[00:53] http://localhost.re/p/whmcs-v5210-vulnerability
[00:53] again.png
[00:55] I'm so surprised.
[02:00] joepie91: give them a few weeks/months
[02:00] they'll have it patched in no time
[02:13] in about another 5 days i will have video in the top 9 of the computer & technology collection
[02:28] Kubuntu 13.10, here we go
[02:34] odie5533: hehe
[02:35] joepie91: how quickly do they actually patch stuff?
[02:35] 1-3 days
[02:35] because from what I've seen, software companies leave stuff vulnerable for 1 week minimum
[02:35] approximately as long until a new vuln is found
[02:35] well uh
[02:35] they can't really afford to
[02:35] 1-3 days isn't even bad
[02:35] odie5533: in their situation? it is
[02:36] think of how long bank software stays vulnerable? minutes to hours at most.
[02:36] tens-hundreds of hosting companies having client area shut down
[02:36] and shouting/screaming at them
[02:36] and threatening to leave
[02:36] yes, 1-2 is bad
[02:36] 1-3 *
[02:36] guaranteed the banks and stock software is being patched as fast as humanly possible
[02:37] yes
[02:37] why are the client areas shut down?
[02:37] uh, because otherwise a random skid can dump/wipe entire databases
[02:37] or gain admin access to servers?
[02:37] :|
[02:38] I thought the bug was only that anyone could view invoices
[02:38] no
[02:38] there's an SQLi
[02:38] same for previous bugs
[02:38] one of them was even arbitrary code eec
[02:38] exec *
[02:39] Not regarding this, but I always find it funny when people want to create their own PHP framework. It's very hard to create a secure PHP framework.
[02:39] odie5533: actually, not really
[02:39] this case shows how hard it is even for a large company to create a secure piece of software in PHP using your own framework
[02:39] you just need to not be an idiot
[02:39] (read: using mysql_)
[02:39] it's way more than that...
[02:39] like?
[02:39] As soon as you get more than one or two SQL queries
[02:40] you start needing abstraction
[02:40] and then you end up messing up somewhere.
[02:40] That's why using a framework is so important because it handles a lot of the security for you.
[02:40] wat?
[02:40] what does SQL and abstraction have to do with security?
[02:41] because people fail at abstracting away SQL
[02:41] or they just leave SQL all over the place.
[02:41] odie5533: and that reflects on security how?
[02:41] joepie91: because then their software is insecure.
[02:42] ...
[02:42] apparently you don't agree
[02:42] odie5533: "SQL all over the place" has absolutely 0 to do with security
[02:43] so explain how exactly abstracting away SQL causes security issues
[02:43] concretely
[02:43] no vague statements
[02:43] "SQL all over the place" absolutely has to do with security.
[02:43] concretely
[02:43] no vague statements
[02:43] so explain how exactly abstracting away SQL causes security issues
[02:44] okay. Let's say I'm writing an invoice page for my application and I decide to make the SQL queries for the page.
[02:44] But wait! I've fucked up the SQL queries and now my application is vulnerable.
[02:44] I should have used a library to provide input sanitization and validation instead of creating an SQL injection vulnerability by trying to do it all myself.
[02:46] joepie91: maybe you're really good at rolling your own input validation schemes in PHP. I guess I'm not that good. I've found writing them to be tedious, and have gone over old code where I'd completely failed at it.
[02:46] I'd rewritten the site using CakePHP, and the CakePHP version didn't appear nearly as vulnerable.
[02:47] * joepie91 sighs
[02:47] odie5533
[02:47] this has been a solved problem for the past 2 years
[02:47] if not more
[02:47] it's called "PDO"
[02:47] if you're still "sanitizing input in your database queries" then you're doing it wrong to begin with
[02:47] parameterized queries
[02:48] as I said
[02:48] (read: using mysql_)
[02:48] you just need to not be an idiot
[02:48] I haven't written a single line of PHP in the past 2 years I'm afraid.
[02:48] I thought you meant using mysql_ directly instead of using an abstraction layer, as was the recommended way when I was coding and I assume still is.
[02:48] right, in that case I can tell you that a secure framework is absolutely trivial to implement if you're not behaving like an idiot (and more often than not, arrogance is the issue, not competence)
[02:49] with the current state of PHP
[02:49] ...
