Open Source Solutions for Small Business Problems
Hi! You've found a page that was previously published on OpenSourceSmall.biz, a web site associated with the book John wrote called Open Source Solutions for Small Business Problems. This book is available for purchase at Amazon (affiliate link), but we've rolled all the web site content into John's business site.
Don't hesitate to drop us a line if you need anything!
16. Security
Secure code: Understanding PHP vulnerabilities
Submitted by John Locke on Sat, 01/12/2008 - 04:53
There are many articles that cover PHP vulnerabilities, but I've run across a lot of programmers and code that seem oblivious to them. When interviewing programmers, I look for an understanding of these types of vulnerabilities, and of how to prevent their programs from being vulnerable to them.
Aside from register globals issues, most of these attacks are not specific to PHP.
Register Globals issues
From early on, the developers of PHP had this great idea: accept any parameters passed from the browser, and automatically turn them into variables available in the code.
Tricks that could be used to steal your data
Submitted by John Locke on Fri, 06/09/2006 - 08:33
Not to make you paranoid or anything, but here's a fascinating story of a new social engineering tactic: a new way somebody might trick you into giving away your passwords and any other sensitive stuff on your computer.
Dark Reading - Host security - Social Engineering, the USB Way - Security
Remote File Integrity Checking
Submitted by John Locke on Mon, 01/30/2006 - 02:04
A highly technical article that's a great how-to for setting up remote verification of file integrity from a central trusted server. Sys Admin > v15, i02: File Integrity Assessment via SSH
Why Linux is more secure
Submitted by John Locke on Fri, 01/13/2006 - 04:23
Windows flaws keep causing trouble for most Internet users. Earlier this week I was at a meeting of a group of tech professionals in the Seattle area, all of whom work with small businesses. The interesting thing was, most of the Windows people spoke about the latest anti-spyware programs or the merits or problems of specific anti-virus software. Meanwhile, the Mac person and I were talking about ways our systems could actually help a business.
A couple months ago, I had a dialog with another computer consultant, debating the security of Linux versus Windows.
"Anti-piracy" techniques install spyware on your computer
Submitted by John Locke on Tue, 11/01/2005 - 00:02
Fascinating read here, about how a copy-protected music CD from Sony installed a surreptitious program on a computer, hid itself completely from view, and made itself nearly impossible to remove without crippling the user's computer. These are the techniques of people trying to hijack your computer, the worst techniques of crackers, spyware, and viruses. What's different in this case is that it's a big, well-known company doing it.
Kerberos, LDAP, and Single Sign-on
Submitted by John Locke on Mon, 10/31/2005 - 02:44
Another very technical article. This one describes how to set up an infrastructure for securely providing single sign-on to multiple systems in a LAN. Paranoid Penguin - Single Sign-on and the Corporate Directory, Part I | Linux Journal
VoIP Security
Submitted by John Locke on Tue, 10/25/2005 - 02:01
Voice Over IP (VoIP) is becoming a main part of the small business infrastructure. As phone networks converge with data networks, security becomes more of a concern. This group is assembling a taxonomy of security issues associated with VoIP: VOIPSA : Activities : Working Groups : Threat Taxonomy.
Data Theft: How to Fix the Mess
Submitted by John Locke on Sun, 07/10/2005 - 04:19
The New York Times has an interesting editorial running today by Joseph Nocera, about solving the identity theft problem. Nocera proposes making the banking industry completely responsible for identity fraud, the same way Senator William Proxmire held them accountable for credit card fraud in the early 1970s.
A secure email archive
Submitted by John Locke on Tue, 07/05/2005 - 00:03
For those who need to keep an archive of every email sent or received in an organization, here's a brief story about how to create one securely and automatically.
Windows v Linux security: the real facts
Submitted by John Locke on Fri, 10/22/2004 - 04:41
Finally, in the spirit of all the fact checking going on these days, here's a report comparing the relative security of Linux vs. Windows, based on an analysis of the claims and the data that supports them. Excellent read. Windows v Linux security: the real facts | The Register