skoop.dev

  • What we can learn from yesterday’s phpbb.com hack

    February 2, 2009
    hack, php, phpbb, security

    As some of you may know, I used to be the Support Team Leader of the phpBB Support Team back in the days of phpBB2. I’ve had a lot of shit thrown my way back then, together with the rest of the support team, trying to keep up with the releases, the flaws, the patches and the thousands and thousands of phpBB users that were hit by one of the security flaws.

    Most of the users hit by security flaws were – fortunately and unfortunately – not users that were hit by unknown exploits or published exploits that had not been patched yet. Instead, most hits were easily gotten because a lot of users of the phpBB software didn’t keep up with new versions and/or security patches. Instead, they left their old vulnerable version of phpBB running unpatched and open for exploiting. A lot of the criticism by users at that time was only partially fair; had they updated their forums to the latest version, they would not have been hit. Sure, it means there was an exploit in an earlier version, and that is not a good thing, but at least the phpBB group tried to patch vulnerabilities as soon as they were notified of the problem.

    Because of the issues with security in phpBB2 though, the phpBB group decided to have their brand new code for phpBB3 thoroughly audited by what is probably the number one company in the world for PHP security: Stefan Esser’s SektionEins. The issues found by SektionEins were quickly solved before the final release of phpBB3, ensuring a secure codebase to start with. So when I got notice of yesterday’s hack (through an e-mail sent by the hacker to all subscribers of the phpBB announcement mailing list), I was pretty sure it was not phpBB itself that was abused.

    The hacker himself (herself?) confirmed this. The e-mail sent out contained a lot of details on how he got into the server using an exploit in an unpatched version of the phpList mailing list manager. I seriously disagree with the decision of the hacker to also include a full export of the users table of phpBB.com, as well as the inclusion of other “private” information such as passwords; however, I must say I was impressed with the level of detail that the hacker exposed on how he got into the server, and I think phpBB should learn something from this.

    Separate from that, though, I think the whole world can learn something from this: your server is only as secure as your weakest link. So if you use any third party open source software, make sure that you always use the latest version, and that you subscribe to the notification mailing lists for new releases. This will ensure that you get notified when new versions are released, so that you can patch your installation to the latest version and fix any vulnerabilities in the software.

    So even when you build your own application as secure as you can and have it audited by an external company, make sure that you not just have your application audited, but also the environment that it runs in.
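    The advice above (keep every third-party component at its latest release, and subscribe to each project's release announcements) boils down to two checks an operator can automate: is anything we run behind the latest version we know of, and is there anything we run for which we track no release feed at all? The Python script below is an added example, not code from the original post or from phpBB; the component names, install paths and version numbers in it are constructed placeholders, and the "latest known" table stands in for what you would maintain from the vendors' announcement lists.

```python
"""Inventory check for third-party web applications (constructed example).

Compares the version each deployed installation reports against the latest
release you know of, and flags installations that are behind as well as
components for which no release list is being tracked at all.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str        # short identifier for the software package
    path: str        # where it is installed (hypothetical path)
    installed: str   # version string read from the installation


# Constructed sample inventory: paths and version numbers are made up.
INVENTORY = [
    Component("phpbb", "/var/www/forum", "3.0.1"),
    Component("phplist", "/var/www/newsletter", "2.10.5"),
    Component("custom-app", "/var/www/app", "1.4.0"),
]

# Constructed sample of the latest versions announced on each project's
# release list. Placeholders, not real release numbers.
LATEST_KNOWN = {
    "phpbb": "3.0.1",
    "phplist": "2.10.9",
}

# Accepts "2.10", "v3.0.1", "3.0.1-rc1", "3.0.1beta2" and similar.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?\s*$")

# Pre-release tags rank below a final release of the same number.
_PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text):
    """Turn a version string into a tuple that compares correctly.

    Numeric parts are padded to four positions so that 2.10 == 2.10.0;
    unknown suffixes raise so an operator looks at them instead of the
    check silently guessing.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))
    tag, tag_num = match.group(2), match.group(3)
    if tag is None:
        return nums + (_FINAL_RANK, 0)
    if tag.lower() not in _PRE_RANK:
        raise ValueError(f"unknown version suffix {tag!r} in {text!r}")
    return nums + (_PRE_RANK[tag.lower()], int(tag_num or 0))


def outdated_components(inventory, latest_known):
    """Return (behind, untracked).

    behind:    list of (component, latest_version) pairs whose installed
               version is older than the latest known release.
    untracked: components with no entry in latest_known, i.e. nobody is
               subscribed to a release feed for them.
    """
    behind, untracked = [], []
    for comp in inventory:
        latest = latest_known.get(comp.name)
        if latest is None:
            untracked.append(comp)
        elif parse_version(comp.installed) < parse_version(latest):
            behind.append((comp, latest))
    return behind, untracked


def report(inventory=INVENTORY, latest_known=LATEST_KNOWN):
    """Render the findings as one line per problem, suitable for a cron mail."""
    behind, untracked = outdated_components(inventory, latest_known)
    lines = [
        f"OUTDATED  {c.name:<12} {c.installed:<8} -> {latest}  ({c.path})"
        for c, latest in behind
    ]
    lines += [
        f"UNTRACKED {c.name:<12} {c.installed:<8} no release list tracked ({c.path})"
        for c in untracked
    ]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it from cron and mail the output to whoever owns the server; an empty report means every tracked component is current and nothing is untracked. The version parser deliberately refuses suffixes it does not understand rather than ranking them arbitrarily, since a wrong guess there would hide exactly the outdated installation the check exists to find.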

  • public static vs static public

    January 26, 2009
    php, public, static, symfony

    Even in current literature on PHP 5 object oriented development, you’ll mostly see mentions of the “public static” order. And it isn’t strange, I can understand that some people prefer the PPP at the start to give clarity on the access rules for methods.

    While looking around inside the symfony code, I first encountered the “static public” order of keywords. At first, I thought this strange, but the more I look at it, the more beautiful I think it is. It gives a great overview of which methods are static and which aren’t. 

    In the end it is of course a personal preference, however I’ve found my preference shifting towards the latter over the past months. I decided to check which was preferred most in my twitterverse, and here are the results:

    As you can see, a big majority still prefers “public static”. However, even more important I think is that the “static public” had more ground than I expected (or perhaps it’s that a lot of people that follow me come from the symfony world). Having 2 votes for the option “I don’t use static methods” was perhaps also a small surprise, but I guess it depends a lot on what you work on as well.

    If you haven’t voted yet, feel free to give your opinion in my poll. 

  • phpGG Frontend Special: We made the point

    January 25, 2009
    adobe, conferences, css, frontend, HTML, javascript, microsoft, php, phpgg

    The roughly 50 attendees of the event started coming in at about 9:45. They had some coffee and were able to chat a bit with each other and get to know each other. At about 10:30, I started out with the opening talk, welcoming everyone and telling them what they could expect.

    After the welcome, Bram Veenhof from Microsoft took over. At first he introduced Windows 7 a bit, something that some of the attendees seemed to have seen as a marketing thing, and I can understand their point. And even though it missed the point of the event, the small tour of the new Windows was nice. After that, he went on to show some of the applications of Silverlight. Impressive was the way they handled several different sporting events with multiple live video streams covering those events. Also, the Deep Zoom functionality looked quite impressive, even though it requires really high resolution imagery. The only thing I missed was a technical look into how to work with Silverlight.

    After this, Mihai Corlan of Adobe came to present Flex. And where Bram missed some technical information about Silverlight, Mihai had an abundance of information available. Lots of practical examples. I still have a hard time seeing a really practical use of Flex for web-based applications, however I see a lot of potential for Flex-based AIR applications.

    Next up was the lunch break, after which three communities presented themselves. First off, Fronteers, the Dutch organization for frontend developers, presented themselves. After that, phpWomen told us what they’re all about. Finishing off the community block, I had a 15 minute block in which I shortly presented the Dutch PHP Usergroup and also gave away some goodies.

    Starting the afternoon sessions, Boy Baukema gave 8 reasons why PHP developers should love Javascript. He had a really well-organized talk and made very clear points on why PHP developers should love Javascript. I could not really disagree with any of them, and understood their points. Still, for some reason, Javascript is just not my thing.

    Finishing off the Frontend Special was a presentation by Robert Jan Verkade. He gave what was to me the best presentation, on the topic of why PHP developers and Frontend developers should be friends, and the best ways of ensuring that a project is a success by cooperating and making agreements on certain stuff.

    Overall the event was a great success and the feedback we got was amazing as well. So that leaves me with only one conclusion: We made the point that the frontend is important, and this event was great, so on to the next. 

  • Speaking at PHP Conference UK

    January 21, 2009
    conferences, london, php, symfony

    This talk will focus on the different myths and prejudices that people have against symfony. Symfony is supposed to be slow, extremely coupled and overengineered. To work with symfony you don’t do PHP anymore but only work with YAML configuration files. It’s things like this which I will test during this talk. I will either have a myth BUSTED, a PLAUSIBLE verdict or even confirm myths… we’ll see.

    For those not in the London area: I will be giving this talk also during PHPCon Italia in Rome in March, and I may also propose it for an uncon session at PHP|Tek if there is interest in this topic stateside.

  • I want to see all of you at DPC!

    January 16, 2009
    cfp, conferences, Dutch PHP Conference, php, symfony, talk

    The past two editions of the Dutch PHP Conference were a big success, and now it’s time to be part of that success! So start writing that proposal on the topic you know everything of, and submit it for consideration for the Dutch PHP Conference.

    If you’re a bit unsure of how to write a proposal, my colleague Lorna wrote a great article on “How to Submit a Conference Talk“, which may help you along. In case you’re still not sure, feel free to contact me, I’d be happy to help you out!

    So, no excuses now, start writing those proposals and send them in! 

  • Convert m2ts on OSX

    January 8, 2009
    imovie, m2ts, movie, osx

    Searching for something like ‘m2ts convert OSX‘ gives you a lot of results. However, a lot are quite useless, for instance torrent sites and such. However, there are some discussion forums in the results where solutions like ffmpegx are being mentioned. I am afraid I couldn’t get the ffmpegx conversion solution working. It did convert the movies, but the resulting movies were mostly noise and not much of the original image.

    The discussion forums also mentioned some other tools, some of which – as was commented, used libraries that were from iMovie. People on these forums wondered why iMovie didn’t support the m2ts format. 

    I decided to start iMovie anyway. When iMovie was running, all of a sudden it recognized the DVD I had in my DVD player as a “camera” and listed all the available movies on the camera. It was my lucky day. As it turns out, iMovie is easily able to simply import the movies if it sees the DVD with the videos as a camera.

    The resulting movies are of excellent quality and definitely usable for video. I’ll use iMovie to export to a format Premiere will accept and edit in Premiere, as I for some reason can’t get used to the iMovie ’08 editing interface.

  • Speaking at PHP|Tek

    January 6, 2009
    conferences, php, phptek, phptek09

    The Power of Refactoring

     I will be revising my refactoring talk again a bit. The base message will remain the same but the execution and order of topics will be changed a bit (no more live coding – live unit test execution stays though) and I’ll be adding a few short things here and there.

    A Guide to Using and Understanding the Community

    I am quite excited to be doing this talk. First of all, it’s the first time I’m doing a joint talk (and I’m quite happy to be doing this with Lorna). Second of all, being the community person that I am, this topic is much closer to me than the refactoring talk. So expect a very interesting talk!

    The North American Community

    Possibly even more exciting is the fact that this is my first time on the other side of the pond, so I’m going to meet a lot of people I’ve so far only spoken to online, or possibly never even spoken to but am very interested in meeting. Amongst those are Elizabeth Naramore, Cal Evans 2.0 Eli White, Wez Furlong, Chris Shiflett, Chris Cornutt and Ben Ramsey. I could’ve put all speakers on that list of course, but then the list grows so big so quickly 😉

    Anyway, I’m really looking forward to it, so feel free to drop by at PHP|tek in May in Chicago.

  • Seven Things – Tagged by Matthew Weier O’Phinney

    January 3, 2009
    meme, personal, seventhings
    • I have no computer science background. Hell, the “communication systems” education I took – a 4-year education – took me 7 years to finish. But I learned PHP purely by reading and trying out – one of the powers of PHP if you ask me.
    • I will be writing a book this year. I’m not going to say much more about this at this point, but I’ve committed myself to a publisher already.
    • I used to make electronic “music”. Some of it is still available online, and one track is even available on iTunes.
    • I have actually contributed code and documentation translation to Zend Framework before switching my main focus towards symfony.
    • Even though I’ve been a sincere Microsoft-hater over the past years, I’ve recently been cautiously revising my opinion on them.
    • I usually enjoy doing the dishes. We don’t have a dishwasher and I have no problem with that.
    • When I was younger I knew for sure I was never going to get married or have kids. Now I’m married and have two kids.

    So, now to tag seven other people. This is getting quite hard within the PHP world so I think I’m going to extend this meme into a wider audience next to some people from the PHP world. I am going to tag the following 7 people:

    • Kilian Valkhof – For being a very nice guy and a very gifted frontend developer and designer. 
    • Bill Stegers – For being a cool colleague
    • Marko Mihelcic – For being a very gifted designer
    • Bob den Otter – Very cool guy, author of the Pivot(X) weblog software, and successful businessman these days as well
    • Bert Boerland – Important in the Drupal community, gifted speaker (one of the first speakers of our re-launched Dutch usergroup!)
    • Joost Farla – For being enthusiastic about symfony and – together with his colleagues – deploying some impressive symfony projects
    • Jonathan Wage – For all his work on Doctrine and symfony

    And here’s the rules of the game:

    • Link your original tagger(s), and list these rules on your blog.
    • Share seven facts about yourself in the post – some random, some weird.
    • Tag seven people at the end of your post by leaving their names and the links to their blogs.
    • Let them know they’ve been tagged by leaving a comment on their blogs and/or Twitter.
  • Dutch Frontend Special

    January 1, 2009
    conferences, css, event, frontend, HTML, php, phpgg

    I am quite excited about us organizing this event. This is our first step towards a full-blown conference, and I am proud of the speaker schedule we’re putting together. We have speakers from Microsoft and Adobe who will go into their respective frontend and RIA technologies, Boy Baukema – the javascript expert at Ibuildings – will be talking about Javascript, and Robert Jan Verkade and Stephen Hay (Stephen Hay has unfortunately cancelled, so Robert Jan will be on his own) – who I saw with a very interesting talk at last year’s pfCongrez – will give a take on HTML and CSS technologies. More on the content of the different presentations will follow as well as the actual schedule.

    I think we also have an excellent deal for people interested in visiting the event: entry is free for paying members of the phpGG, and non-members are able to come for the small fee of 15 euro. For that price, they’ll get a free year of membership of the phpGG thrown into the package. This deal is only available in the pre-sale. You’re still able to come without a pre-sale ticket, and you will still get the same package with free membership, however the price will then be 25 euro.

    I am very much looking forward to this event and know for sure that it will be an amazing event. If you’re living in the Netherlands and are interested in frontend technologies, this event will be a must-attend!

  • A look back

    December 29, 2008
    leftontheweb, php, symfony, year

    January

    In January my focus was mainly on the birth of Yara. A great experience of course, something truly special. It was also the month my podcast introducing symfony was published on the Zend DevZone though, and the month I received my Zend PHP5 certificate.

    February

    In February, I shared my experiences with the new Zend Studio for Eclipse, and also looked forward to the Dutch PHP Conference. 

    March

    In March I published a post listing some tips for people beginning with symfony, which I got a lot of positive response about. I also found a great quote in a strategy guide for World of Warcraft that could just as easily be applied to (PHP) development.

    April

    April was a busy month for me. In April I did the first two of my conference presentations in the Netherlands. Both were on symfony, and were greeted with positive response. Later in the month I enjoyed the company of some cool people from the PHP world, first for a dinner and then for a seminar.

    May

    In May my article The Power Of Refactoring was published on the Ibuildings weblog. This article triggered my preparations for the talk I’d end up giving at several conferences later in the year. It was also the month in which Ibuildings and PHP|architect announced their partnership. And last but not least, I found out about an interesting gotcha when using SimpleXML with XML that has namespaces in it.

    June

    June was of course the month of the Dutch PHP Conference, where I joined Fabien Potencier of symfony in a full-day workshop. The month ended with Live concerts.

    July

    In July I guess I was quite busy, because I only wrote 3 posts on my weblog. One of them was quite funny, and that was my quoting of Ivo Jansch talking about the atkMetaNode and comparing it to pregnancy.

    August

    In August I came by a really good plugin for symfony, at least for plugin development, called DbFinderPlugin. Using this plugin you don’t need to manage different versions of your plugins anymore for different ORMs, which is really good. I also announced two new speaking engagements, a talk at SymfonyCamp and a talk at the International PHP Conference.

    September

    The Center of Expertise was announced by Ibuildings in September, something I was quite excited about. It was the month of SymfonyCamp 2008 where I did a presentation on debugging with symfony. I also announced yet another speaking engagement, this time in Manchester at the PHPNW08 conference. However, probably the most exciting news was that the earlier announced Center of Expertise was going to be led by none other than Cal Evans.

    October

    In October we announced the first BugHuntDay, an initiative of the Dutch and Belgian PHP usergroups. I also gave a little insight into a project of mine, integrating the lime unit testing framework and phpUnderControl. After this the work on that slowed a bit, but I hope to pick up on that early next year. October was also the month of the International PHP Conference and my presentation there.

    November

    November was the month of the Zend Framework BugHuntDay. It was a huge success. It was also the month of PHPNW08 and my presentation there. Another event where I had a lot of fun.

    December

    Finally, December. There’s two days left, but I don’t think I’ll write much in those two days 😉 It was a busy month, with symfony 1.2 and Jobeet going on. Having to let go of our 7 year old cat Indy was not easy either. All in all, this was probably the most hectic month of the year.

    Next year

    Next year I hope to continue my conference activity. I’ve already got proposals in at PHPLondon and PHP|tek (both of which I hope will announce their schedules before the end of the year), and I’ve already been accepted at the PHPCon Italia. I’ll be sending proposals to various other conferences as well. I’ve got plans for a book, which I hope will become more clear during the year. Of course, my involvement in the symfony community will stay, and the Dutch PHP Usergroup will become even more active next year. Enough to look forward to. Have a great new year everyone!
