PHP Not So Safe

• By Doug Barney
• 08/05/2008

So the next time your Web weenie kids you about patching Windows, ask what he's done to secure PHP lately.

Apple Gets DNS Security Religion
In the last week or so, Microsoft released a patch to fix a DNS vulnerability in its software. Shortly thereafter, an AT&T DNS server was compromised -- reportedly the first DNS attack ever.

Apple is feeling the heat, as well, and this week released a patch designed to cure its DNS security ills. This is all well and good, except some experts claim the fix is incomplete and doesn't fully protect clients.

IT Gone Bad
This is admittedly an old story, but it still serves as a warning for those in IT to not trust others in IT, and for IT not to abuse its access to corporate and personal information. According to a survey by Cyber-Ark, a third of IT pros spy on company employees.

I've met with hundreds of security companies and I'd always ask the same question: What are you doing to prevent internal security breaches? They'd all wax on about how their software keeps employees from getting at private information. Then I'd say, "But what about IT itself? What do you do to keep IT insiders from breaching?"

In pretty much every case, the vendor would be dumbfounded. It never occurred to them that IT would do such a thing.

I decided to find out how big a problem this was and used my usual approach: Ask you, the Redmond Report reader. I got horror stories of IT snooping into executive e-mail and using machines to commit fraud, stalk old girlfriends and commit blackmail. If you want a real eye-opener, check out my story "IT Gone Bad" here.

Confess your sins by writing to me at [email protected]. When we run letters, we don't publish last names, so you can admit your wrong-doing with no consequences (except maybe easing of your guilty conscience).

Mailbag: An OS From Scratch?
After word leaked that Midori would be Microsoft's next, all-new OS, Doug asked readers whether Microsoft building an OS from scratch is a good idea. Most of you said yes:

Absolutely! When you're a leader, isn't it better to aggressively compete against yourself as opposed to aggressively competing with others? Besides, it sounds like Midori already has a starting code base, or at least architectural models from the Singularity project.
-Jim

Absolutely! How refreshing.
-Dallas

Absolutely! I am a former Microsoft software engineer; I worked as a developer on Microsoft Works and Office. We've learned a great deal about what works well in an operating system and what doesn't. Hindsight is 20/20, and taking a look back from where we are today, it's easy to see that there are things that we would have done differently before if we knew then what we know now.

Given this perspective, I would say that Microsoft engineers can build a new operating system that is significantly better than our evolutionary operating system of today when the engineers are free from the historical baggage that's pent-up in Vista. I think that there is a great potential for immense improvement and I'm very excited about Microsoft's new OS project!
-Chad

Yes. A new alternate OS with NO backward portability. Get rid of the junk, all of the emulation and legacy compatibility layers. Just make it work exceedingly well on modern hardware, perhaps 64-bit only. Create a subset of tools in one or more of the popular programming languages for it and call it done. That would be simplicity at its best.
-John

Although starting from scratch to build a new OS can be extremely time-consuming and complex, who else but Microsoft could pull it off in a short timeframe? And I think it is an excellent idea, considering that is basically where Windows NT came into the picture. Now, when we look back at Win9x, it looks ancient and very inferior. Now the NT codebase is reaching its limits and is getting way too bloated. I'd be very interested in seeing where this goes and how it turns out in the end.
-Dustin

IMHO, a less complex OS which stresses reliability (which includes security of data) is what MS desparately needs. Vista's market problems are largely the fault of the success of XP -- Vista is prettier and has cool features like the sidebar, but I haven't seen a truly useful application that requires Vista, and I have struggled with device drivers and program compatibility both at work and at home. Even this far into Vista's life cycle, that's still a problem. Vista recovers from crashes more gracefully than any previous MS operating system, but they seem to happen a LOT. If a "killer app" that requires Vista turns up, then maybe the picture will change, but I'm not holding my breath.
-Peter

In this respect, Microsoft's success is its own millstone. Having to maintain compatibility with prior versions (i.e., Windows 95, 98, ME, NT, 2000 etc.) makes any improvements extraordinarily clumsy. If indeed Microsoft intends to offer a from-scratch version, I imagine their priority needs to be on speed, stability and security. I imagine as well that all the Microsoft apps must be rewritten or adjusted to work cleanly with the new OS.

If this were a possibility and we could gain a serious improvement in these three aspects (to me, this is the order of priority, as well) then supporting prior versions could be a purely secondary issue. Anyway, though I am only one of millions, a ground-up approach would be worth investing in from my point of view.
-Lindsay

Why not? Didn't they do this with Windows 95, ME to Windows 2000? What happened to DOS? Using Modori as a foundation, couldn't they then rebuild Windows around it, redesigning around it? Keeping backward compatibitliy using virtual technologies transparently. I can keep backward compatiblity using a VM now, except I need go thorugh a few more hoops than others may be willing to do.
-Stanley

If they're not going to let us continue to buy XP, most definitely! Vista has been such an administrative nightmare. It's really unacceptable. It's insane that we're forced to use sub-par technology simply because MS says so. While UAC is good in concept, I shouldn't have to buy a CAD capable system in order for a secretary to write Word documents.

As for your statement that "Singularity is designed to be simple and safe. For instance, components are isolated from one another, and code is automatically inspected before running to make sure it works with the OS. And all the components are tested to make sure they interoperate." Let's ask the real question: Will Microsoft create a new OS from scratch or will there be a new Linux distro? That quote sounds like Linux to me. MSX, Microsix or Winix, perhaps? I'm not very creative with names. It would be funny to hear what other people come up with.
-Cory

A couple of you expressed some doubts, however:

Start from scratch? Absolutely not! All-new code sounds good, but I hope they will have an eye toward the "look and feel" of what everyone is used to. One of the most objectionable parts of Vista and Office 2007 is that they are different in their user interface. If Microsoft wants a hit, they better keep their eye on what is really important, and to be user-friendly means that features are in familiar places. The first time I used Vista, I had to be shown how to shut down the computer. Does MS think I want to leave the power on all the time?
-John

The debate can rage on both sides, but a new OS will mean starting over -- bugs, SPs, security fixes, upgrades, new releases, new "end-of service" considerations, backward/cross-compatibility concerns, everything. General uncertainty is not a pretty picture for someone in Microsoft's position or for its customers. It basically negates all the work that's been done in these areas to shore up the old Iron Maiden that is Win32.

If you think a "fresh start" is all positive, wait a minute. MS has spent a lot of time, capital, lawyer fees and blood getting Windows to the point where it's respected -- even in the eyes of haters. If they think that dumping the name/concept will untangle and extract certain negative connotations/experiences, it might be a rude awakening and undo all this perception repair-work. For this to be effective, it should've been done years ago when the OS' rep was worse. Sometimes, the better hallmark of your dedication to a cause is not by abandoning it for another more palatable one (in name or action), but to press on with what you have; this tends to be better at stifling the "I told you so"s from the spectators, while letting you say your own "I told you so"s in vindication.
-Victor

What do you think? Leave a comment below or send an e-mail to [email protected].