 hits. A bit less exciting. Let’s be honest, a lot less exciting. The real figure is probably a little higher, but not by half a million.

I do get this line (we’ve all seen it before):

In order to show you the most relevant results, we have omitted some entries very similar to the 341 already displayed. If you like, you can repeat the search with the omitted results included.

Trying the “complete” search does get more results, but they are just as repetitive as Google warns. Google appears to limit results to 1000 hits, so there is no obvious way to find out where the other alleged 653,000 hits can be found.

Microsoft’s Live Search says 24,473 results, but the trail runs out on page 80. That’s 800. So Microsoft Live Search can’t count either.

Yahoo says 322,000, but like Google can only show 1000 of them. I remain sceptical about the missing 321,000.

I’ve noticed this before. Certain phrases trigger huge numbers of alleged hits, but they vanish if you try to view them. Others seem to work fine. Perhaps someone more knowledgeable about the inner workings of search engines can explain why. It appears to be an unreliable measure.



Who’s coding the Linux OS?

LWN.net has an article (subscriber only until March 1st) on who wrote the current release of the Linux kernel, 2.6.20. The author analyzes the code repository to see who submitted changes and what company they work for. Here are the conclusions:

The end result of all this is that a number of the widely-expressed opinions about kernel development turn out to be true. There really are thousands of developers – at least, almost 2,000 who put in at least one patch over the course of the last year. Linus Torvalds is directly responsible for a very small portion of the code which makes it into the kernel. Contemporary kernel development is spread out among a broad group of people, most of whom are paid for the work they do. Overall, the picture is of a broad-based and well-supported development community.

The top contributing companies are:

Unknown: 19%
Red Hat: 12.8%
None: 11.0%
IBM: 7.3%

Other stats that caught my eye: Novell with 3.4%, Intel 3.4%, Sony with 2.4%, Nokia 1.6%.

The figures should not be relied on too much (note the large “Unknown” category) but it is still interesting. Contrary to a myth still sometimes peddled, Linux is not primarily the work of hobbyists in back bedrooms or students pulling all-nighters; but nor is it wholly taken over by the usual commercial suspects. I think these are healthy indicators.

Don Dodge has more extracts and commentary.



Can CodeGear make sense of PHP development on Windows?

I had a chat with CodeGear’s David Intersimone and Jason Vokes about Delphi for PHP, following which I wrote a short article for The Register.

I do have reservations about the CodeGear product, though I’ve not seen it yet. My main concerns are first, that CodeGear will find it difficult to work alongside PHP’s open source community; second, that Delphi for PHP will have an unexciting feature set in its first release; and third, that over-reliance on data-binding frameworks may get in the way of lean, fast PHP development. I am not a great enthusiast for data binding, which can all too easily be inefficient, hard to debug, and restrictive in terms of database drivers. I also think the name is silly, and that long-term it makes no sense for Delphi for PHP to have its own IDE, as opposed to using Borland Developer Studio or Eclipse.

Drag-and-drop form building is hardly an exciting feature these days. I’m more interested in aspects like how easily developers and designers can collaborate, or how the IDE helps developers create secure applications, profile performance, or refactor existing spaghetti PHP into something resembling a well-structured application.

Then again, PHP is poorly served by IDEs right now, so there must be an opportunity here. One of the reasons is that setting up to test and debug PHP on Windows is awkward, posing a problem for those who develop on Windows but deploy to Linux web servers. It is an ugly mismatch. Will you use Apache on Windows, or try to get IIS working well with PHP? Presumably you want MySQL as well? Or perhaps run one of those combined installers like XAMPP and hope that that all this stuff is being installed in a secure manner and won’t break IIS, ASP.NET, or anything else.

This is before you start thinking about the IDE. Will it be the Zend/Eclipse PHP Development Tools? Or the less official PHPEclipse? Something else? And not forgetting Dreamweaver, which is great for designers but less good for code unless you are happy with the built-in wizards.

It appears that folk often run into difficulties simply getting debugging working sensibly in their PHP setups.

Delphi for PHP will not necessarily be any better. In the past, Borland has not been shy about installing lots of miscellaneous bits onto your system unless you are careful what you click; it may be no different from XAMPP. Yet if it can pull off a smooth installation with a half-decent PHP editor, smooth debugging, and no conflict with our existing Visual Studio / ASP.NET / IIS setups, then that alone will make it a worthwhile proposition.


Got Paint.NET?

I am late with this; Paint.NET 3.0 was released at the end of last month. It deserves more publicity, since it is of high quality. If you have .NET Framework 2.0, download it here.

The application is fine for general use; I may switch to it from my old favourite Paint Shop Pro, for trimming and touching up screen captures. One feature I like is the way it handles multiple documents. A thumbnail of each open document appears at top right, in a fat toolbar; click a thumbnail to switch to that document.

Paint.NET is particularly interesting for developers. It is written in C#, and started out as a design project; as I understand it, one of the intentions was to discover whether Microsoft’s .NET Framework was up to the task, given that image applications do a lot of intensive number-crunching. Most of the code is C# but not quite all. There is a shell extension written in C++ and some use of PInvoke and COM interop. I get the impression that the chief developer Rick Brewster is now more interested in creating an excellent application than in proving a point about .NET.

One point of interest is the use of multi-threading for optimized performance on multicore processors. Brewster has recently posted his performance tests on various processors from two to eight cores:

The 8-core system is frightfully fast, and it’s very clear that having rendering code optimized for multiple threads is a big win. However, I will be honest and state that the performance scaling is not at the level I was hoping for: we’re already seeing diminishing returns at this point! In general, I am seeing gains of about 3.0x on a quad-core system, and 5.1x on an 8-core system (compared to running with only 1 thread). Unfortunately, I do not have an 8-core Opteron system to compare against which might provide some more meaty information to chew on (does it scale better? worse?).

I take his point, though a 5.1x gain on an 8-core system strikes me as decent. I recommend downloading the source code and taking a look; it is well commented and has workarounds for various System.Windows.Forms annoyances. Before you ask the obvious question, Brewster recently commented in the Paint.NET forum that he has not yet looked at WPF (Windows Presentation Foundation).



Peeking into Vista’s virtual store

In the user data area in Vista is a virtual store. Find it at:

C:\Users\[USERNAME]\AppData\Local\VirtualStore\

It is worth having a peek now and again. Here’s part of mine:

The Virtual Store is a feature of User Account Control, the centerpiece of Vista’s enhanced security. Applications that try to write to protected system locations, including Program Files, Windows, and HKEY_LOCAL_MACHINE in the registry, are prevented from doing so. Instead, a compatibility feature kicks in, and these applications write to a location in your home directory. Registry entries are written to a special area in HKEY_CURRENT_USER. The application mostly won’t know the difference, though there are limitations and you can get strange results. For example, if an application deletes a file from the virtual store when a file of the same name exists in the real location, the delete appears to succeed but the file still exists. Virtualization also fails (by design) if the application is run under another user account, or using Run As Administrator. The files written to the first user’s virtual store are invisible to these other users.

Virtualization is a stop-gap measure. Well-behaved applications should not write to these locations except when first installed, or for maintenance, both of which are administrative tasks. So the Virtual Store is a hall of shame. Microsoft features heavily in mine; we can just about forgive the appearance of the beta Expression tools, but Visual Foxpro 9.0? Adobe’s Flex Builder 2 is another disappointment. In most cases there are only one or two files, so we are not talking about major design issues, but they still need fixing.

If you are developing software, it is worth checking your virtual store in case stuff is slipping through. Note that you must have UAC enabled, and not be using Run As Administrator, since either of these settings will prevent the virtual store being used.


Annoying Word 2007 problem: can’t select text

I run Word 2007 on Vista. Today I hit a curious problem. Word opened, but something was badly wrong. I could not select text with the mouse. The document scroll bar did not work. Word crashed on exit. And going into Options – Addins, I could not navigate beyond the “Popular” section.

After several crashes an Office Diagnostics wizard popped up and offered to help. Kind of it. It chugged through numerous tests and finally told me it could not see anything wrong. Never mind.

Checking the newsgroups, I found fellow-sufferers but no solution. I decided to be methodical. I started Word in safe mode (winword /a). It worked. Probably an add-in. I went to the COM add-ins and tried to disable them. Message: “The connected state of Office add-ins registered in HKEY_LOCAL_MACHINE cannot be changed”. OK, registry then. Navigated to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins

Found three add-ins listed. I changed the value of the LoadBehavior key from 3 to 0 for each add-in.

Word now worked OK, but still crashed on closing. I found I could restore two of the add-ins without problems. The guilty party: OfficePrintAddIn, a component of Flash Paper.

I had a look at active templates. There was one called FlashPaperWordUITemplate.2302.dot. If I tried to unload it, Word crashed. Perhaps it needs the related COM add-in to be loaded. I closed Word, found the template file, and deleted it. Everything is fine now.

A quicker route might be to uninstall Macromedia Flash Paper, unless you use this of course.

I’m still puzzled about why this problem only showed up today. I’d not made any changes to Flash Paper or Word that I’m aware of. And I don’t blame Macromedia (now Adobe) for this; Word 2007 did not exist when this Flash add-in was released.

Posted in the hope that it saves someone else some time.



How secure is OpenID?

Everybody is talking about OpenID. Big players are adopting it. But should you trust it for things that matter – financial transactions, for example?

Here’s an important post from Microsoft’s identity architect Kim Cameron:

So let’s think about this.  Where is the root of trust?  In conventional systems like PKI or SAML or Kerberos, the root of trust is the identity provider.  I trust the identity provider to say something about the subject.  How do I know I’m hearing from the legitimate identity provider?  I have some kind of cryptographic key.  The relevant key distribution has a cost – such as that involved in obtaining or issuing public key certificates, or registering with a Key Distribution Center.

But in OpenID, the root of trust is the OpenID URL itself.  What you see is what you get.  In the example above, I trust Francis’ web page since it represents his thinking and is under his control.  His web page delegates to his OpenID identity provider (OP) through the link mechanism in (5).  Because of that, I trust his identity provider to speak on behalf of his web page.  How do I know I am looking at his web page or talking to his identity provider?  By calling them up on DNS.

I’m delving into the details here because I think this is what gives OpenID its legs.  It is as strong, and as weak, as DNS.  In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.

And here’s Cameron’s conclusion:

OpenID cannot replace crypto-based approaches in which there are trusted authorities rather than trusted web pages.  But it can add a whole new dimension, and bring the “long tail” of web sites into the identity fabric.

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note though that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.
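The “SSL at every stage” rule above is easy to get wrong, because a relying party typically fetches the claimed URL, reads the delegation links on that page, and then talks to the provider those links name; any one of those hops over plain http is a hop that DNS alone protects. The following added example (not from any OpenID library) shows a relying-party-side check that walks that chain and refuses it unless every URL is https. The identity pages and hostnames are constructed, and the link tag names assumed are the OpenID 1.1 openid.server / openid.delegate pair, with the OpenID 2.0 openid2.provider / openid2.local_id names accepted as well.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed identity pages for a hypothetical user; hostnames are placeholders.
IDENTITY_PAGE_ALL_HTTPS = """<html><head>
<link rel="openid.server" href="https://op.example.test/server">
<link rel="openid.delegate" href="https://op.example.test/user/francis">
</head><body>Francis</body></html>"""

# Same page, but the provider endpoint is delegated over plain http.
IDENTITY_PAGE_MIXED = """<html><head>
<link rel="openid.server" href="http://op.example.test/server">
<link rel="openid.delegate" href="https://op.example.test/user/francis">
</head><body>Francis</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect href values of <link rel="openid..."> tags; rel may hold several tokens."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        for token in (a.get("rel") or "").lower().split():
            if href and token.startswith("openid"):
                self.links[token] = href


def is_https(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def check_openid_chain(claimed_url: str, identity_page_html: str) -> Tuple[bool, List[str]]:
    """Require https for the claimed URL, the provider endpoint and any delegated identifier.

    This inspects the scheme of each hop only. The HTTP client that fetches the
    page and contacts the provider must also verify the server certificate
    (for example urllib with ssl.create_default_context()); without that,
    insisting on https: in the URL buys nothing.
    """
    problems: List[str] = []
    if not is_https(claimed_url):
        problems.append(f"claimed identifier is not https: {claimed_url}")

    parser = OpenIDLinkParser()
    parser.feed(identity_page_html)

    provider = parser.links.get("openid.server") or parser.links.get("openid2.provider")
    if provider is None:
        problems.append("identity page has no OpenID provider link")
    elif not is_https(provider):
        problems.append(f"provider endpoint is not https: {provider}")

    delegate = parser.links.get("openid.delegate") or parser.links.get("openid2.local_id")
    if delegate is not None and not is_https(delegate):
        problems.append(f"delegated identifier is not https: {delegate}")

    return (not problems, problems)


if __name__ == "__main__":
    for name, page in (("all-https", IDENTITY_PAGE_ALL_HTTPS), ("mixed", IDENTITY_PAGE_MIXED)):
        ok, problems = check_openid_chain("https://francis.example.test/", page)
        print(name, "accepted" if ok else "rejected", problems)
```

A relying party would run this against the page it actually fetched before redirecting the user to the provider; the mixed page is rejected even though the user’s own URL was https, which is exactly the delegation case the post warns about.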

Another idea is to use an OpenID for non-critical logins, however you define those.

Note that this issue is different from the phishing risk, for which CardSpace strikes me as a good solution.


Rasmus Lerdorf on security, hormones and PHP

PHP inventor Rasmus Lerdorf spoke yesterday at the Future of Web Apps conference in London. It was the highlight of the conference: at once funny, insightful, techie and thought-provoking.

“I had no intention of writing a language”, he told us. “I hate programming with a passion. It’s boring. It’s tedious. It’s hard. I love solving problems. You endure the pain to get to the end destination.”

In case there are any non-geeks reading, I should explain that PHP is the most popular server-side programming language on the Web. This blog is driven by a PHP application called WordPress. PHP is also free, and one of the big successes of open source.

Lerdorf related the history of PHP, which originally stood for “Personal Home Page tools”. They were little scripts he wrote for his own home page, “my own little hack to reuse the C code I had written”. He then shared his work with friends. He showed us some code samples. Here is PHP in 1994:

<!--getenv HTTP_USER_AGENT--> 
<!--ifsubstr $exec_result Mozilla--> 
Hey, you are using Netscape!<p> 
<!--endif-->

By 1995 PHP looked more like what we would recognize as PHP. By 2007 it has sprouted all sorts of modern object-oriented features, and Lerdorf noted that while he understood the importance of these, it has somewhat moved away from its original intent as a quick and dirty tool.

Lerdorf made PHP a completely open source project in 1997. He was fed up with maintaining scripts for other people and realised that he could not do it alone. “No one person can possibly learn 20 different database APIs”. So he contacted all the people who had made suggestions to him, gave them access to PHP’s source on CVS (a source code management system), and relinquished control.

This was the lead-in to some reflections on why people bother to contribute to open source software. Lerdorf gives 4 reasons:

  1. Self-interest
  2. Self-expression
  3. Hormones
  4. Improve the world

The last of these is, in his view, the least important. But why hormones? His theory is that open source is one way geeks get human interaction, despite preferring keyboards and screens to going out and meeting people. It follows that factors like recognition (within their circle) and a sense of ownership are critical to successful open source projects, or even to any form of user-generated content. “You have to think about how people feel about themselves”, says Lerdorf. In fact, his comments chimed nicely with what Kevin Rose said about Digg.

Performance and security

Next, Lerdorf addressed the two major hurdles facing web applications. He is a strong believer in performance as a feature. “Unless you can make it work, there’s no point.” He dived into a couple of profiling tools to make his point, showing how to identify bottlenecks in PHP applications.

Security on the web is awful – I fully take the blame

Then security. “Security on the web today is awful. I know a lot of people blame PHP for that … I fully take the blame for some of it, but not all of it.”

What could he have done? Well, PHP does not spoonfeed security; Microsoft’s ASP.NET is actually better in that respect (my comment, not his). It could be more secure by design. On the other hand, as Lerdorf notes, “there was no such thing as cross-site scripting in 1995”. He gave us a great explanation of how cross-site scripting works; it is not the easiest thing to explain. PHP 5.2 has a new filter function for making user-input safe.

How to be safe on the web? “You can never click on a link. Sorry. Unless you understand everything in that link, and some of them are huge. You can never be sure that it is safe….most people are really easy to trick.”

Finally, Lerdorf gave us a few general comments on future directions, the possibilities opened up by geocoding in Flickr, for example. He says don’t make new portals, “We have enough portals out there.” Use the APIs published by major sites, and finally – make it fast.
