Thank you and good night Planet PHP
Wednesday, 5 September 2007
I’ve decided to remove my feed from Planet PHP because of some small minded commentors (Jani and David Rodger). I would like to thank everyone who has read my blog on the planet php feed and I hope I have provided some useful information. If you didn’t think I was relevant to PHP Planet you now have your wish.
No. 1 — September 5th, 2007 at 2:13 pm
No reason to get so worked up about a couple comments. I’m sure the majority of your visitors appreciate your writing (I’m one of them).
No. 2 — September 5th, 2007 at 2:13 pm
Keep up the good work Gareth! Don’t let the mindless minority get you down.
And Ronald if you’re reading, I’m sorry you had to do away with your comment functionality, I still read all the new stuff on your site.
No. 3 — September 5th, 2007 at 2:18 pm
Thank you for your kind words.
I’ve made up my mind though, I’m removing the site from the planet php feed. I don’t mind answering valid questions or good points but mindless rubbish gets me down.
I’m doing blogging to interact with some clever people, which I’ve really enjoyed and it is a shame that some people can’t open their eyes a bit and realise that the stuff I posted can be applied to their applications.
So from now on I’ll only post on the web security feed which is a shame because other people will probably miss out but I do have a short fuse.
No. 4 — September 5th, 2007 at 2:26 pm
What a shame… π – luckily it only takes 2 seconds to add your feed!
No. 5 — September 5th, 2007 at 2:31 pm
I didn’t mean all your posts have been “off-topic”. Only the exploit/js stuff. Don’t take it so seriously, we live in a free world (or well..most of us π and it’s supposed to be free to state your opinions, isn’t it? π
Isn’t it possible to have different channels or something in these blog things? π
No. 6 — September 5th, 2007 at 2:41 pm
>> IΓ’β¬β’m sure the majority of your visitors
>> appreciate your writing (IΓ’β¬β’m one of them).
I second this!
Your blog is within my “daily feeds” anyway π
No. 7 — September 5th, 2007 at 2:45 pm
Jani my article was on the context of security. This is important to secure your PHP applications. If you had read the whole article you would have understood that it provides the reader with knowledge on how to exploit and think about applications from a hacker point of view. Exploiting your PHP applications is the only way to provide good security for your users. If you don’t think that’s relevant then….enough said.
No. 8 — September 5th, 2007 at 2:47 pm
Thank you Benjamin!
Nice to hear from my readers and not just useless comments which get me down.
No. 9 — September 5th, 2007 at 2:49 pm
Why don’t you tag your PHP posts with “PHP” and submit a feed for that tag to Planet PHP?
No. 10 — September 5th, 2007 at 2:50 pm
Gareth thanks for your posts so far. Keep them comming.
Added your site to my daily list. It was convenient to read it through planet-php. But it doesn’t really matter from what feed it comes. It’s the source that counts.
No. 11 — September 5th, 2007 at 2:57 pm
Ensi thanks for the support
My feed can be retrieved through Planet Web security if required.
I don’t want to stay on a site which people think my stuff isn’t relevant. They can filter the content in their readers but they still choose to post useless comments on my blog when I spend the time to write this stuff in order to provide I hope useful information.
No. 12 — September 5th, 2007 at 3:00 pm
@Richard
My post was tagged with PHP because I thought it was relevant for developers because they need to know how to hack their own stuff.
I feel strongly about these views and if someone questions it or implies that my stuff doesn’t work without any foundation then I will take action. People will lose out but the real fools will be highlighted.
No. 13 — September 5th, 2007 at 3:31 pm
Thanks everyone who posted support, you made me feel much better. I’ve not had much sleep and I spent a bit of time preparing that article and when I received just those 2 comments, 1 telling me security isn’t relevant to PHP and the other implying that my exploit didn’t work and was just google ad words spam, I was understandably annoyed.
I’m staying on the Planet PHP feed but I will no longer post security related stuff to it. So I’m sorry if any new novice developers miss out if they find the Planet PHP feed but you can always grab the security feed from here.
No. 14 — September 5th, 2007 at 8:21 pm
Gareth,
Your posts are informative and useful, I particularly enjoyed the Safari exploit, even though it was not relevant directly to PHP, but more to being security-conscious as a developer in general. A bit of unsolicited advice: you should sleep a night when feeling rebellious and wanting to post things like “seeya planet PHP” π
I know I’ve sent out a few doozies when I forget this rule and click “Send” or “Post” …
No. 15 — September 6th, 2007 at 7:18 am
Thanks Greg
I’ve had some sleep now and I feel a bit better. I just got a bit silly I think because of 1 or 2 annoying comments. Damn those 24 hour coding sessions, they’re not good for me π
No. 16 — September 6th, 2007 at 11:15 am
Did I say the hack wasn’t serious? Did I say it was non-existent? Did I say your post wasn’t relevant? I said none of these things.
And Jani, it’s his blog, not a democracy. He can do as he wants, including unjustifiably slagging me off! I hope he has the good grace to publish this qualification but I can’t and won’t force him to.
My copy of Safari (version number included in my comment) does not display the behaviour implied in your description. What that behaviour should be exactly I don’t know, but i assume from the JS I should have had an alert.
