It's crazy… I really just don't get this craziness over an insanely priced cell phone. Now keep in mind, I live with my video iPod; it goes everywhere with me, and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can have a single device so that I don't have to carry the iPod and cell phone.
However, the iPhone just isn't it for me. It's cool, and it's heading toward the dream of having a single device, but for $600 and having to switch to a crappy cell phone carrier, NO THANKS. Aside from the price and the cell phone carrier monopoly, I really just can't stand touch pad phone buttons. I need to be able to dial without looking, and can only do that with actual buttons. Touch screens wear out and become a pain when you try to push the button you want. I'm sure you are all experienced in using the touch screens at the market when you pay by debit card, and the hassles when they start wearing out. Do we really want that on our cell phone, where we have a $600 price tag to replace the thing? Not me.
For those trying to follow the latest news of our web app sec community, someone has finally set up a feed planet called Planet Websecurity that I'm really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.
For those not familiar with Planet sites, they are basically feed aggregators: the Planet periodically downloads a list of other RSS feeds and merges their entries, newest first, into a single combined feed. This means you can subscribe to one feed and get all the postings from every feed in the Planet.
Visit Planet Websecurity to see this in action.
After my run-in with vBulletin I began a search for a secure and stable open-source forum solution. My first thought was to find out what was running on sla.kers.org, so I put in a call to rsnake and was told to keep looking because his solution sucked as well and that he was still on the hunt for a replacement. I've been looking at a bunch of the apps out there and so far I haven't been all that impressed with the security design of the forum apps I've looked at.
This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and with web app development in general. To start with, it's a very simple application, which if done right can be done securely. Of course the major challenge is that you're taking user input and displaying it to other users. This immediately means you're most likely storing the data in a database, which means you must secure against SQL injection attacks: user text must never be concatenated into the query string, but passed as a bound parameter of a prepared statement. OK, that's not too hard, so that can be done. Next you need to escape the data on the way out, every time it is rendered into HTML, so that anything a user typed is shown as text rather than interpreted as markup; filtering HTML tags on the way in is a useful extra layer, but output escaping is the control that actually prevents cross-site scripting. The XSS part is a bit harder because there are clever people out there using a ton of different ways to bypass any filtering you do, which is exactly why the escaping at output time has to be unconditional rather than a blacklist. However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.
So whats wrong with this? Feature creep.
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have some custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher (the conversion has to run on already-escaped text, emit only a fixed allowlist of tags, and refuse link targets such as javascript: URLs), but with diligence it's still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then to make matters even worse, new developers join the project and they are not always as aware or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you are trying to replace.
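To make the two points above concrete (parameterized storage against SQL injection, and escape-then-convert BBCode rendering against XSS), here is an added example in Python. It is not code from this blog or from any forum package the post discusses; the `posts` table, the tiny BBCode dialect and the sample post bodies are assumptions constructed for the example, and the deliberately vulnerable `posts_by_author_unsafe` exists only to show the difference.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse

# Assumed schema for the example (not any real forum's): one table of posts.
SCHEMA = "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)"


def open_db():
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def store_post(conn, author, body):
    """Store the post exactly as typed. The '?' placeholders bind the user text as
    data, so quotes or SQL keywords in it can never change the statement."""
    cur = conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()
    return cur.lastrowid


def load_post(conn, post_id):
    return conn.execute("SELECT author, body FROM posts WHERE id = ?", (post_id,)).fetchone()


def posts_by_author_unsafe(conn, author):
    """Vulnerable on purpose: user text is formatted straight into the SQL, so
    an author of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT id FROM posts WHERE author = '%s'" % author
    return [row[0] for row in conn.execute(sql)]


def posts_by_author(conn, author):
    """Hardened form of the same query: the author value is a bound parameter."""
    return [row[0] for row in conn.execute("SELECT id FROM posts WHERE author = ?", (author,))]


# Output side. The body is escaped FIRST, so every <, >, &, " and ' a user typed
# becomes text. Only then is the small BBCode allowlist turned into real tags.
_SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
_SAFE_SCHEMES = {"http", "https"}


def _url_repl(match):
    """Turn [url=...]text[/url] into an anchor only if the target is http(s)."""
    raw = html.unescape(match.group(1)).strip()  # recover the URL the user typed
    text = match.group(2)                         # still escaped; safe as-is
    # Whitespace or control characters inside a URL are a bypass attempt
    # (e.g. "java\tscript:" or a second attribute); render plain text instead.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        return text
    if urlparse(raw).scheme.lower() not in _SAFE_SCHEMES:
        return text  # javascript:, data:, vbscript:, and scheme-less targets all dropped
    # Re-escape for the attribute context: quotes become &quot; and cannot close it.
    return '<a href="%s" rel="nofollow">%s</a>' % (html.escape(raw, quote=True), text)


def render_post(body):
    """Escape everything, then convert the allowlisted BBCode tags to HTML."""
    out = html.escape(body, quote=True)
    for bb, tag in _SIMPLE_TAGS.items():
        pattern = r"\[%s\](.*?)\[/%s\]" % (bb, bb)
        out = re.sub(pattern, r"<%s>\1</%s>" % (tag, tag), out, flags=re.DOTALL | re.IGNORECASE)
    out = re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", _url_repl, out, flags=re.DOTALL | re.IGNORECASE)
    return out


if __name__ == "__main__":
    db = open_db()
    pid = store_post(db, "alice", "[b]hi[/b] <script>alert(1)</script> [url=javascript:alert(2)]click[/url]")
    print(load_post(db, pid))
    print(render_post(load_post(db, pid)[1]))
    print("unsafe:", posts_by_author_unsafe(db, "' OR '1'='1"))
    print("safe:  ", posts_by_author(db, "' OR '1'='1"))
```

Two design choices worth noting: unknown or unbalanced BBCode tags are simply left as literal text, which is harmless because the surrounding characters are already escaped, and link targets without an explicit http or https scheme are rejected rather than guessed at, since a scheme allowlist is far easier to keep correct than a blacklist of dangerous ones.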
Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?
I had been using vBulletin for a little over a year when I started podPress and wanted a place for users to create a community and to provide support. The forums have been very successful and tend to have on the order of 20-30 postings a day, with many more viewers. Now vBulletin is commercial software, so I had to pay $85 to use it, and figured that donations would cover the costs. I had mistakenly thought the way the licensing worked was that after one year I could keep running the forums but could no longer get updates, which seemed fair enough to me.
Well, the license I did buy doesn't allow for that, and I had to find out the hard way. After my license had been expired a couple of months I received an email saying I was in violation, which I ignored on the assumption that it was a mistake or SPAM. I mean, why would software I paid for become invalid to use? It does when you purchase leased software!