Beautiful Ojai

Here are a couple photos from a relaxing weekend in Ojai, California (click the images to enlarge). My wife, sister and I hiked the Howard Creek Trail in Rose Valley. After recent torrential rains, the hills were green and new streams were rushing in the valleys. It was a much needed break from urban life.
More than this, Ojai has always been a special place to me, and seeing it so lush and alive reminded me of our wedding last spring. So many perfect little touches, little surprises, like the Wisteria coming into bloom, seemed to indicate the work of a greater providence.

The Winding Path

People have been commenting on the logo in the upper left corner of the site. It’s a medieval labyrinth, a mystical Christian meditation/prayer device. I like it in part because it looks a bit like a brain. It also seems to appear chaotic, yet is orderly. To me it symbolizes the mind, and is fitting for a site like this one where I park my thoughts.

Some people get really into labyrinths, and it has been making a bit of a revival lately. My own personal experience with the labyrinth is that it is a wonderful tool for “unwinding” in many senses of the word. If you’re interested in walking a labyrinth, the world wide labyrinth locator can probably help you find one in your area. People are building them in surprising places. My personal favorite here in Los Angeles is Peace Awareness Labyrinth and Gardens near downtown. Make an appointment and be sure to visit the meditation gardens while there.

Enterprise PHP Embarrassment

Thanks to fellow Serendipity user Norbert Mocsnick for pulling this roster of PHP users from Zend:

“Hewlett-Packard, Boeing, Lufthansa, Dresdner Bank, Disney Online, Yahoo!, Lycos, Sprint, T-Mobile, Orange, Nortel Networks, Lucent, WallStreetOnline and Siemens.”

This helps answer the question, “Who are the enterprise?” but raises another: “Where have they been?”

My experience so far has been that corporations keep plans to implement open source technology tightly guarded under non-disclosure agreements. Upon discovering I was, “an open source guy” a friend of a friend with a wink and a nudge disclosed to me that his company uses MySQL as the mainstay of their information gathering operations. Huge operations. Yet he’d throttle me if I disclosed the company name (a household word in IT).

Why the shame?

Continue reading…

Who’s on Input

OK, so maybe Chris didn’t say “security is what happens between input and output.” But I do. The truth is that a PHP developer really only has control over these two deceptively simple components of the application. Sure, there are scads of other types of attacks — attacks relatively beyond the control of the PHP developer, involving DNS, file system permissions, and (in the case of phpBB) other applications written in totally different languages (like Perl) running on the same hardware. The PHP developer, however, has a specific responsibility to make the “black box” he codes in as airtight as possible. And the way to make that happen is to focus on two domains: input, and output.

This raises another pretty interesting point: most PHP developers aren’t.
Continue reading…

The Politics of Creating Communities

PHPDeveloper just reported that the phpBB development server has been hacked by a politically motivated group. More details and the response from the phpBB group are on the phpBB site. What strikes me most is the phpBB slogan: “creating communities.” Why would anyone want to maliciously thwart that? I guess in a meritocracy like open source if you don’t feel you’re getting your share of merit, sometimes people resort to drastic means. But if this is truly a “benificent” move, why didn’t the hackers let the phpBB group know about their weaknesses in a more civil manner? This is a sad day for open source, and a step backward in creating a sense of community in the open source world.

Security In, Security Out

PHPChris Shiflett has an interesting post on his blog wherein he declares that all PHP security vulnerabilities come from either a lack of flitering input or escaping output. In fact, he’s betting $100 that the next 4 of 5 vulnerabilities that get reported by PHP|Arch will confirm his proclamation.

My question is: what other kind of security vulnerability exists besides one that can be exploited by input either directly or as that input later becomes output to another application (like MySQL)? Define filtering broadly enough, and there’s really no way to loose.

But seriously….

Continue reading…