The conference is surprisingly huge (6000 people). Virtualization is obviously important to IT now. I am looking forward to the security-related talks (I’ll post about them later). Here are a few notes from the sessions I attended:
[tags]malicious code, wikipedia, trojan horse,spyware[/tags]
Frankly, I am surprised it has taken this long for something like this to happen: Malicious code planted in Wikipedia.
The malicious advertisement on MySpace from a while back was a little similar. Heck, there were trojan archives posted on the Usenet binary groups over 20 years ago that also bring this back to mind—I recall an instance of a file damage program being posted as an anti-virus update in the early 1980s!
Basically, anyone seeking “victims” for spyware, trojans, or other nastiness wants effective propagation of code. So, find a high-volume venue that has a trusting and or naive user population, and find a way to embed code there such that others will download it or execute it. Voila!
Next up: viruses on YouTube?
[posted with ecto]
Once again, Scott Adams cuts to the heart of the matter. Here’s a great explanation of what’s what with electronic voting machines.
Someone sent the following to me as an example of how to ensure secure passwords
Microsoft claims this message is an error. However, I think we all can see this is simply a form of extreme password security of the sort I wrote about in this post.
I decided to not be all self-deprecating as I usually am with things like this, and admit that I’m really happy and proud to say that I was interviewed by Cal Evans for the Zend Developer Zone.
I guess the first question that comes to my mind is “Why did you build this?”Read the rest »
I built it because there was no good way to audit the security settings in your PHP.INI or your PHP environment. The average PHP user I feel is someone who can use an installer to install scripts on their server, get them running and do a little customization or hack up some code but they are not educated developers. These users have no easy way to check how secure their environment is. So I wrote PHPSecInfo to give these uses something easy to run and present the information in a format they are already familiar with.
Also, I uploaded a new build of PHPSecInfo this morning. This version fixes the errant Notices we were getting, makes it easier to extract test data for your own nefarious purposes, and fixes a bug with the curl file protocol test on PHP4. The latter unfortunately just skips the test on PHP4 because I’m not sure how to do the check; suggestions are welcome.
Download: http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
Docs: http://phpsec.org/projects/phpsecinfo/docs/
What’s new:
v0.1.1
- Added PhpSecInfo::getOutput(), PhpSecInfo::loadAndRun() and PhpSecInfo::getResultsAsArray() methods
- Modified PhpSecInfo::runTests() to fix undefined offsent notices
- Modified PhpSecInfo_Test::setMessageForResult() to fix undefined offset notices
- Modified PhpSecInfo_Test_Curl_File_Support to skip if PHP version is