Comment: Re:Even in Chrome it doesn't fucking work (Score 1) 192

by Jesus_666 (#48896227) Attached to: WhatsApp vs. WhatsApp Plus Fight Gets Ugly For Users

What device would you be carrying with which you expect to use a web application over Wi-Fi? Or do "normal" people still carry laptops?

I'd ask "Do 'normal' people still carry tablets?" as the tablet-on-the-go fad seems to have cooled off quite a bit. I see a lot of people with smartphones and a sizable number of people with laptops but pretty much nobody with a tablet. Tablets are commonly found in homes but they definitely don't seem to be popular for mobile computing.

This might be because tablets suck for the two things I commonly see people do with their laptops on the train: Watching movies (big stationary screen, easy to view with more than one person) and working (big screen, physical keyboard and sometimes software that has no smartphone equivalent).

Comment: Re:Choose a CMS you like (Score 2) 302

by Jesus_666 (#48874973) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
If you want to lock down the login the easiest way (besides using a nonstandard admin user with a good password) is to rename wp-login.php and write a little plugin that changes the login URL to point to the new file. There's actually a hook for that. That way all brute force attacks will get 404'd by Apache without the WordPress core getting involved, which saves a ton of resources. In case someone mounts a distributed brute force attack on you this might mean the difference between somewhat elevated traffic and the server going down. (Yes, that happened to us already. Renaming wp-login.php took us from a base load of 6 with spikes of 120(!) to a base load of 1 with spikes of 3. Login limiters and fail2ban weren't nearly as effective against distributed attacks.)

XML-RPC should mainly be disabled because of pingbacks; not too long ago these could be exploited to make your site participate in a DoS attack. XML-RPC itself is not a significant security risk these days. You can go for a more nuanced approach by only disabling the functions used for pingbacks (there's a hook for that too) but if you don't need XML-RPC it might be easier to just rename or delete the entire file.

Trackbacks should be disabled because of trackback spam. Yes, you can install plugins that help you deal with it but - seriously - pretty much no WordPress-as-a-CMS user cares about trackbacks (or pingbacks, for that matter) in the first place. Disabling them means fewer hassles.

Again, these days the biggest security risk is badly-written plugins. We once had an infected WordPress where it turned out that the attacker never compromised any user account. They didn't need to because a plugin allowed them to execute PHP code on the server. They just injected their attack code directly into WordPress and could do whatever they wanted, such as displaying dodgy pharma ads without even touching the database. That's the kind of danger unreviewed plugins pose.

WordPress can be quite capable when managed correctly. Just don't make the mistake of assuming that you can just install a plugin and get new functionality without any risk. Badly-written plugins are common and they can screw you just as much as an insecure admin account can.
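As an added example (not the commenter's code), here is a minimal WordPress plugin doing what the comment above describes: it points the generated login URL at a renamed wp-login.php through the `login_url` filter and strips only the pingback methods from XML-RPC, leaving the rest of the endpoint intact. The new login filename is a placeholder; it assumes you have already renamed the file on disk so that requests for the old name 404 at the web server.

```php
<?php
/**
 * Plugin Name: Renamed Login and Pingback Switch (added example, not from the post)
 *
 * Assumes wp-login.php has already been renamed on disk to the file named below.
 * The filename is a placeholder; choose your own and keep it out of public listings.
 */

defined( 'ABSPATH' ) || exit;

// Placeholder for the new name of wp-login.php (assumption, not a real default).
const RLP_LOGIN_FILE = 'renamed-login-placeholder.php';

// Rewrite the core login-related URLs so wp_login_url() and the admin
// redirects keep working after the rename. These are all core filters.
foreach ( array( 'login_url', 'logout_url', 'lostpassword_url', 'register_url' ) as $hook ) {
	add_filter( $hook, function ( $url ) {
		return str_replace( 'wp-login.php', RLP_LOGIN_FILE, $url );
	} );
}

// Remove only the pingback methods from XML-RPC; everything else stays available.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop advertising the pingback endpoint in the response headers.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// Treat pings (pingbacks and trackbacks) as closed on every post.
add_filter( 'pings_open', '__return_false' );
```

Core builds a few login links with `site_url( 'wp-login.php...' )` directly rather than through `login_url`; if any of those still point at the old name, the same `str_replace` can be applied in the `site_url` filter as well.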

Comment: Re:Choose a CMS you like (Score 3, Insightful) 302

by Jesus_666 (#48873453) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
Not so fast, my friend. While I agree that the WordPress core has come a long way and is reasonably secure once hardened (such as by removing the XML-RPC and trackback files, two of the biggest attack vectors) I decidedly disagree on plugins being even remotely secure.

Some WordPress plugins are well-written and secure. Most WordPress plugins are messy and were written by people who haven't even heard of code injections. If you want your WordPress to be secure, don't use plugins. Ever. At least not without a full code review by someone who knows how to write secure code in PHP.

Seriously. Most WordPress CVEs these days are for plugins and after having seen the code of a few dozen plugins I can see why. Do not trust a WordPress plugin you have not verified yourself.

Comment: Re:Choose a CMS you like (Score 1) 302

by Jesus_666 (#48873425) Attached to: Ask Slashdot: Has the Time Passed For Coding Website from Scratch?
WordPress itself is actually reasonably secure these days provided you rename wp-login.php and delete the files for XML-RPC and trackbacks (comments too if they're not needed). The plugins, however, aren't. Most WordPress plugins are written by people who know a bit of PHP and need an itch scratched, not by people who know what MVC is or how to prevent code injection. The former just makes maintenance a hassle but the latter is what gets your network pwned.

You can use (a hardened) WordPress without much issue except for poor performance when compared to plain websites. If you intend to extend it in any way, however, you really should do a full code review of every plugin you use every time it is installed or updated. That means either your customers get their WordPress without plugins and further support or you rack up the billable hours doing code reviews for them.

The company I work at is actually migrating away from WordPress because our customers demand non-core functionality and keeping the plugins reasonably secure is simply too expensive.

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48870455) Attached to: Time For Microsoft To Open Source Internet Explorer?
The problem is not really the customers themselves but the expected visitors to the site. (And yes, I'm talking about websites. Web apps follow different rules as the customer and the user are the same person.)

Generally, customers expect future visitors to use something similar to what they themselves use. If the customer uses IE8 they will assume that a significant number of visitors will also use IE8. Telling the customer to switch to Firefox is useless as they can't assume that all visitors will now also magically have switched to Firefox. The only argument that does work is if we can show to them that the IE version in question has a negligible market share.

If there was a legitimate new version of IE for old Windowses it might help in driving old versions out of the market, even if it only gets the IE diehards to upgrade. Over here in Germany we already had mainstream media telling people to stop using IE (especially after the DHS and the BSI issued warnings); we might very well see computer mags reporting on an open-sourced IE for those who can't switch. That would further reduce market share and make the day when IE8/9 can be safely ignored come sooner.

(Then all we need to do is get rid of iOS <8 and Android <4.4 and we might even be able to ditch most remaining vendor prefixes.)

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48868085) Attached to: Time For Microsoft To Open Source Internet Explorer?
Nobody cares about IE6. At least nobody who counts. As far as web design is concerned, the current shambling zombies are IE8 and IE9. Those are the ones I see people asking about and those are the ones we could get rid of if we could backport newer Trident versions.

People generally don't use these versions of IE because some internal web app requires them. They use them because they're the most recent versions available for their version of Windows. And they're not going to upgrade Windows because they don't need to; their current setup works for them and there's no business case for upgrading before something breaks.

Comment: Re:Yeeeeeees! (Score 1) 165

by Jesus_666 (#48867231) Attached to: Time For Microsoft To Open Source Internet Explorer?
No, the problem is exactly Microsoft and old versions of Windows. "I need this specific version of Internet Explorer for this custom intranet app" may be of relevance in big corporations but for SMEs the limiting factor is usually their Windows version.

Internet Explorer is tied to Windows. You can't install IE10 on Vista. It's simply not possible. That means that for any SME running Vista IE9 is the latest version of IE. And they expect their shiny new website to be equally shiny in IE9. And no, they aren't going to buy new computers or install a different browser because their web designer told them to. (Plus, they know full well that their new site's visitors might also run IE so "just use a different browser" won't convince them even if they do switch browsers themselves.)

If Windows 8.1 was free and had the same requirements and UI as Windows Vista you could perhaps convince some of these people to upgrade. It isn't, though, and that means that either you cater to their browser choice (which usually means the latest version of IE supported by the oldest version of Windows they run) or they'll take their business elsewhere.

Having an open Trident/Son-of-Trident would at least allow people to backport it. If the mainstream tech media reported on it word might actually reach these businesses and they might consider installing the latest OpenIE. Not all of them but perhaps enough to drive the old-IE user base further down until we can finally declare 8 and 9 irrelevant like 6 and 7 already are. Even Microsoft wants that to happen.

Comment: Re:a better question (Score 3, Interesting) 592

by Jesus_666 (#48844925) Attached to: Why Run Linux On Macs?
The price/performance ratio for Macs has always been highly dependent on what kind of device you're getting. Since the G4 iBook (which is when I started using Macs) their notebooks have been a pretty good value for what they did, especially if you want to run some kind of unixoid without having to fiddle around or compromise on capability. Since the unibody MBP they're pretty damn robust, too.

Their desktops, on the other hand, cater exclusively to a) people who need big workstations and b) people who see a sleek form factor, no fans and fewer cables on the desk as serious value-adds. I fall into neither of these categories, which is why my desktop is built from COTS parts.

Unfortunately even the notebooks are becoming less attractive as Apple is focusing on the "I want my notebook to be as light and thin as possible" demographic at the expense of everyone else. My next notebook will still run OS X because I'm used to it but it won't come from Apple.
