Comment: Game or not, web app security is web app security (Score 4, Insightful) 105

by twistah (#32710312) Attached to: Security For Open Source Web Projects?

You got me before my morning (afternoon) coffee so here are some haphazard thoughts:

1) You're writing a PHP/MySQL app. It doesn't matter if it's a game or the next big social networking site. There are holes common to all web apps (check out the OWASP Top 10). There are also holes common in PHP code, such as remote file inclusion. There are things you can do wrong with JavaScript. Learn about them, learn about how to prevent them and write your code accordingly. Security should be part of development, not something you tack on afterward. This means using good coding conventions (i.e. using parameterized queries instead of concatenation, always encoding output, etc.) and ensuring that any design decision you make does not compromise the security of your application. Make sure security is multi-layered as well. For example, even if you think your app is 100% free of SQL injection (wrong assumption!), you still need to make sure you've properly hashed user passwords in the database in case they're exposed. (Side note: please don't use MD5 for this; look into bcrypt, or at least many rounds of SHA-256 or such.)

2) Harden your environment. No amount of hardening will stop all attacks, but it may help mitigate their impact, and if you're lucky, it may thwart some script kiddies or automated scripts. Running PHP? Harden the crap out of your php.ini (magic_quotes_gpc, turn off fopen() for URLs, etc). Think about installing the Suhosin patch. Just don't get complacent; there are ways around all these protections and they are not a substitute for secure code! You may also consider a web-app firewall (WAF), in the vein of mod_security, but don't fully rely on these either. If you're publishing code for others to use, don't ever count on your users to implement these same protections in their environment.

3) Web app scanners can help, especially if you're a novice with security, but once again, they will not catch everything (probably not even a lot of things). There's skipfish, NetSparker and free versions of some of the more commercial scanners.

4) I know your question was whether to publish your code. I say "Yes", but this is a personal opinion -- I just happen to think it will give security dudes more of a chance to audit your code, and attackers will find your vulnerabilities anyway, through poking at your app and fuzzing even if nothing is published.

I hope that helps a little!
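The three coding habits point 1 above recommends (parameterized queries instead of concatenation, encoding output, and hashing passwords with bcrypt), shown side by side in modern PHP. This is an added example, not code from the comment or from the asker's project; it assumes PHP 7.4 or later with PDO and the SQLite driver, and uses an in-memory SQLite database so it runs stand-alone (a MySQL app would change only the DSN). The user names, passwords and attacker string are constructed sample data.

```php
<?php
// Added example, not part of the original comment. Demonstrates parameterized
// queries, output encoding and bcrypt password storage in modern PHP.
// Assumes PDO with the pdo_sqlite driver; swap the DSN for a MySQL app.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Password storage: password_hash() uses bcrypt with a per-user random salt.
// Never store MD5 or a single round of SHA-* of the password.
function registerUser(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
    ]);
}

// Vulnerable lookup: string concatenation lets the input become part of the
// SQL. Kept only to show what the parameterized version prevents.
function findUserConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized login: the value is bound by the driver and is never parsed
// as SQL. The password is checked against the stored bcrypt hash.
function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// Output encoding: anything reflected into HTML goes through htmlspecialchars()
// with ENT_QUOTES so it cannot close a tag or attribute.
function renderGreeting(string $name): string
{
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample data.
registerUser($db, 'alice', 'correct horse battery staple');
registerUser($db, 'bob', 'hunter2');

// Constructed attacker input: closes the quoted string and appends an
// always-true condition, so the concatenated query matches every user.
$injection = "' OR '1'='1";

printf("concatenated query matched %d user(s) for input %s\n",
       count(findUserConcat($db, $injection)), $injection);
printf("parameterized login with the same input: %s\n",
       login($db, $injection, 'anything') ? 'accepted' : 'rejected');
printf("parameterized login with the real password: %s\n",
       login($db, 'alice', 'correct horse battery staple') ? 'accepted' : 'rejected');
echo renderGreeting('<script>alert(1)</script>'), "\n";
```

Run it with `php example.php`. The concatenated query returns both users for the injected string, the prepared statement treats the same string as a literal user name and rejects it, and the greeting comes back with the script tags escaped. The bcrypt cost of 12 is a starting point; raise it as hardware allows, since `password_verify()` reads the cost from the stored hash.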

Transportation

Men Cross 5 Mile Wide Lake In Inflatable Castle

Posted by samzenpus
from the dreams-do-come-true dept.
Jack Watkins, 25, and engineers Chris Hayes, 24, and Dave Sibley, 25, have succeeded in crossing Italy's Lake Garda in a huge, inflated bouncy castle. "Great Britain has such a great tradition as a seafaring nation and we really feel we have played no role at all in adding to this," admitted intrepid waterman Hayes. "That said, it was possibly the most fun we have ever had and we really never believed this most frivolous of dreams would ever be realized."

Comment: To add a little context... (Score 5, Insightful) 121

by twistah (#29845291) Attached to: Judge Rejects Sheriff's Suit Against Craigslist

When you say "local sheriff", it makes it sound like he's the sheriff of some small town. In fact, Tom Dart is the sheriff of Cook County, which contains Chicago and is the second most populous county in the U.S., and his department is the second largest in the U.S.

People claiming Dart is drumming up publicity are pretty much correct. Keep in mind, we're talking Chicago here, so consider the history of the political machine here. Dart also refused to evict renters from houses when their landlords lost the mortgage. In a way, this is an honorable thing to do, but the way it played out, everyone read it as once again more publicity for Dart. The Craigslist case just further proves his motives.

Comment: Why this is a bad idea (Score 1) 193

by twistah (#29572737) Attached to: Banking Via Twitter?

Does anyone else worry about sending sensitive information over a service like Twitter, which has had security issues in the past? And, assuming this works over DMs, what if a user instead accidentally uses a reply or just a straight Twitter post? What sort of information have they just inadvertently exposed?

Comment: Bad name for pen-testing (Score 4, Informative) 205

by twistah (#29225581) Attached to: Hackers (or Pen-Testers) Hit Credit Unions With Malware on CD

Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible). Usually, these things are dropped in a parking lot, and the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.
