Category Archives: internet

WordPress hacked: where do we go from here?

WordPress founder Matt Mullenweg reports the bad news:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

This is truly painful and highlights the inherent risk of frequent patching. I haven’t seen any estimates of how many websites installed the hacked code, but I’d guess it is in the thousands; the number of WordPress blogs out there is in the hundreds of thousands. Ironically it is the most conscientiously administered installations that have been at risk. Personally I’d glanced at the 2.1.1 release when it was announced, noted that it did not mention any critical security fixes, and decided to postpone the update for a few days. I’m glad I did.

Keeping up-to-date with the latest patches is risky because the patches themselves may be broken or, as in this case, tampered with. On the other hand, not patching means exposure to known security flaws. There’s no safe way here, other than perhaps multi-layered security. All the main operating systems – Windows, OS X, Linux distributions – have automatic or semi-automatic patching systems in place. Applications do this as well. We have to trust in the security of the source servers and the process by which they are updated.

Having said that, there are a few things which can be done to reduce the risk. One is code signing. Have a look at the Apache download site – note the PGP and MD5 links to the right of each download. These let you verify that the download has not been tampered with. Why doesn’t WordPress sign its downloads?*

Next question, of course, is how WordPress allowed its site to be hacked. Was it through one of the other known insecurities in the WordPress code, perhaps?

I’m also reminded of recent comments by Rasmus Lerdorf on how PHP does not spoonfeed security. There is a ton of insecure PHP code around; it’s an obvious target for hackers in search of web servers to host their content or send out spam.

*Update: See Mullenweg’s comment to this post. I looked at the download page which does not show the MD5 checksums. If you look at the release archive you can see MD5 links. Apologies. Having said that, why couldn’t the cracker just update the MD5 checksum as well? This is mainly a check for corrupt rather than hacked files. The PGP key used by Apache is better in that it links to the public key of the Apache developers. See here for an explanation.
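To make the checksum-versus-signature point concrete, here is an added example (not code from the post, WordPress or Apache) in Go. It models a download server serving an archive with a published MD5 and a detached signature; Ed25519 stands in for PGP, and the archive contents, the altered copy and the key pair are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download server hands out: the archive plus the
// published .md5 checksum and a detached signature (an .asc file in PGP
// terms; Ed25519 stands in for PGP here).
type Release struct {
	Archive   []byte
	MD5       string
	Signature []byte
}

// Outcome records what each check says about one download.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// MD5Hex is the value an .md5 link publishes beside a download.
func MD5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// Publish builds a genuine release signed with the maintainers' key.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{Archive: archive, MD5: MD5Hex(archive), Signature: ed25519.Sign(priv, archive)}
}

// Tamper models a cracker with write access to the download server: the
// archive is altered and the .md5 file simply regenerated to match. The
// signature cannot be regenerated without the maintainers' private key,
// so the old one is left in place.
func Tamper(r Release, modified []byte) Release {
	return Release{Archive: modified, MD5: MD5Hex(modified), Signature: r.Signature}
}

// Verify runs both checks. The checksum only proves the file matches what
// the server currently says; the signature proves it matches what the
// maintainers actually released.
func Verify(maintainerPub ed25519.PublicKey, r Release) Outcome {
	return Outcome{
		ChecksumOK:  MD5Hex(r.Archive) == r.MD5,
		SignatureOK: ed25519.Verify(maintainerPub, r.Archive, r.Signature),
	}
}

// Scenario plays out the situation described in the post and returns the
// outcomes for the genuine download and for the tampered one.
func Scenario() (genuine, tampered Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the release tarball and the altered copy.
	clean := []byte("wordpress-2.1.1.tar.gz contents (constructed)")
	altered := append(append([]byte{}, clean...), []byte(" plus injected bytes")...)
	rel := Publish(priv, clean)
	return Verify(pub, rel), Verify(pub, Tamper(rel, altered))
}

func main() {
	g, t := Scenario()
	fmt.Printf("genuine:  checksum=%v signature=%v\n", g.ChecksumOK, g.SignatureOK)
	fmt.Printf("tampered: checksum=%v signature=%v\n", t.ChecksumOK, t.SignatureOK)
}
```

The tampered download passes the checksum check because the attacker republished the .md5 file, and fails only the signature check, which is why a signature tied to the developers' public key is the check worth making.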

Perhaps this is a good moment to add that the reaction of the WordPress folk has been impeccable in my view. They’ve acknowledged the problem, fixed it promptly, and are taking steps to prevent a repeat. Nobody should lose confidence in WordPress because of this.

Jitters about Adobe becoming “Microsoft of the web”

Ted Leung is bothered about Adobe becoming too successful with its Flash/Flex/Apollo technology:

Flash has a great cross platform story. One runtime, any platform. Penetration of the Flash Player is basically the same as penetration of browsers capable of supporting big AJAX apps. There are nice development tools. This is highly appealing.

What is not appealing is going back to a technology which is single sourced and controlled by a single vendor. If web applications liberated us from the domination of a single company on the desktop, why would we be eager to be dominated by a different company on the web?

These are valid concerns though arguably premature – we’ve not seen widespread adoption of Flex yet, let alone Apollo, which is not yet released. But is Adobe’s potential monopoly as dangerous as what we’ve seen on the desktop? My instinct is that it is not, though I don’t pretend to have thought through all the implications, and I don’t like those proprietary Adobe protocols like Action Media Format (AMF) and Real Time Messaging Protocol (RTMP). I also think it will be healthy for the industry if Microsoft gains some momentum with WPF and WPF/E, and if Java stays alive as a client-side platform, simply because competition is our best protection against vendor greed. And as Leung notes, there is also Open Laszlo.

Google can’t count

CodeGear’s Anders Ohlsson is excited because Google shows over half a million hits for “Delphi for PHP”. Even with the quotes.

I get the same results. More, in fact. Google says 654,000 hits.

Now try reading them. I get to page 35, then the hits come to a halt. There are 10 hits per page so that makes, hmmm, 350 hits. A bit less exciting. Let’s be honest, a lot less exciting. The real figure is probably a little higher, but not by half a million.

I do get this line (we’ve all seen it before):

In order to show you the most relevant results, we have omitted some entries very similar to the 341 already displayed. If you like, you can repeat the search with the omitted results included.

Trying the “complete” search does get more results, but they are just as repetitive as Google warns. Google appears to limit results to 1000 hits, so there is no obvious way to find out where the other alleged 653,000 hits can be found.

Microsoft’s Live Search says 24,473 results, but the trail runs out on page 80. That’s 800. So Microsoft Live Search can’t count either.

Yahoo says 322,000, but like Google can only show 1000 of them. I remain sceptical about the missing 321,000.

I’ve noticed this before. Certain phrases trigger huge numbers of alleged hits, but they vanish if you try to view them. Others seem to work fine. Perhaps someone more knowledgeable about the inner workings of search engines can explain why. It appears to be an unreliable measure.

Can CodeGear make sense of PHP development on Windows?

I had a chat with CodeGear’s David Intersimone and Jason Vokes about Delphi for PHP, following which I wrote a short article for The Register.

I do have reservations about the CodeGear product, though I’ve not seen it yet. My main concerns are first, that CodeGear will find it difficult to work alongside PHP’s open source community; second, that Delphi for PHP will have an unexciting feature set in its first release; and third, that over-reliance on data-binding frameworks may get in the way of lean, fast PHP development. I am not a great enthusiast for data binding, which can all too easily be inefficient, hard to debug, and restrictive in terms of database drivers. I also think the name is silly, and that long-term it makes no sense for Delphi for PHP to have its own IDE, as opposed to using Borland Developer Studio or Eclipse.

Drag-and-drop form building is hardly an exciting feature these days. I’m more interested in aspects like how easily developers and designers can collaborate, or how the IDE helps developers create secure applications, profile performance, or refactor existing spaghetti PHP into something resembling a well-structured application.

Then again, PHP is poorly served by IDEs right now, so there must be an opportunity here. One of the reasons is that setting up to test and debug PHP on Windows is awkward, posing a problem for those who develop on Windows but deploy to Linux web servers. It is an ugly mismatch. Will you use Apache on Windows, or try to get IIS working well with PHP? Presumably you want MySQL as well? Or perhaps run one of those combined installers like XAMPP and hope that all this stuff is being installed in a secure manner and won’t break IIS, ASP.NET, or anything else.

This is before you start thinking about the IDE. Will it be the Zend/Eclipse PHP Development Tools? Or the less official PHPEclipse? Something else? And not forgetting Dreamweaver, which is great for designers but less good for code unless you are happy with the built-in wizards.

It appears that folk often run into difficulties simply getting debugging working sensibly in their PHP setups.

Delphi for PHP will not necessarily be any better. In the past, Borland has not been shy about installing lots of miscellaneous bits onto your system unless you are careful what you click; it may be no different from XAMPP. Yet if it can pull off a smooth installation with a half-decent PHP editor, smooth debugging, and no conflict with our existing Visual Studio / ASP.NET / IIS setups, then that alone will make it a worthwhile proposition.

How secure is OpenID?

Everybody is talking about OpenID. Big players are adopting it. But should you trust it for things that matter – financial transactions, for example?

Here’s an important post from Microsoft’s identity architect Kim Cameron:

So let’s think about this. Where is the root of trust? In conventional systems like PKI or SAML or Kerberos, the root of trust is the identity provider. I trust the identity provider to say something about the subject. How do I know I’m hearing from the legitimate identity provider? I have some kind of cryptographic key. The relevant key distribution has a cost – such as that involved in obtaining or issuing public key certificates, or registering with a Key Distribution Center.

But in OpenID, the root of trust is the OpenID URL itself. What you see is what you get. In the example above, I trust Francis’ web page since it represents his thinking and is under his control. His web page delegates to his OpenID identity provider (OP) through the link mechanism in (5). Because of that, I trust his identity provider to speak on behalf of his web page. How do I know I am looking at his web page or talking to his identity provider? By calling them up on DNS.

I’m delving into the details here because I think this is what gives OpenID its legs. It is as strong, and as weak, as DNS. In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.

And here’s Cameron’s conclusion:

OpenID cannot replace crypto-based approaches in which there are trusted authorities rather than trusted web pages. But it can add a whole new dimension, and bring the “long tail” of web sites into the identity fabric.

Note that Cameron is not opposed to OpenID. Apart from anything else, he recognizes that this may well be the beginning of an identity revolution – part of a process, at the end of which we get a safer, less spam-laden, less criminal-infested internet.

At the same time, he’s right. The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.

Now, it strikes me that you can largely fix this by requiring SSL connections. In other words, have the OpenID URL be an https:// URL, and have the relying party (the website where you want to log in) check for a valid SSL certificate. Note though that SSL must be used at every stage. OpenID lets you use your own URL as the identifier, but redirect to another OpenID identity provider. Both URLs must use SSL to maintain integrity.
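Here is what that "SSL at every stage" rule looks like inside a relying party, as an added example in Go (not code from the post or from any OpenID library). It assumes the OpenID 1.1 delegation link tags (openid.server and openid.delegate); the identity pages, the identifier francis.example and the provider op.example are constructed for the demonstration, and the TLS certificate check itself is left to the HTTP client.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// ErrNotHTTPS is returned when either stage of discovery is served over
// plain http, where the content is only as trustworthy as the DNS answer.
var ErrNotHTTPS = errors.New("openid: identifier and provider must both be https")

// linkRe pulls <link rel="..." href="..."> tags out of an identity page.
// A production relying party should use a real HTML parser; this suffices
// for the constructed pages below.
var linkRe = regexp.MustCompile(`(?i)<link\s+rel="([^"]+)"\s+href="([^"]+)"\s*/?>`)

// Constructed identity pages for the two cases: delegation to an https
// provider, and delegation to a provider reachable only over http.
const (
	HTTPSPage = `<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/id/francis">
</head></html>`
	HTTPPage = `<html><head>
<link rel="openid.server" href="http://op.example/server">
</head></html>`
)

// requireHTTPS accepts only absolute https:// URLs.
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%w: %q", ErrNotHTTPS, raw)
	}
	return nil
}

// Discover returns the provider endpoint a relying party should use for the
// claimed identifier. The identifier URL and the openid.server URL it
// delegates to must both be https: one plain-http hop anywhere in the chain
// puts the root of trust back on DNS.
func Discover(claimedID, identityPageHTML string) (string, error) {
	if err := requireHTTPS(claimedID); err != nil {
		return "", err
	}
	server := ""
	for _, m := range linkRe.FindAllStringSubmatch(identityPageHTML, -1) {
		if m[1] == "openid.server" {
			server = m[2]
		}
	}
	if server == "" {
		return "", errors.New("openid: identity page carries no openid.server link")
	}
	if err := requireHTTPS(server); err != nil {
		return "", err
	}
	return server, nil
}

func main() {
	for _, c := range []struct{ id, page string }{
		{"https://francis.example/", HTTPSPage},
		{"http://francis.example/", HTTPSPage},
		{"https://francis.example/", HTTPPage},
	} {
		ep, err := Discover(c.id, c.page)
		fmt.Printf("%-26s -> endpoint=%q err=%v\n", c.id, ep, err)
	}
}
```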

Another idea is to use an OpenID for non-critical logins, however you define those.

Note that this issue is different from the phishing risk, for which CardSpace strikes me as a good solution.

Rasmus Lerdorf on security, hormones and PHP

PHP inventor Rasmus Lerdorf spoke yesterday at the Future of Web Apps conference in London. It was the highlight of the conference: at once funny, insightful, techie and thought-provoking.

“I had no intention of writing a language”, he told us. “I hate programming with a passion. It’s boring. It’s tedious. It’s hard. I love solving problems. You endure the pain to get to the end destination.”

In case there are any non-geeks reading, I should explain that PHP is the most popular server-side programming language on the Web. This blog is driven by a PHP application called WordPress. PHP is also free, and one of the big successes of open source.

Lerdorf related the history of PHP, which originally stood for “Personal Home Page tools”. They were little scripts he wrote for his own home page, “my own little hack to reuse the C code I had written”. He then shared his work with friends. He showed us some code samples. Here is PHP in 1994:

<!--getenv HTTP_USER_AGENT--> 
<!--ifsubstr $exec_result Mozilla--> 
Hey, you are using Netscape!<p> 
<!--endif-->

By 1995 PHP looked more like what we would recognize as PHP. By 2007 it has sprouted all sorts of modern object-oriented features, and Lerdorf noted that while he understood the importance of these, it has somewhat moved away from its original intent as a quick and dirty tool.

Lerdorf made PHP a completely open source project in 1997. He was fed up with maintaining scripts for other people and realised that he could not do it alone. “No one person can possibly learn 20 different database APIs”. So he contacted all the people who had made suggestions to him, gave them access to PHP’s source on CVS (a source code management system), and relinquished control.

This was the lead-in to some reflections on why people bother to contribute to open source software. Lerdorf gives 4 reasons:

  1. Self-interest
  2. Self-expression
  3. Hormones
  4. Improve the world

The last of these is, in his view, the least important. But why hormones? His theory is that open source is one way geeks get human interaction, despite preferring keyboards and screens to going out and meeting people. It follows that factors like recognition (within their circle) and a sense of ownership are critical to successful open source projects, or even to any form of user-generated content. “You have to think about how people feel about themselves”, says Lerdorf. In fact, his comments chimed nicely with what Kevin Rose said about Digg.

Performance and security

Next, Lerdorf addressed the two major hurdles facing web applications. He is a strong believer in performance as a feature. “Unless you can make it work, there’s no point.” He dived into a couple of profiling tools to make his point, showing how to identify bottlenecks in PHP applications.

Security on the web is awful – I fully take the blame

Then security. “Security on the web today is awful. I know a lot of people blame PHP for that … I fully take the blame for some of it, but not all of it.”

What could he have done? Well, PHP does not spoonfeed security; Microsoft’s ASP.NET is actually better in that respect (my comment, not his). It could be more secure by design. On the other hand, as Lerdorf notes, “there was no such thing as cross-site scripting in 1995”. He gave us a great explanation of how cross-site scripting works; it is not the easiest thing to explain. PHP 5.2 has a new filter function for making user-input safe.

How to be safe on the web? “You can never click on a link. Sorry. Unless you understand everything in that link, and some of them are huge. You can never be sure that it is safe….most people are really easy to trick.”

Finally, Lerdorf gave us a few general comments on future directions, the possibilities opened up by geocoding in Flickr, for example. He says don’t make new portals, “We have enough portals out there.” Use the APIs published by major sites, and finally – make it fast.

More Future of Web Apps hits and misses

The Carson Future of Web Apps London conference is over; here are my quick reflections on day two.

Adobe covers old ground

Adobe’s Mark Anders (formerly at Microsoft and much involved in ASP.NET) spoke about Flex and Apollo, explaining how FlexBuilder and MXML form a developer-friendly way to compile Flash binaries; this is familiar ground for me and I was disappointed that he didn’t go into more depth, especially considering that we had a similar talk from Andrew Shorten at this event last year. Still, there were some interesting performance comparisons showing off the JIT compiler in Flash 9.0 – it is much faster for ActionScript, as I’ve confirmed with my own tests.

Chris Wilson on IE

Microsoft’s Chris Wilson (co-author of the first NCSA Mosaic for Windows) spoke on IE7; his talk was billed as “The Future of the Browser” but it was not about that, it was more of an apologia concerning why IE was frozen for 5 years between IE 6.0 and IE 7.0 (I think it is worse than that, since IE 6.0 was not really a major advance on 5.0). He gave three main reasons: in 2001 few people were building browser-based rich web apps so there seemed little point investing in the technology; in 2002 Microsoft’s security push drained resources; and complacency from lack of competition. Wilson assured us of Microsoft’s commitment to standards, reminded us of compatibility issues (“don’t break the web”), and said that we can expect better standard support, improved user experience, and further security features in future versions of IE. A good bridge-building talk.

I caught Chris Wilson afterwards and explained my disappointment with Outlook’s use of the IE7 RSS platform, which is a botch (see here for why). I’ve asked several others at Microsoft this same question and received mumbled answers and promises to follow up that have not materialized. Wilson by contrast says he is aware of the problem and that many of Microsoft’s employees are complaining about it as well; he’s turned off RSS sync in Outlook 2007 himself, for exactly this reason. He says it will be fixed somehow but gave no clues as to when; at worst it could be the next version of Office.

I also asked when we can expect IE8. Wilson says it will be no later than two years from the release of IE7, but probably close to that. IE is no longer tied to major releases of Windows itself.

Design challenges at the New York Times

Khoi Vinh is Design Director at NYTimes.com and gave us some great insights into the problem of maintaining strong design when content is changing rapidly. In essence, he said that tools cannot keep pace with real-time, forcing compromise. He also spoke about how changing media means many-to-many interaction (not 1-to-many), and how user interface design should risk offending experts, by going for ease of use with perhaps some compromises on advanced features, rather than offending novices with UIs they cannot make sense of. Excellent talk.

The promise of OpenID

Simon Willison gave an animated talk on the future of OpenID, enthusing about the benefits of single sign-on. This was mostly a great presentation, pitched at the right level with examples, and honest about the risks and pitfalls as well as the advantages. He mentioned how Microsoft’s CardSpace helps solve the phishing problem, by moving the authentication UI into the browser, but mistakenly said this is a feature of Vista – it is not, it is a feature of .NET Framework 3.0 and available for Windows XP. (I spoke later to Chris Wilson about this, who hinted that progress in implementing CardSpace for other browsers such as Firefox and Safari is well advanced). I particularly liked the way Willison brought out some potential future benefits from a well-supported Internet identity standard, such as networks of trust enabling whitelists to combat problems like comment spam.

Google, Vodafone disappointments

After three strong presentations in a row I was feeling upbeat about this conference, but sadly it took a dive. Carson had decided to experiment with user-generated content, giving attendees the chance to put forward their own presentations; attendees voted on which ones they would like to see, and the top three got 15 minutes each. Good idea, but didn’t work well in this instance for several reasons – lack of presentation skills, not enough participation, perhaps none of the submissions was really strong enough.

Jonathan Rochelle from Google spoke on “How web built Google Docs & Spreadsheets”. I had been looking forward to this session, but it was a big disappointment, very high-level with no real insight into how the application was put together. Rochelle is too much a company man and gave little away. Then Daniel Applequist from Vodafone spoke on the mobile internet, observing that there are 1000 million XHTML-capable mobile phones versus a mere 150 million wi-fi equipped laptops. Unfortunately Applequist didn’t succeed in enthusing the conference, perhaps the mid-afternoon timing was to blame.

Great PHP talk and closing words

It was worth hanging on for Rasmus Lerdorf’s presentation on PHP. This was outstanding and I am going to post separately about it. In part this may be because I had not heard him speak before; but I really enjoyed this talk.

This post is already too long, and I’ve already posted about NetVibes, so I will close by just mentioning the entertaining Moo session from Richard Moross and Stefan Maddalinski. They love the UK’s Royal Mail.

Thanks to Carson for a thought-provoking couple of days – but please make the wi-fi work properly next time!

Netvibes Universal Widget API and OpenID

Widgets are a great concept – the user interface components of Web 2.0, perhaps? Problem: which widgets? Google Desktop? Microsoft Live? Dashboard on the Mac? Konfabulator? Or Netvibes?

Netvibes CEO Tariq Krim reckons he has the answer, announcing at the Future of Web Apps conference in London his Universal Widget API. Not sure exactly how this will work, but the idea is that you write your widget once and it runs everywhere. Dashboard and Google were specifically mentioned, along with “a bunch of others.”

After the announcement he left the stage, then dashed back, grabbed the microphone, and added a promise to support OpenID. More momentum.

Notes on the Future of Web Apps

This is the beginning of the second day at Carson’s Future of Web Apps conference in London. I was drawn by the excellent speaker line-up, including Kevin Rose from Digg, Werner Vogels who is the CTO at Amazon.com responsible for services including S3 and EC2 (web storage and on-demand virtual servers), Mike Arrington from TechCrunch, and PHP inventor Rasmus Lerdorf. There are also speakers from Adobe, Microsoft, Yahoo, Google, NetVibes and various other organizations flying under the Web 2.0 banner.

The first day was worthwhile but mixed. I am a little jaded I guess, having been to a number of these sorts of conferences. There is too much Web 2.0 tub-thumping, too many sales pitches, and not enough investigation of hard questions. In particular, I would like to hear more about business models. Cool free apps are great, but sustainability is important too.

I was disappointed by Werner Vogels’ talk yesterday. A shame, since I remain impressed by what Amazon is doing. He gave pretty much a repeat of what we already know about S3, EC2 and Mechanical Turk. Having heard Jeff Barr present the same stuff on two other occasions (including this same conference last year), I was hoping for more. How is S3 coping when stressed, is performance holding up, what have been the pressure points? Is the pricing sustainable (I think it is too cheap)? Why is there still no SLA? What are the main feature requests from users, and how will they be addressed?

I don’t mean to pick on Vogels; some of the same criticisms apply to other speakers.

Fortunately there is good stuff here as well. The second part of Rose’s talk on Digg was interesting and I plan to cover this separately. Bradley Horowitz from Yahoo gave a thought-provoking talk on automatic content filtering, detecting “interesting” Flickr images, and distinguishing between synonyms like Jaguar (car) and Jaguar (animal) in user-generated content. I enjoyed the brief talk from ThinkFree on its online Office suite, though TJ Kang mystified me by being seemingly unconcerned about the business aspect. ThinkFree has an online Microsoft Office viewer which looks useful – upload your .doc or .xls, have users view it in HTML.

There is a small exhibition here with stands from Google, Yahoo, Microsoft, Adobe and others. Adobe has a neat Apollo app on show, a desktop application which uses the EBay web service API to give you full access to EBay without having to visit the site. I’ve asked for a screenshot as this type of application will be increasingly common in future. Of course it could just as easily be written in Microsoft’s WPF, but without the cross-platform compatibility.

A couple of notes on Microsoft, a newcomer to this conference and showing off the Expression range of design tools. First, I noticed that several ex-Macromedia folk are now working for Microsoft, including Andrew Shorten who presented Flex here last year. Shake-out from the Adobe merge, but good for Microsoft in my view. Second, the first release of WPF/E will be soon, but without C# and CLR support; this will follow in the second release. Interesting, especially since Flash 9 already has a JIT compiler for its JavaScript implementation. However the plan is that there won’t be a long wait for the updated WPF/E – less than a year, I was told.

Microsoft is giving away free copies of Expression Web Designer. It is actually a decent product, but what do you do when everyone (at a conference like this) is using Dreamweaver?

Oh yes, and Java? Hardly mentioned here (though ThinkFree uses it, so does Flex server-side of course).

Digg will support OpenID

I’m at the Carson Future of Web Apps conference in London, where Kevin Rose is talking about Digg. My favourite comment:

You have to take it for what it is, it’s not a perfect system

Rose threw out a few comments about how he sees Digg evolving. One which interested me: it will support OpenID, which describes itself as:

an open, decentralized, free framework for user-centric digital identity.

I’m not sure that OpenID is going to solve many problems in itself – it is not necessarily a stronger form of authentication – but here at least is some progress in improving identity management.

AOL is also supporting OpenID, making all its accounts automatically OpenID accounts. I observed to Edwin Aoki, an AOL Chief Architect who is also here, that using a single identity for multiple sites could make the problem worse, since when it gets compromised multiple sites are then at risk. He said that happens anyway, because users already use the same email address and password on multiple sites. A fair point.

I’m actually hoping to see Microsoft’s CardSpace getting wide adoption in tandem with OpenID, as it appears to be more resistant to phishing attacks.

Still, the story here is that OpenID is gaining momentum.