[02:49] no
[02:49] it's not
[02:49] mysql_ is officially deprecated
[02:49] and has been discouraged for at least 4 years
[02:49] PDO has been on par speed-wise in the past 2
[02:49] hmm, neat
[02:49] I still hope I never have to write PHP again :)
[02:50] last time I used PHP was 2007-2008
[02:52] I can understand that
[02:52] I'm just pointing out that "it's hard to write a secure framework" really isn't hard
[02:52] er
[02:52] really isn't true *
[02:52] wow, it's getting late
[02:52] my grammar is going derp
[02:52] judging by how many vulnerabilities there are in existence, I'd have to disagree
[02:52] it seems like writing a secure framework is hard.
[02:52] eh
[02:53] that's a very very poor metric
[02:53] it's in fact completely unrelatetd
[02:53] unrelated *
[02:53] writing a secure framework being hard or not has nothing to do with amount of vulnerabilities in the wild
[02:53] there are MANY more factors involved with that
[02:54] Why do you think so many security vulnerabilities end up in frameworks then?
[02:54] odie5533: because, as you can see in for example WHMCS, the developers are too stubborn/arrogant/careless to use PDO, or to read up on the basics of how to secure web applications
[02:55] SQLi's are still the primary attack vector
[02:55] and virtually always it's because a developer used mysql_*
[02:55] I've found some myself. And years later they are still there
[02:55] found in a homemade website for which the devs didn't use a framework
[02:56] again, the problem is not that they didn't use a framework
[02:56] the problem is that they used string concatenation
[02:56] I think you are overestimating how easy it is to create a secure framework
[02:56] you seem very intent on linking vulnerabilities to "not using a pre-made framework", and this is, to put it simply, complete bullshit
[02:56] * joepie91 sighs
[02:56] odie5533
[02:56] perhaps because you find it easy
[02:56] you're speaking to a PHP developer
[02:56] who has written his own framework
[02:57] Yes. You find it easy.
[02:57] and frequently helps others write more secure code
[02:57] Not everyone is you
[02:57] right, seeing as you're not even letting me finish talking
[02:57] I don't think you're actually interested in having a conversation about this
[02:57] just in being right
[02:57] in which case I have more useful things to do
[02:58] I'd just reiterate that although you may find it easy yourself, you are, as you said, helping others create secure applications. Why would they need help if it were so trivial a task? It is not so trivial. You have expertise in the area so it feels trivial to you.
[02:59] * joepie91 facepalms
[02:59] okay
[02:59] let me be a bit more direct
[02:59] odie5533: I KNOW WHAT PEOPLE DO WRONG AND IT'S NOT BECAUSE IT'S HARD, IT'S BECAUSE OF PERSONAL BIAS AND CHARACTER TRAITS
[02:59] is that clear enough?
[03:00] I have experience on this topic
[03:00] you haven't touched PHP for the past 5 years
[03:00] I am clear on your opinion, certainly. But I don't agree with it.
[03:00] I'm not sure why you're not taking seriously what I say
[03:00] odie5533: please go read up on the current state of PHP
[03:00] and try again
[03:00] you have absolutely no idea what you're talking about, at this point
[03:02] I'm surprised you can't see it from another point of view. Even if we factor in personal bias and character traits, it still shows that people are finding it difficult to secure their applications.
[03:13] odie5533: look, it's very simple
[03:13] your claim: writing secure frameworks is hard
[03:13] Who here preordered the PS4?
[03:13] that claim is provably false
[03:13] any discussion around that, fine
[03:13] but that does not take away that the claim is false
[03:14] On that I disagree.
[03:14] relatedly, http://haacked.com/archive/2013/10/21/argue-well-by-losing.aspx
[03:14] odie5533: then provide proof
[03:14] I preordered the Killzone Shadow Fall bundle on Amazon a few months back but only one of my buddies has preordered it. If anyone here has, let me know so we can play on launch day
[03:14] joepie91: look at all the frameworks with security vulnerabilities
[03:14] odie5533: I said proof
[03:14] not correlation
[03:15] joepie91: I find that to be proof.
[03:15] here's the proof that it isn't hard: use PDO, run output through htmlspecialchars unless you want it to be HTML, don't place uploads in a web-accessible directory, add a token to each form
[03:15] you're done
[03:15] google "writing secure PHP applications", first 5 results will likely tell you the above
[03:15] odie5533: it isn't
[03:15] What does add a token to each form mean?
