Recently, a severe SQL Injection vulnerability was found in Drupal 7. It was fixed immediately (and correctly), but there was a problem. Attackers made automated scripts to attack unpatched sites. Within hours of the release of the vulnerability fix, sites were being compromised. And when I say compromised, I'm talking remote code execution, backdoors, the lot. Why? Like any attack, it's a chain of issues, that independently aren't as bad, but add up to bad news. Let's talk about them: What went wrong? What went right? And what could have happened better? There's a lesson that every developer needs to learn in here.
Friday, October 31, 2014
Wednesday, October 29, 2014
It's quite easy to mix up terminology and talk about making "easy" systems and "simple" ones. But in reality, they are completely different measures, and how we design and architect systems will depend strongly on our goals. By differentiating Simple from Easy, Complex from Hard, we can start to talk about the tradeoffs that designs can give us. And we can then start making better designs.
Monday, October 27, 2014
To some of you, this may not be new. But to many of the people preaching "Agile Software Development", Agile is not what you think it is. Let me say that again, because it's important: You're Doing Agile Wrong.
Friday, October 24, 2014
There has been a lot of talk about typing in PHP lately. There are a couple of popular proposals for how to clean up PHP's APIs to be simpler. Most of them involve changing PHP's type system at a very fundamental level. So I thought it would be a good idea to talk about that. What goes into a type?
Wednesday, October 22, 2014
I've never been a rock. I'm about as passionate as someone can be when I choose to do something. Unfortunately that means I tend to throw myself (my raw unadulterated self) at my interests. It's just who I am and who I've always been. This has positives and negatives associated with it (especially from a personal perspective).
Throwing yourself at a passion has enormous benefits. You get a lot done, you can truly touch people's lives. You can really change the world. But you also take on a lot of risk. Putting yourself out there is the easiest way to get burned. When you're passionate, it's hard to not take things emotionally. It's hard to not care. After all, caring is where you draw your power from.
I have always been held up by those that I knew were rocks. I always leaned on people who I know weren't just abiding a flight-of-fancy, but who could wear the tide. But what happens when you start to see those who you thought were rocks, falter...?
Monday, October 20, 2014
Recently, there has been a spout of attention about how to deal with eval(base64_decode("blah")); style attacks. A number of posts about "The Dreaded eval(base64_decode()) - And how to protect your site and visitors" have appeared lately. They have been suggesting how to mitigate the attacks. This is downright bad.
Friday, October 17, 2014
A few days ago, I wrote An Open Letter to PHP-FIG. Largely the feedback on it was positive, but not all. So I feel like I do have a few more things to say.
What follows is a collection of followups to specific points of contention raised about my post. I'm going to ignore the politics and any non-technical discussion here.
Wednesday, October 15, 2014
Please stop trying to solve generic problems. Solve the 50% problem, not the 99% problem.
Monday, October 13, 2014
Last weekend I gave the opening keynote at PHPNW14. The talk was recorded, and no, the video isn't online yet. The basis of the talk was centered around community and how we can come together (and how we are drifting apart). But there was one point that I mentioned that I think requires further thought and discussion. And that point is that there is far less trolling going on than it may seem at first glance.