
Comment: 3rd party code is nice and all, until... (Score 1) 590

by J-F Mammet (#33491574) Attached to: Programming Things I Wish I Knew Earlier

Like everyone else I went ahead and used third party code and libraries to accelerate the development of my various sites. Everything went as well as possible I guess, until one of my sites was defaced one day. Not because of my code (though by no means I'm pretending my code is perfect, far from it), but because one of these libraries had a security vulnerability and they didn't even have a security mailing list. That vulnerability was big enough that it would show in about every single site that would use this particular library, and was of course exploited very quickly by all the script kiddies in the world (I still see it being scanned automatically from time to time, years later).
Lesson learned, I don't ever use any 3rd party code unless there is an announcement security mailing list anywhere on their site, and even then I'd rather do the code myself if possible. Not because it will be perfect, but because at least my site won't be vulnerable to an automated attack targeting a 3rd party thing I put in there and totally forgot about.

And of course, don't get me started on phpBB and stuff like that, using such apps a few years ago was either having open doors for hackers, or a nightmare of patching.

Comment: Re:Sometimes (Score 1) 64

by J-F Mammet (#31888172) Attached to: Become an SSLAdmin In a Few Easy Steps

Yeah I know, that's why I don't work with them unless absolutely required to do so, like some of our partners do. They are much more expensive and much more annoying to work with than Godaddy for example. Not that I like Godaddy, who at least should have chosen a name that makes them look like a serious business, but at least their pricing is fair.

Comment: Re:Sometimes (Score 4, Informative) 64

by J-F Mammet (#31886846) Attached to: Become an SSLAdmin In a Few Easy Steps

It depends on who will issue the certificate. Serious companies like Network Solutions, Thawte or even Godaddy will send a validation email to the owner of the domain (if it's listed in the whois data) or require you to create a new file on the web site or a DNS CNAME to prove that you have admin rights on the domain. It's a bit of a pain in the ass when you are registering SSL certs for a third party partner, but it's rather safe.
Some SSL companies though will simply ask you to provide an email for that domain and send a validation link to that email. So you could create ssladmin@hotmail.com and they would happily create you a perfectly valid SSL certificate for hotmail.com you could use for man-in-the-middle attacks.

Comment: Re:Basic Requirement (Score 1) 134

by J-F Mammet (#30610962) Attached to: Motorola's Rumored Android Phone Focuses on Screen Size

There is actually an effort to port Android 2.01 to the Touch Pro 2 (and most other Windows Mobile 6.X devices from HTC). Right now it boots and the OS works, the touch screen works, so does the keyboard. Radio works so you can call people, but audio doesn't work completely so you can't talk just yet. 3G works on the Android 1.6 port, but not yet on 2.01. Wifi, GPS and other niceties like this are lower priority, but since they already work on other HTC phones it's only a matter of days or at worst weeks.
It's really exciting to see this maturing, even though the latest homebrew roms running Winmobile 6.5.3 and the latest HTC Sense interface are surprisingly fast, stable and usable.