[03:16] a random string that you store server-side as well to verify that the user really did fill in a form, and it's not a fake request
[03:16] match the submitted token against what you have server-side
[03:16] and you're done
[03:16] to make sure they loaded the form.php page?
[03:16] and didn't just do a POST to it?
[03:16] to make sure their request comes from that form, yes
[03:17] ah. That is easily defeated, though it does slow down the bot a bit since it needs two requests now.
[03:18] ... no, it isn't
[03:18] it doesn't protect against what you think it protects against
[03:18] Then what's the purpose?
[03:18] it's a CSRF protection; prevents spoofed forms on other sites and iframe attacks
[03:18] ah
[03:18] http://www.gnucitizen.org/blog/csrf-demystified/
[03:20] It seems like there are a lot of attack vectors that a PHP application developer needs to deal with.
[03:22] One might even suggest that it were difficult, or perhaps hard, to secure your site against all of them.
[03:28] * joepie91 facepalms
[03:28] odie5533: every. single. thing. I mentioned above is trivial to implement
[03:28] and well-documented
[03:28] no, it isn't hard
[03:28] and if at this point you still believe it is, despite not having written PHP for 5 years, then sorry
[03:28] but you're really not interested in learning anything
[03:29] but just interested in being "right" or at least being able to tell me I'm "wrong"
[03:29] in which case, http://haacked.com/archive/2013/10/21/argue-well-by-losing.aspx
[03:29] go read that
[03:30] that gnucitizen article seems more interesting than the hacked.com one
[10:25] hah, what a discussion
[13:59] ersi:) that's one way to phrase it :D
[13:59] Oh god, please tell me it ain't true ;) http://www.leasticoulddo.com/comic/20131025/
[14:04] oh man
[14:04] if fucking only
[17:19] I have found that the more money they throw at a website, the harder it is to use.
[17:21] The reason is that "Web 2.0" websites each have their own undocumented user-interface. The more money spent on coding, the further the page can diverge from user expectations.
[17:33] the more money spent on a site, the harder it is to crawl as well
[17:34] blogspot dynamic views and groups.google.com are impossible without a headless webkit
[17:36] how youtube-dl extracts signatures from Flash objects https://github.com/rg3/youtube-dl/blob/master/youtube_dl/extractor/youtube.py#L623
[19:42] anyone know/have a good gigabit home router which actually can go up to gigabit on WAN via NAT without any issues?
[20:27] deathy: most won't do gig on the WAN side because no one has a WAN connection that fast. You are probably looking at a real Cisco router or similar
[20:28] my ISP starts rolling out 1 Gbps plan from next month
[20:28] where is that ?
[20:28] Maybe someone with Google Fiber? ..but I guess they're using the network box provided
[20:28] the provider would usually give you the router, or it's included in the CPE
[20:30] where is all over Romania. In all 150 Cities/Towns they have their network built out
[20:30] ahh
[20:30] we don't have service like that anywhere in the US without paying thousands a month
[20:30] 1 Gbps download (30-ish Mbps upload) for 18.3 USD/month
[20:30] unless you live in a google fiber area
[20:30] only 30 up ? that kinda sucks
[20:31] guess they have to slow down people running servers somehow
[20:32] are they wiring fiber to every home ?
[20:32] well yeah. But on their nation-wide network it will be 100 Mbps upload
[20:33] :)
[20:33] the things we will never see in the US until we get rid of the RIAA/MPAA
[20:33] fiber+ethernet. I live in a 10-story building, fiber comes into building, 2 equipment boxes and then CAT5 to every apartment
[20:34] nice
[20:34] do you have to pay for install fees ?
[20:36] nope, not now at least. building is wired and I'm their customer since maybe 5-6 years or more. Mostly they just need to change their building switches and maybe some cables
[20:37] very cool
[20:37] a lot of countries are starting plans like that now, just not here, except in very few, specific locations
[20:41] the impact on web hosting companies will be interesting
[20:41] large ones will upgrade to 10G to the server, smaller ones will either have crappy performance to places that have gig fiber to the home, or just go out of business
[20:43] it's slowly starting to spread, hopefully these guys can make a go of it in canada http://www.cbc.ca/news/technology/ultrafast-internet-service-launched-by-vancouver-startup-1.1382430
[20:47] i'm all for anyone who wants to try
[20:48] this ISP of mine just did a big (completely everywhere on their customer network) IPv6 roll-out, everything dual-stack IPv4 and IPv6
[20:48] (that was last year)
[20:48] IPv6 is something I'm scared of a bit
[20:49] still waiting on that too
[20:49] not a lot of support on the other end is the problem
[20:49] is your ISP doing 6to4 NAT ?
