WordPress Full Path Disclosure issue.

Please note: this finally appears to have been fixed, but it is unclear which version resolved the issue.

I am quite interested in security, so I recently installed BackTrack on one of my spare PCs so that I could have a proper play about. One of the tools I have played with is WPScan, a tool for scanning WordPress blogs to try to find security holes.


My First Foray Into Conferences

For some time I have been considering going to a PHP conference. The plan was to travel to the US, maybe to PHPTek. The biggest thing that stopped me was the potential cost: as I live in the UK the flight bill would be extortionate, not to mention the hotel bill.

While perusing the internet last December I came across the PHP UK Conference, which is organised by the PHP London user group. Seeing this, I realised I was going through the unusual stage of having some spare cash, so I decided to take the plunge and buy tickets for the two-day conference.

The conference has now been running successfully for eight years and was this year held at The Brewery in the heart of London. From what I understand this is the first time the conference has been held at this venue.

The Venue

The venue was The Brewery, which ceased to be a working brewery in the 1970s and has more recently become a conference centre. The centre itself is fairly sprawling, with conference rooms spanning three floors (well, three that I am aware of). It was very inviting and fairly easy to navigate once you got to grips with where the rooms were all situated.

The Talks

The talks were wide-ranging in subject matter, from the talks you would expect, such as scaling PHP and the new features coming in PHP, through to using products such as Vagrant. The speakers varied wildly in ability. Some appeared to have no fear at all and did not get fazed (Beth Tucker Long, how you coped with the schedule changes at such short notice astounds me), while others appeared unprepared, although I suspect this was more nerves getting the better of them at times. For some this was their first jump into giving talks (to be fair I cannot really criticise: I got so damn nervous asking a question in Beth's talk that I have no idea what I would have been like standing up there for 45 minutes).

One speaker even managed to find a link between toilets and design. Aral Balkan is an amazing speaker and was an ideal choice for the keynote. I really feel for those who had a talk directly after, as Aral was a hard man to follow. He may not have a huge knowledge of PHP, but his talks are very thought-provoking and inspiring.

One thing that annoyed me was that some speakers were rushed off the stage because their talk overran. I understand that there are schedules, and that allowing one talk to go over can throw everything out, but some form of allowance should have been made (maybe something to look at for future conferences).

The People

London isn't exactly known for its friendly atmosphere and people, as anyone who has travelled by tube or walked around Piccadilly Circus will know and appreciate; the people at the conference, however, were very friendly. I did not socialise a lot (I know I missed out on some networking there), but I did find myself talking to some very interesting people.

The range of people at the conference was quite amazing, from those who are very active in the core development of PHP through to project managers (some new to PHP) and general programmers. As is often the way, you can learn just as much, if not more, from other people's experiences and opinions, and you gain a lot by talking these through.

The App

Prior to attending the conference I created a simple iPhone app and submitted it to the App Store. I am not going to go into detail here on my first experience of releasing an app, but what I will say is that although it was fairly easy to submit, the time taken to be accepted was quite annoying (especially as on one occasion, on submitting an update, the SQL file did not get compiled into the package for some reason, so the app did not work properly even though it did in the simulator). The app managed to get around 30 downloads prior to the conference. This is not a huge number, but not bad considering it was uploaded a week before the conference.

I had planned on releasing more updates and features prior to the conference, but time constraints did not permit it. I am now planning to recreate the app in more of a kit form so that it can be tailored for other conferences. One of the problems I found with this release was that schedule changes required me to update the list of talks, which is hard-coded into a SQLite database bundled with the app. For the next release such data will be retrievable as JSON/XML, allowing users to update it that way instead of waiting for an App Store update (note to self: contact the PHP London guys and ask if they are interested in an official app).

Conclusion

If there is one suggestion I can make, it is that it could be worth having variable-length talks. Some talks really could have done with being longer, although I can see this being very difficult to organise.

The work that must go into organising such an event must be immense; PHP London did a very admirable job and should be immensely proud of their efforts. I have never been to such a conference before, but going by my experience this weekend I am sure it will be the first of many. I thoroughly enjoyed it.

Oh, and I am really looking forward to seeing the recordings of the talks that I could not make due to clashes. Keep an eye on YouTube; PHP London advise these should be posted at some point in March.

Free IPv6 Magazine 27th July 2012 ONLY

I am always a fan of freebies, and of course I am always eager to learn new things, so I was pleased to see a post by Admin Magazine on Facebook advising that, to celebrate Sysadmin Day 2012, they have partnered with Splunk to offer a free IPv6 download special.

The special covers numerous subjects, from what IPv6 is and how it works through to how to program using IPv6. Be aware, however, that the download is only available today.

You can download the special here.

On a related note, those interested in the free download may also be interested in a guide that Burst.net have provided regarding IPv6, which you can download from here.

You never know, one day the world might be ready for IPv6 and we will need to know this stuff.

Logical Operators in PHP

Just a very quick post. Most of us use the operators && (AND) and || (OR), but one that I always forget is XOR. I have knocked up a quick image showing the results of the logical operators in PHP.

[Image: "Operators", a table of the results of the PHP logical operators AND, OR and XOR for each combination of A and B]

As you can see, XOR returns true if exactly one of A or B is true, and false when both are true or both are false. It is not as commonly used as && or ||, but it is still useful.
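The table above, reproduced in code, together with the precedence trap that catches most people who do reach for `xor`. This is an added example and not code from the original post; it assumes PHP 7.4 or later, and the `exactlyOneSupplied` function and its credential names are made up for illustration.

```php
<?php
// Added example (not from the original post). Builds the AND/OR/XOR table for
// every combination of A and B, then shows the precedence trap that bites
// when `xor` is used inside an assignment.

function truthTable(): array
{
    $rows = [];
    foreach ([true, false] as $a) {
        foreach ([true, false] as $b) {
            $rows[] = [
                'A'   => $a,
                'B'   => $b,
                'AND' => $a && $b,
                'OR'  => $a || $b,
                'XOR' => $a xor $b,   // true only when A and B differ
            ];
        }
    }
    return $rows;
}

echo "A      B      AND    OR     XOR\n";
foreach (truthTable() as $r) {
    echo implode('  ', array_map(
        fn (bool $v) => str_pad($v ? 'true' : 'false', 5),
        array_values($r)
    )), "\n";
}

// Precedence trap: the word operators `and`, `or` and `xor` bind more
// loosely than `=`, so this line is parsed as ($x = true) xor true and
// $x is assigned true, not the XOR of the two operands.
$x = true xor true;

// Parenthesise the expression to get the XOR result into the variable.
$y = (true xor true);

// `^` is the bitwise operator: on booleans it yields int 0 or 1 rather
// than a bool, so it is not a drop-in replacement under strict comparison.
var_dump($x, $y, true ^ true);

// Typical real use (hypothetical function): exactly one of two mutually
// exclusive credentials must be supplied, never both and never neither.
function exactlyOneSupplied(?string $apiKey, ?string $password): bool
{
    return ($apiKey !== null) xor ($password !== null);
}

var_dump(exactlyOneSupplied('k', null), exactlyOneSupplied('k', 'p'));
```

The precedence point is the one worth remembering: `$ok = $a xor $b;` silently stores `$a` in `$ok`, so always parenthesise a `xor` expression (or a `and`/`or` one) when assigning its result.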

PacktLib Hit or Miss

**PLEASE NOTE**

Since writing this review the service has changed dramatically. I currently have no experience of the current service as I cancelled some time ago. I was faced with a situation where my debit card would be blocked as soon as payment for the service was taken. I alerted Packtpub however received little support.

———————————————-

Anyone who is familiar with programming books has probably come across Packt Publishing, even if they have not bought any of their books.

As well as allowing people to buy books and e-books from their website, they also provide another intriguing service called PacktLib. PacktLib enables you to purchase a monthly subscription to their complete library.

The subscription (currently £15 a month) allows you to read any book Packt have ever published, new or old. This month I decided to take the plunge and buy a subscription to see what the service is like.

Calculating How Much Tax Was Added When Only Knowing The Percentage.

Recently I started work on an iPhone app and came across a small problem. As part of the application I needed to know how much tax had been added to a value when I only knew the tax percentage and the total after tax. If the tax rate were fixed, a formula would have been easy to write (for example, UK VAT is 20%, so to find the tax paid you simply divide the total by 12 and multiply by 2, i.e. take one sixth of the total). The problem was that the tax rate was unknown, as it was to be a user input.

I asked a few people and found that nobody I spoke to really knew a way to find this out. Most suggested just working out the percentage of the total amount; however, that of course will not work, because the percentage was applied to the pre-tax amount, not to the total.

Here is how I eventually worked this out.
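The post's own working is not reproduced on this page. As an added derivation (mine, not the author's), write $G$ for the total after tax, $N$ for the pre-tax amount and $r$ for the rate entered by the user as a percentage:

$$G = N\left(1 + \frac{r}{100}\right) \quad\Rightarrow\quad N = \frac{100\,G}{100 + r}$$

$$T = G - N = G - \frac{100\,G}{100 + r} = \frac{r\,G}{100 + r}$$

Check against the fixed-rate case above: for $r = 20$, $T = \frac{20\,G}{120} = \frac{G}{6}$, which is exactly "divide by 12 and multiply by 2". The wrong answer people suggested, $\frac{r\,G}{100}$, overstates the tax by a factor of $\frac{100 + r}{100}$.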

Secrets and Lies: Digital Security in a Networked World (Bruce Schneier)

While doing my usual browsing of Amazon I came across Secrets and Lies by Bruce Schneier. I of course added it to my wish list and decided I would take another look at a later date. Some time later I decided to do a cull of my wish list. Unlike most people, though, when I do a cull I tend to buy the item to remove it from my wish list.

When I bought the book I thought it was a bit of a gamble, but it looked OK, so worth the risk. How wrong I was: this was certainly not a gamble at all.

Bruce starts the book by asking that you read it more than once so that the information sinks in and so that material later in the book can be better understood.

The main bulk of the book explains many security concerns and why the traditional way of thinking about security is incorrect (for example, a 256-bit encryption key provides little security if it was derived from a weak secret such as the word "password", because an attacker only has to guess the password, not search the key space). Many aspects of security are covered, ranging from network security to operating system security. At this point the book appears very negative and seems to suggest that there is little you can do to actually stop the impending security breaches.

Luckily, as the book goes on the mood changes slightly and it prepares you with methods to help combat the security implications that any system will have. These range from creating attack trees, which let you decide how viable any attack vector is, to how to start bringing things into your favour instead of the intruder's.
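A small attack-tree evaluator of the kind the book describes, as an added example that is not from the book or the post; the tree, the node names and the costs are constructed for illustration and the code assumes PHP 7.4 or later. The point it makes is the one from the 256-bit key remark above: the cheapest path into the records is guessing the weak passphrase, not breaking the cipher.

```php
<?php
// Added example, not from the book or the post: a tiny attack-tree evaluator.
// An OR node is achieved by any one child, so its cost is the cheapest child's;
// an AND node needs every child, so its cost is the sum. The cheapest
// root-to-leaf path is the attack vector most worth defending against first.

const AND_NODE = 'AND';
const OR_NODE  = 'OR';

function leaf(string $name, float $cost): array
{
    return ['name' => $name, 'cost' => $cost];
}

function node(string $name, string $type, array $children): array
{
    return ['name' => $name, 'type' => $type, 'children' => $children];
}

/** Returns [total cost, list of leaf names on the cheapest path]. */
function cheapest(array $n): array
{
    if (!isset($n['children'])) {
        return [$n['cost'], [$n['name']]];
    }
    $results = array_map('cheapest', $n['children']);
    if ($n['type'] === AND_NODE) {
        // Every child is required: add the costs, concatenate the paths.
        return [
            array_sum(array_column($results, 0)),
            array_merge(...array_column($results, 1)),
        ];
    }
    // OR node: take the single cheapest child.
    usort($results, fn (array $a, array $b) => $a[0] <=> $b[0]);
    return $results[0];
}

// Constructed illustration; costs are made-up effort units, not real data.
$tree = node('Read encrypted customer records', OR_NODE, [
    node('Break the crypto', AND_NODE, [
        leaf('Obtain ciphertext', 2),
        leaf('Brute-force the 256-bit key', 1e9),
    ]),
    node('Obtain the key', OR_NODE, [
        leaf('Guess the weak passphrase the key was derived from', 3),
        node('Compromise admin workstation', AND_NODE, [
            leaf('Phish admin', 4),
            leaf('Escalate to key store', 5),
        ]),
    ]),
    leaf('Bribe an insider', 20),
]);

[$cost, $path] = cheapest($tree);
printf("Cheapest attack: %s (cost %.0f)\n", implode(' -> ', $path), $cost);
```

Swapping cost for probability of success, or for "requires special equipment: yes/no", works the same way: OR takes the best child, AND combines all of them, and the resulting root value tells you which branch to spend your defensive budget on.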

Since this book was written there have been many security breaches that have cost the companies involved large amounts of money, both in lost revenue and in the cost of picking up the pieces. For example, this year (2011) Sony suffered a succession of attacks and the cost of the clean-up was estimated at around $140,000,000; this estimate could quite easily increase substantially, as Sony's insurer is also seeking ways to remove its own liability over the issue, meaning that any lawsuits will come out of Sony's pocket instead of the insurer's.

A short while after this Lockheed Martin were found to have been compromised. On investigation it became clear that RSA had been compromised earlier, allowing the attackers to obtain information on the SecurID system that aided in the Lockheed Martin compromise. As a result RSA were essentially forced to replace around 40,000,000 SecurID tokens.

It is not only the financial cost that these companies have suffered; there is also the untold damage to their reputation, the cost of which can never really be calculated.

Now you may be wondering what my point is. The point is that if only the security teams of these companies had read this book they might have been better prepared. The frightening thing, however, is that too many companies treat security as an afterthought: if the price is too high they disregard the advice or do not bother.

Conclusion

Although this is a 10-year-old book it is certainly worth a read. You can learn so much from it and it will completely change your perception of security. Highly recommended.

Title: Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier
Publisher: John Wiley & Sons
ISBN 10: 0471453803
ISBN 13: 978-0471453802
Official Site – Buy On Amazon