Hello Mike,
I think you have your real question here:
Having been recently hacked and several of my webmaster email account
names being hijacked by spammers, I am looking for viable solutions to
safeguard my websites and the membership of these sites.
How about fixing the problem, instead of adding new security measures?
Please define "hacked"?
Did they guess the passwords to these accounts - Enforce
non-standard/dictionary passwords, implement password expiration policies.
Did they brute force an account - lock the account after N failed
attempts in Y minutes (example: 15 failed logins in 1 minute).
Did they sniff traffic - Require all credentials (and maybe everything)
be sent over SSL.
Did they sql inject - Bind your params & validate all user input.
Don't let someone send out >N emails in Y minutes (example: 50 emails in
1 minute) - If you control the front end to the mail, you could add some
last line of defense checks into that.
- Ben
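The two "no more than N in Y minutes" checks above (account lockout after failed logins, a cap on outbound mail) can share one sliding-window counter. This is an added example written for this thread, not code from the list or from any forum or CMS package; it targets PHP 8, and the key names 'webmaster' and 'forum-notifier' and the in-memory storage are assumptions.

```php
<?php
// Sliding-window limiter for the "no more than N events in Y minutes" checks
// above: lock an account after N failed logins, cap outbound mail per sender.
// Timestamps live in a PHP array for illustration only; a real site would keep
// them in the database, APCu or memcached so every PHP worker shares one count.
final class WindowLimiter
{
    /** @var array<string, int[]> Unix timestamps of recent events, per key. */
    private array $events = [];
    public function __construct(
        private int $limit,       // N: events allowed inside one window
        private int $windowSecs   // Y: window length in seconds
    ) {}
    /** Record one event (a failed login, one mail sent) for $key at $now. */
    public function record(string $key, int $now): void
    {
        $this->events[$key][] = $now;
        $this->prune($key, $now);
    }
    /** True while $key has used up its allowance inside the current window. */
    public function isBlocked(string $key, int $now): bool
    {
        $this->prune($key, $now);
        return count($this->events[$key] ?? []) >= $this->limit;
    }
    /** Drop timestamps older than the window so stale events stop counting. */
    private function prune(string $key, int $now): void
    {
        $cutoff = $now - $this->windowSecs;
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            fn(int $t): bool => $t > $cutoff
        ));
    }
}

// Login lockout: 15 failed logins within 1 minute locks the account. Check
// before verifying the password, so a locked account rejects even the right one.
$logins = new WindowLimiter(15, 60);
if ($logins->isBlocked('webmaster', time())) {
    http_response_code(429);
    exit('Account temporarily locked.');
}
$logins->record('webmaster', time());   // called when the password check fails
// Outbound mail: refuse the 51st mail from one sender inside 1 minute.
$mail = new WindowLimiter(50, 60);
if (!$mail->isBlocked('forum-notifier', time())) {
    $mail->record('forum-notifier', time());   // then hand the message to mail()
}
```

Keying the login counter on the account name (rather than only the client IP) is what makes the lockout hold against a distributed guessing run; keying the mail counter on the authenticated sender is what stops one hijacked account from emptying the queue.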
[EMAIL PROTECTED] wrote:
Hello NYPHP,
Having been recently hacked and several of my webmaster email account
names being hijacked by spammers, I am looking for viable solutions to
safeguard my websites and the membership of these sites.
I just ran across some discussion about openID (yes, I have been in a
cave now for some time, lol) and am skeptical that the primary motivation
is altruistic. Like when g$$gle first came on the scene, it too "looked like"
a good thing for the planet but evolved into the world's biggest $$$ machine
that is likely, if not already, to make micro$ look like chump change.
I sense rather that OpenID is yet another marketing ploy to rake in
huge piles of cash rather than provide warmth and security that it
touts in its hype. Already, I see lots of RED FLAGS about being highly
susceptible to phishing, like what isn't these days.
All of my websites run php forum and CMS software of varying flavors
so I am not convinced that OpenID is a viable solution to secure them
against the kinds of attacks I have seen recently and wonder about the
integrity of a system that claims (from phpMyID):
* The whole point of OpenID is to allow you to manage your own identity,
and phpMyID lets you do that without giving control to a third party.
* It's easy to install and easy to configure. Edit just a few lines in your
config file, and you're off and running!
* Allows "Smart Mode OpenID" (more secure) transactions, even if you don't have a
"big math" library available. Seriously, phpMyID comes with a pure-PHP math library which
can be used if you want to demand that extra level of security.
* Ensures secure password transmission even if you don't have SSL! By using
HTTP Digest authentication, phpMyID ensures your password is never sent or
stored anywhere in clear or decipherable text.
I would really appreciate an eye opener on this one. It looks like
more flim flam to me.
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk