[Hidden-tech] Ransomware and Site & Server Security

Tim Boudreau niftiness at gmail.com
Wed Aug 27 00:55:55 EDT 2014


Heh - a friend of mine once planned to give his son the middle name "DELETE
* FROM CITIZENS" (including the quotes!).

Not to be *too* much of a framework snob, but if SQL is *possible* in a web
framework, then that framework is deeply, fundamentally broken.  And PHP is
- the root problem is that it mixes together code and markup.  That means
these kinds of vulnerabilities are baked into the design of the language.
PHP is fundamentally by-amateurs, for-amateurs.  I think the article that
best captures the issues is this one:
http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

There is a wider world of ways of doing web sites that is not prone to this
sort of problem.

While the idea of flat HTML sites sounds quaint to some folks, the reality
is that generating HTML on the fly on a server is pretty much dead as an
approach to doing dynamic web sites.  Flat HTML is back :-)  Combined with
a JSON REST API for dynamic data and javascript that runs on the client to
talk to it (using client-side frameworks such as AngularJS), you can do all
the things people have traditionally done with dynamic HTML generation on
the server, and the result scales far better - since the server is doing
less, you can do the same things with far less hardware, take better
advantage of server-side and browser-based caching, and scale out further
and much more easily.  And the result is far easier to secure.

I realize that there are people attached to PHP;  and that in general, in
the technology industry, broken platforms create economies of consultants
around them to babysit them (FreeBSD was actually a threat to Unix vendors
but Linux got all the attention when it was a tinker-toy;  MySQL *still*
can't index a unicode string longer than 250 characters while Postgres can
rival Oracle;  the list goes on).  But the bottom line is that the industry
is going in the direction of flat files and dynamic content handled
in-browser, and given the huge advantages that offers in terms of
scalability, I don't know of anything that stands a chance of turning that
tide.

I'm not saying PHP hosting vendors are going to be out of business
tomorrow, but if you're dependent on it, now would be a good time to lift
the lid and let in some fresh air.

-Tim

--
http://timboudreau.com
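The second paragraph of the post is about frameworks that let caller-supplied text become part of a SQL statement. The following is an added example, not code from the post or from any framework it mentions: it builds a constructed in-memory SQLite table of citizens (the table and names are hypothetical) and contrasts a query assembled by string formatting with one that uses parameter binding, where even a middle name like "DELETE * FROM CITIZENS" is stored as plain data.

```python
import sqlite3

# Constructed sample data for this demo; the citizens table is hypothetical.
CITIZENS = [("Alice", "Springfield"), ("Bob", "Shelbyville")]


def setup():
    """Create an in-memory database with a small citizens table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (name TEXT NOT NULL, town TEXT NOT NULL)")
    conn.executemany("INSERT INTO citizens (name, town) VALUES (?, ?)", CITIZENS)
    return conn


def find_by_town_unsafe(conn, town):
    """The broken pattern: the caller's text is spliced into the SQL itself,
    so whatever the caller typed decides what the statement means."""
    sql = "SELECT name FROM citizens WHERE town = '%s' ORDER BY name" % town
    return [row[0] for row in conn.execute(sql)]


def find_by_town_safe(conn, town):
    """Parameter binding: the text travels as a value, never as SQL grammar."""
    sql = "SELECT name FROM citizens WHERE town = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (town,))]


def register_citizen(conn, name, town):
    """Insert with bound parameters and return the new row count; a name that
    contains quotes and SQL keywords is stored verbatim as data."""
    conn.execute("INSERT INTO citizens (name, town) VALUES (?, ?)", (name, town))
    return conn.execute("SELECT COUNT(*) FROM citizens").fetchone()[0]


if __name__ == "__main__":
    db = setup()
    # A town value that carries its own SQL: the unsafe query ends up with two
    # conditions, the safe one looks for a town literally named this way.
    tricky = "Springfield' OR town = 'Shelbyville"
    print(find_by_town_unsafe(db, tricky))  # ['Alice', 'Bob']
    print(find_by_town_safe(db, tricky))    # []
    register_citizen(db, 'Robert "DELETE * FROM CITIZENS" Smith', "Springfield")
    print(find_by_town_safe(db, "Springfield"))
```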