Now if you’d said “Safari preferences must be set as follows…” or “only on this version and lower/higher/sideways”, it might have accounted for it. I suppose I should have anticipated that my “Hmm” might be misinterpreted by the [ahem] “mindless minority”.
No. 17 — September 6th, 2007 at 11:19 am
I did over react because I was tired but it was your mistake. I assumed that people would have the intelligence to read the address bar before leaving a comment about it not working on a non-beta product.
You implied those things.
No. 18 — September 6th, 2007 at 11:34 am
I apologise unreservedly to you Gareth. You did talk about the beta. What I was worried about, I suppose, was that such exploits were in earlier versions of Safari and maybe no one had noticed. Your reference to “Apple software update appeared with news of a new beta of Safari” gave me the impression that what preceded was not entirely about the beta (or an earlier beta).
My real mistake is assuming that Apple was unlikely to introduce new bugs into a newer version (it’s supposed to be an improvement isn’t it?). Don’t know why; an expectation, after years of using Apple products, that it will just work. But it’s happened with PHP releases plenty of times. No reason why anyone else wouldn’t experience it.
I, and I’m sure that others here, appreciate your work and find it intriguing. It’s very convenient having you on Planet PHP and it would be a shame if you were not. (Besides, your post is actually web-related unlike some other entries about what happened at the pub last night — you know what I mean?)
I don’t actually want to have to think too hard about this stuff. I just want it to work. It’s hard enough worrying about my PHP code and user input without considering browser hacks. But then the CSS folks probably similar things about MSIE.
No. 19 — September 6th, 2007 at 11:43 am
Thank you David no hard feelings.
We all make mistakes and I must have misinterpreted your comment for being nasty when it probably wasn’t. Sorry about that.
Yeah that’s why I did take offense to Jani because of all the other unrelated stuff on there, yet he chose to leave a comment on my blog, which I thought was a waste of mine and everyone else’s time.
No. 20 — September 6th, 2007 at 11:56 am
I haven’t tagged my latest post about window.name vulnerability with PHP, so it won’t appear on PHP Planet. Even though that knowledge is needed by PHP developers because the very example is used for a PHPIDS system. They are trying to filter out javascript injection.
But hey it’s not PHP related eh? See how silly some people are.
No. 21 — September 6th, 2007 at 5:20 pm
The reason I hate coding w/ web-types most of the time is this attitude “of I just want it to work.” If you want it to work, then write correct code. The trouble is, you don’t “just want it to work”– you want to get a lot of result w/o much effort or thought.
I’d check out a different career field.
No. 22 — September 6th, 2007 at 5:21 pm
That last comment was supposed to be a reply just to David Roger comment (#18), but it showed up as a comment on the whole article… my bad.
No. 23 — September 6th, 2007 at 8:45 pm
Maybe it’s just Safari, Tom, but I don’t see a mechanism for indicating that your reply is to a specific post (unlike, say, Serendipity on Stefan Esser’s site).
>If you want it to work, then write correct code.
Tom, do you write code for the web, where this vulnerability and its consequences would become evident? If you’re not a “web type”, I’m impressed that would have spotted it in a nano-second (as opposed to the long, hard slog Gareth put in to find it). Incidentally, what is it of yours that is bad?
Gareth, could you tell us whether you think what the Safari beta does is what it (or any browser, for that matter) ought to do?
No. 24 — September 6th, 2007 at 9:04 pm
Well every browser should deny access to write access things like the document object. Firefox’s behavior in this matter is the best.
But this specific vulnerability is the way Safari handles local files, it seems that if a file is run locally or fooled into thinking it is local then the cross domain policy seems to go out the window. Hence why I could access data from other domains.
I would recommend everyone uses an alternate browser until Apple release a fix for the beta as this vulnerability is extremely dangerous, it would be possible to hide the iframe and perform any action on any web site and retrieve data as that person.
Normally I would have reported this to the manufacturer before releasing it to the public but Apple’s attitude deserved otherwise.
No. 25 — September 7th, 2007 at 10:51 am
Hi Gareth,
I’ve been educated and entertained by your posts, and will be subscribing to your own feed.
Thanks for sharing your work.
Regards
Richard
No. 26 — September 7th, 2007 at 10:55 am
Richard thanks a lot, it helps a great deal if I know people are learning or enjoy my posts.
No. 27 — September 7th, 2007 at 12:19 pm
Gareth- I never have gotten around to saying “thanks” for such an *informative* blog. Most blogs seem to focus on sound bytes– I think this one focuses on, well, focused substance. Not for everyone, but great for those it is for.
No. 28 — September 7th, 2007 at 12:31 pm
Thanks Tom much appreciated, I always blog about the stuff I’m passionate about and that’s why I find it easy to do, you’re right it’s not for everyone but I’m not trying to appeal to everyone, I just want to share knowledge and talk to clever people.
In the last few months I’ve talked to some outstanding programmers and starting blogging was probably one of the best decisions I’ve made.
No. 29 — September 7th, 2007 at 12:39 pm
Dave-
Of course I wouldn’t have spotted the problems with that vulnerability without careful investigation, if ever! In security, people often have their own technique for finding particular types of problems. Also, just because I strive to write correct software doesn’t mean I do it. However, we do have a responsibility to ensure our software does what we claim it does, and most software products claim to be secure.
BTW- I don’t intend to get involved in a flame war that clogs up this blog… good luck doing your thing.