iBlog - Ilia Alshanetsky

It appears that exploitation of the public's paranoia is not unique to us, North Americans, it's something our Trans-Atlantic friends in the UK have adopted as well. According to a recent article I've read on BBC Federation Against Copyright Theft (Fact) in UK is launching a new anti piracy campaign under the slogan that Movie piracy supports terrorists. They claim that illegal movie copies are being distributed by IRA and Afghans Sikhs to sponsor their insurgency activities. They even made a nice poster.

It would appear they hope that capitalizing on the public's somewhat irrational fear of bad man hiding behind every corner they will accomplish what all other methods have failed so far. Good luck to them...

It would seems that some good does afterall come from the rampant paranoia in the United States. The recently created Department of Homeland Security, through it's mouth piece, CERT has recently made a recommendation that people consider alternate browsers to IE. It seems someone in the US government has finaly realized that the whole IE infrastructure is flawed and frequently rushed fixes from Microsoft are nothing more then bandaid solution for a dam that's about to burst (some may argue it has already burst).

This the first time a US government agency went out and publically recommended an alternative to a Microsoft product (to the best of my knowledge), could it be that MS slush funds are not getting to the right hands and perhaps not enough of them?

Ultimately, this is a good thing from just about all respects, first of all it'll hopefully convince people to switch to Mozilla, Opera, etc... which offer greater standards compliance, security and other neat features like tabs and popup blockers. There is also a slim chance that this move will force Microsoft to restart IE development (preferably from scratch) which will not only resolve security issues but also bring up IE's standards compliance up to par. However, given past Microsoft history that seems unlikely, the likely recourse is more band-aid solutions, FUD and silly suggestions such as "don't click hyperlinks". However, that's fine too since that'll lead to further user frustration eventually forcing them to switch to a different browsers. Perhaps once they come with Microsoft's unwillingness to properly address the problem face to face, they'll realize that this is a company with whom they'd rather not deal and that may spill into decisions affecting usage of other MS products.

A few years ago PHP developers decided to address a problem not their's to solve by implementing a configuration directive called safe_mode. To those unfamiliar with this wondrous invention, this setting is primarily intended to provide file access limits to prevent users from accessing files that do no belong to them. This supposedly should make it impossible to access files of other people in a shared server environment, a common operating environment for PHP where PHP runs as an Apache module and as such has read access to all files accessible by the webserver regardless of the owner. When enabled, safe_mode will perform a uid/gid (user id and group id) check on the file/directory to be accessed and compare it to the uid/gid of the script that is trying to access the file. If the two match then the file operation will proceed as normal and in all other cases it will fail. In theory this is a fairly simple hack to a problem that is not otherwise easily addressed without significant performance penalties such as running PHP in CGI mode, whereby the scripts are executed under the user's own user/group id. However, as with virtually all hacks there tend to be unforeseen problems that further prove that temporary solutions only escalate problems. So let's examine the safe_mode problems and hopefuly demonstrate why it should be avoided. Continue reading "PHP's safe_mode or how not to implement security"