On Sat, Mar 26, 2011 at 9:36 PM, Joe Shisei Niski <[email protected]> wrote:
> On 03/26/2011 07:39 PM, Keith Lofstrom wrote:
>> PHP, the public
>> bathhouse orgy of programming languages
> that's the funniest (and most apt) description of PHP i've ever seen.
> Thanks for the laugh!
It made me laugh too, but since PHP is mostly written in C... what does that make C? The water of both bathhouses and hospitals?

As far as GD being part of PHP now, if you want to help maintain it, it's certainly possible to send in patches, but I tend towards ImageMagick (and I have/had trunk commit rights to PHP).

WRT "wiki.php.net" being down, as I understand it, it's much more mundane (tech-wise) than it's being played up as. A brute force attack (many months ago) got access to an account on the PHP SVN trunk. That exploited account was never used for more than minor testing in the code, *however*, after the account password was changed, the correlating account uname/pass wasn't changed across *all* PHP properties... which meant that it was later used to pull all wiki uname/pass combinations from the wiki, and gain access to the machine running the wiki. Which means that they're (the accounts) all exploitable via rainbow table attacks, if users used the same uname/pass across accounts.

In short: if somebody got your email password, and you were an admin on *other* boxes, and you used the same password for all of the accounts and services, things could get messy. Fast.

On a related note, I went to Ruby on Ales in Bend last week, where one of the speakers pointed at a total meltdown they were dealing with, for very similar reasons.... they had a failover system for hosted sites, where any VM hosting sites that failed (for whatever reason) failed back to a core, central machine... where Apache ran as root. So, the user web code ran as root. So.... their failover system gave their hosted users root.... on a box which shared root credentials with all of their other boxes.... Yeah. You see where this is headed. A single failed site meant root access to all sites, all machines. After asking about the details on this "one too many times" to a tech (nice guy, BTW, outside of this, best as I can tell) he got in my face. Poor guy.

Looks like a good company, but forcing a password reset on hundreds, or thousands, of users must *really* suck.

-Bop
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
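The message above describes the failure chain in prose: a dump of one property's username/password hashes becomes usable against every other property where the same credentials were reused, and unsalted hashes make that matching (and precomputed-table lookup) trivial. The following is an added example, not code from the PLUG thread or from the PHP project, showing the defender's side of that point: with a fast unsalted hash, two services storing the same password hold identical digests that can be correlated directly, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library) gives every service a different record for the same password. All usernames, passwords and salts are constructed sample data; the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
"""Added example (not from the mailing-list thread): why an unsalted
password-hash dump leaks credentials across services, and how per-user
salting with a slow KDF removes that cross-service link.
All sample accounts, passwords and salts below are constructed."""
import hashlib
import hmac
import os

# Constructed sample: users of two separate properties (e.g. an SCM server
# and a wiki). "alice" reused one password on both; "bob" did not.
SCM_USERS = {"alice": "correct horse", "bob": "battery staple"}
WIKI_USERS = {"alice": "correct horse", "bob": "totally different"}


def unsalted_md5(password: str) -> str:
    """The weak scheme: same password -> same digest on every service, so a
    dump from one property can be matched against another or against a
    precomputed table. Shown only to contrast with the salted record."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated record. A fresh 16-byte random salt per user per
    service means identical passwords never produce identical records.
    Format (assumed for this example): pbkdf2_sha256$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in
    constant time; the candidate password is never stored or logged."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def correlated_accounts(dump_a: dict, dump_b: dict) -> list:
    """Usernames whose stored hash is byte-identical in both dumps. This is
    the cross-property linkage the thread describes; it can only succeed when
    the hashes are unsalted, which is what a defender checks for here."""
    return sorted(u for u, h in dump_a.items() if dump_b.get(u) == h)


def build_dumps(scheme):
    """Apply a hashing scheme to both constructed user tables."""
    return ({u: scheme(p) for u, p in SCM_USERS.items()},
            {u: scheme(p) for u, p in WIKI_USERS.items()})


def compare_schemes() -> dict:
    """Return which accounts are linkable across the two services under each
    scheme: ['alice'] for unsalted MD5, [] for salted PBKDF2."""
    weak_a, weak_b = build_dumps(unsalted_md5)
    strong_a, strong_b = build_dumps(make_record)
    return {
        "unsalted_md5": correlated_accounts(weak_a, weak_b),
        "salted_pbkdf2": correlated_accounts(strong_a, strong_b),
    }


if __name__ == "__main__":
    for scheme, linked in compare_schemes().items():
        print(f"{scheme}: accounts linkable across services = {linked}")
    rec = make_record("correct horse")
    print("verify(correct) =", verify("correct horse", rec))
    print("verify(wrong)   =", verify("wrong password", rec))
```

Salting stops the direct digest comparison and defeats precomputed tables, but it does not protect a user who reuses a password once the plaintext is recovered by guessing, so the slow KDF (and the password reset the thread mentions) remain necessary; the iteration count here is a sample value and should be tuned to the deployment's hardware.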
