I decided to not be all self-deprecating as I usually am with things like this, and admit that I’m really happy and proud to say that I was interviewed by Cal Evans for the Zend Developer Zone.
I guess the first question that comes to my mind is “Why did you build this?”
I built it because there was no good way to audit the security settings in your PHP.INI or your PHP environment. The average PHP user, I feel, is someone who can use an installer to install scripts on their server, get them running and do a little customization or hack up some code, but they are not educated developers. These users have no easy way to check how secure their environment is. So I wrote PHPSecInfo to give these users something easy to run and present the information in a format they are already familiar with.
Also, I uploaded a new build of PHPSecInfo this morning. This version fixes the errant Notices we were getting, makes it easier to extract test data for your own nefarious purposes, and fixes a bug with the curl file protocol test on PHP4. The latter unfortunately just skips the test on PHP4 because I’m not sure how to do the check; suggestions are welcome.
Download: http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
Docs: http://phpsec.org/projects/phpsecinfo/docs/
What’s new:
v0.1.1
- Added PhpSecInfo::getOutput(), PhpSecInfo::loadAndRun() and PhpSecInfo::getResultsAsArray() methods
- Modified PhpSecInfo::runTests() to fix undefined offset notices
- Modified PhpSecInfo_Test::setMessageForResult() to fix undefined offset notices
- Modified PhpSecInfo_Test_Curl_File_Support to skip if PHP version is
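To illustrate the kind of php.ini audit PHPSecInfo performs, here is a small added example written for this post (it is not PHPSecInfo's own test code and does not use its API): it reads a handful of settings with ini_get() and prints a verdict for each, which is roughly what the individual PHPSecInfo tests do before the results are rendered.

```php
<?php
// Added example, not PHPSecInfo code: a minimal php.ini audit in the
// spirit of PHPSecInfo. Each check yields a short verdict string.

function ini_is_on($name) {
    // ini_get() returns "1", "On", "true" etc. for enabled booleans and
    // "" or "0" when disabled, so normalize before comparing.
    $v = strtolower((string) ini_get($name));
    return in_array($v, array('1', 'on', 'true', 'yes'), true);
}

function audit_php_ini() {
    $results = array();

    // allow_url_fopen lets fopen()/include() fetch remote URLs
    $results['allow_url_fopen'] = ini_is_on('allow_url_fopen')
        ? 'WARN: remote files can be opened via fopen()/include()'
        : 'OK';

    // register_globals injects request data into the global scope
    $results['register_globals'] = ini_is_on('register_globals')
        ? 'WARN: request variables become global variables'
        : 'OK';

    // display_errors shows file paths and error details to visitors
    $results['display_errors'] = ini_is_on('display_errors')
        ? 'NOTICE: errors are shown to users; log them instead'
        : 'OK';

    // expose_php advertises the PHP version in the X-Powered-By header
    $results['expose_php'] = ini_is_on('expose_php')
        ? 'NOTICE: PHP version is advertised in HTTP headers'
        : 'OK';

    // open_basedir restricts which paths scripts may read
    $basedir = ini_get('open_basedir');
    $results['open_basedir'] = ($basedir === false || $basedir === '')
        ? 'NOTICE: no open_basedir restriction is set'
        : 'OK';

    return $results;
}

// Print a plain-text report, one setting per line
foreach (audit_php_ini() as $setting => $verdict) {
    printf("%-18s %s\n", $setting, $verdict);
}
```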
So we finally went public with PHPSecInfo as an official project of the PHP Security Consortium.
I just was interviewed by Cal Evans for the Zend Developer Zone, which was pretty cool—it was nice to talk to him again. He said the story should be posted sometime this weekend or Monday.
In my earlier posts on passwords, I noted that I approach on-line password “vaults” with caution. I have no reason to doubt that the many password services, secure email services, and other encrypted network services are legitimate. However, I am unable to adequately verify that such is the case for anything I would truly want to protect. It is also possible that some employee has compromised the software, or a rootkit has been installed, so even if the service was designed to be legitimate, it is nonetheless compromised without the rightful owner’s knowledge.
For a similar reason, I don’t use the same password at multiple sites—I use a different password for each, so if one site is “dishonest” (or compromised) I don’t lose security at all my sites.
For items that I don’t value very much, the convenience of an online vault service might outweigh my paranoia—but that hasn’t happened yet.
Today I ran across this:
MyBlackBook [ver 1.85 live] - Internet’s First Secure & Confidential Online Sex Log!
My first thought is “Wow! What a way to datamine information on potential hot dates!”
That quickly led to the realization that this is an *incredible* tool for collecting blackmail information. Even if the people operating it are legit (and I have no reason to doubt that they are anything but honest), this site will be a prime target for criminals.
It may also be a prime target for lawyers seeking information on personal damages, divorce actions, and more.
My bottom line: don’t store things remotely online, even in “secure” storage, unless you wouldn’t mind that they get published in a blog somewhere—or worse. Of course, storing online locally with poor security is not really that much better…
See this account of how someone modified some roadside signs that were password protected. Oops! Not the way to protect a password. Even the aliens know that.
We’ve made some significant changes to how people can view our Security Seminar Series:
If there is strong interest in providing other video formats, please let us know. We may consider moving to 640x480 resolution for our videos now that iPods support the larger size, but we don’t want to push the file size too high and make for lengthy downloads.
If you have problems or feedback, please let us know in the comments section.