OSCON 2008 — Day 2
Day 2 started out a little late. I woke up last night with a short story falling out of my head, so I immediately grabbed my notebook and wrote it down. It needs some editing, but the premise and ideas are down on paper. When my alarm went off, I studiously ignored it until the last minute. I managed to get to my first tutorial on time, but without coffee or breakfast. During the break, I did get some caffeine and banana bread.
PHP: Architecture, Scalability, and Security
Presenter: Rasmus Lerdorf
This was an extension of a session from last year. The first few minutes were the history of PHP, and then Rasmus dove into how to profile an application, how to show a tree of require/include statements, and how to optimize their usage. He also showed how to use APC to speed up the delivery of pages from the back-end. Once this was done, the time for serious (but warranted) scare tactics started when it came to security on the web. Something that was not new to me, but seemed to be to a few people in the room is this fact: the World Wide Web is insecure. It’s not slightly dangerous, or hazardous, or even a little mean. Browsing the web is like playing in traffic while on fire, and trying to see how many cars you can leap in front of on purpose. However, Rasmus did show us how to do our part to lock down our sites using PHP. Some solutions are easy, and some are not, but it’s good to know what is an option. The security portion of the PHP talk was not new to me, but it was a good refresher course.
Links from this presentation:
- Architecture, Scalability, and Security
- YSlow for Firebug
- Siege
- APC’s PECL Page
- PHP Filters
- Rasmus’ XSS Test Site
- XDebug Docs
- Slackers: one of many places to track what web site attackers are doing to break into sites.
Lunch was nice and quick, and I spent the time talking with three other guys about various file systems, and ogling the features of ZFS.
Hack This App! PHP Security Workshop
Presenter: Damien Seguy
This was a live hack session against a web site and database that were filled with security holes. Damien told us to try to destroy everything we could since he could refresh the site and database in a matter of seconds… which he had to do many times during the half-day tutorial. This was an incredibly fun and useful practice, in which we all learned from each other and from Damien about things to look for, vulnerability patterns, things to try, things to look for to tell us what not to try, and all that good stuff. We even learned a really fun PHP code injection vulnerability using an uploaded image (such as a profile photo or avatar), but it only works if the server is misconfigured. I doubted that it would be a commonly used exploit, but Damien assured us that quite a few places were configured to allow this to happen. I was quite proud of myself as I found the most hacks, and the first hack. My first hack actually deleted every user from the database. Muhahahahaa! About 20 seconds after my hack finished running (it only took seconds), Damien tried to log in using his admin account, and it failed. He asked if someone had removed the account, and I raised my hand. He said that it was ok, that he had a backup admin account. I told him that it was gone as well. He asked me if there were any users left in the database, and I told him none at all. It was a good time, and I’ve learned quite a bit from him.
Links from this presentation: None
Dinner and the rest of the night was a blast! I ended up hanging out with Debrah, Josh, and Mako from the FSF along with quite a few other FSF members and interested people. We had some pretty good pizza (even though it was 100% vegetarian) and great beer! Once the FSF event ended, the four of us, along with two other guys, went out to a video game arcade which also had a bar. One of the two was Rob Smith, a MythTV developer, who convinced me that I should build my own box… it wasn’t too hard on his part to convince me to do it, but I just need to find the time to put it all together. (Hey! No more laughing!) I’ve discovered that Rock Band is the new karaoke of the United States. I had a great time running around and playing Dig Dug, Galaga, Joust, and other ancient games like that. They are still as fun today as they were back then. Near the end of the night, I was a little tired, but too sober to leave. Debrah and I sat at the bar and finished off a couple more drinks while talking to each other about random stuff. She has some great stories from her days as a “chauffeur”, a convenience store clerk, and a few other jobs. I thought I had good stories to tell until I heard some of hers!
Schwag Count (Not much, but that’s normal for a Tuesday.):
- 1 more O’Reilly pen for someone at the office.
- 13 more small sheets of Ubuntu stickers to pass around to folks.
Schwag of the Day: The stickers are the schwag of the day because I can just see Evil Shinto running around putting Ubuntu stickers all over the Windows computers in the office. Of course, Good Shinto would work later than normal and sneak into all of the offices with Windows computers and install Ubuntu on them.
Most Interesting/Unusual Person: Debrah. Her stories were just way too great to not put her on the top of the list for the day.
Best Quote of the Day: Rasmus Lerdorf, while talking about poor coding practices, said, “There are lots of passive idiots in the world. It takes someone special to be an active idiot.”