[20:50] every connection is dual-stack. you get both IPv6 and IPv4. So I guess that isn't a problem
[20:51] that solves it
[20:52] IPv4 exhaustion is becoming a serious problem
[20:52] hey everyone
[20:52] i'm doing a google grab of i.walmart.com+filetype:pdf
[20:53] it has a 5 second wait on it
[20:56] it has tons of pdfs
[20:56] like guides to video games by walmart
[20:59] Omaha, Nebraska (boring place, no offense to residents of) is getting 1Gb/s through CenturyLink. Not sure if it is 1Gbit down AND up though.
[21:00] likely not up, but still nice to see someone trying
[21:01] I've heard nothing about the google fiber project here in austin
[21:01] they haven't even defined where it will be possible
[21:03] Hopefully Boulder, CO will get gigabit internet when I move up there when I start University of Colorado Boulder next year. But doubtful... Colorado really only has CenturyLink and Comcast and CenturyLink is terrible and Comcast is ridiculous.
[21:03] swebb: You live in Boulder, right? What ISP and speeds do you get?
[21:39] i'm finding $10 rebates on 64mb flash disk
[21:39] by edge digital media
[21:41] Google fibre prohibits servers :P
[21:41] Don't they allow home servers now though?
[21:41] "prohibits"
[21:41] I am weird, I read fine-print.
[21:41] http://arstechnica.com/information-technology/2013/10/google-fiber-now-explicitly-permits-home-servers/ I didn't read this article though
[21:42] every isp has a thing in the fine print about servers, usually they don't really police it unless you come to their attention for some other reason
[21:44] I shopped around for an ISP that allowed servers and sharing the connection.
[21:44] I figure my Bitcoin node may eventually get attention one way or another.
[21:44] for example I ran a personal website off a "no servers" home cable connection for years and never heard a peep
[21:45] depends a lot on the traffic
[22:03] so i'm going after greenamerica.org
[22:06] :)
[22:06] DFJustin: not all ISPs have 'no servers' in the TOS
[22:07] XS4ALL is a good example of an ISP that allows (allowed?) It
[22:07] it *
[22:08] (Dutch ISP)
[22:08] the major north american ones anyway
[22:08] over in socialist paradise it may be different :)
[22:08] >socialist paradise
[22:08] ROFL
[22:08] I really do hope you're joking
[22:08] :|
[22:09] functional healthcare, ISP's without restrictions, what next
[22:09] NL is neither socialist (other than theoretically) nor a paradise
[22:09] just talking from a us politics perspective :P
[22:09] DFJustin: even then
[22:09] then at least take Norway as an example
[22:09] NL basically has a clusterfuck right now - capitalist/liberal approach applied to a traditionally socialist society
[22:09] also joking as well
[22:09] it doesn't go well
[22:11] someone let US republicans in ?
[22:11] a lot of euro countries seem to be electing (comparative) conservatives lately
[22:13] why are they called conservatives while bringing in radical right-wing policies?
[22:13] good question
[22:13] They also somehow have a reputation for balancing the books (which they never do)
[22:14] and reducing the size of government
[22:16] the best we can hope for in the US is the tea part implodes before the next election and returns us to the regular right wing crazy
[22:16] *tea party
[22:16] Third party just needs 34% of the vote ;)
[23:42] archive: Comcast - about 15 Mbit down, 2-3 Mbit up with the entry-level business level config
[23:43] no fibre available?
[23:44] arkhive: ^^
[23:44] i have 30mb down/2mb up for $60/month
[23:46] they offer up to 100 down/5 up for $125/mo
[23:46] but that's about the fastest available in the area
[23:48] balrog: wait you have FIOS that's not fair
[23:48] yeah rockin' 50/25
[23:49] I'm amazed I can get what I can where I live
[23:49] i got cows in my back yard