[nycphp-talk] September Talk

Peter Sawczynec ps at pswebcode.com
Tue Aug 16 18:14:31 EDT 2005


I follow your thread entirely and empathize marginally with the
observations. 

Further, though, I'll note that we all understand that we must pass a
written test and road test to get a license to drive and almost the entire
emphasis is on safety in this driving learning curve. We don't let newbie
drivers just careen about unsafely at first just to get them on the road and
adapted to driving. We don't let new electricians wire away till they get it
right.

I believe that the de facto standard for out of the box product and
programming will become more like "locked down, instant secure setup", "data
encrypted", "all SSL" and "no anonymous access".

We will all be reading on newbie forums questions like: "How do I let my
users access their admin site without a strong password or Smart card." And
the answers will be: "Typically impossible. Why would you do that anyway,
newbie?" 

I can only hope. Because I really want to use and trust the internet for
banking, personal storage, controlling my home and appliances, and using a
"safe" ATM without concern that my PIN is being scarfed by the staff behind
the counter.

Doesn't it bother you that emails and web sites have become digital
ambushes? That dealing with your own bank has become caveat emptor?

This is our personal privacy at stake and the forward reputation of our
entire industry is in the cusp. 

I think we will need to look towards some self regulation or at least a
common set of minimum standards for large-scale opensource projects. Maybe
even have code get an association's security endorsement similar to
Underwriters Laboratories, say.

I'd certainly like to hear from more programmers who believe that insecure
programming methods can still be endorsed in any way.

We need a security spearhead, one programmer, one product at a time, if that
is what it takes.

Peter


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of inforequest
Sent: Tuesday, August 16, 2005 5:20 PM
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] September Talk


Peter Sawczynec ps-at-pswebcode.com |nyphp dev/internal group use| wrote:

>E.g.: kudos to MySQL for their most recent installer that clearly 
>enjoins a password on root before deployment.
>
>Why are installs by default too insecure and users have to stumble onto 
>the secure methods after the fact. Why not install locked down and let 
>users stumble onto the loosening methods after the fact.
>
>Peter
>  
>
Because it is desired to have new users functional and appreciative of 
the system immediately, so they can see the good, and what 
differentiates the product from other options which are likely already 
professionally installed and configured on site.

I suspect the looseness of default security is proportional to the rate 
of adoption by new technology users. Loose defaults = more initial 
adoption, strict defaults = more dropped users. I also suspect MySQL's 
imposing a default root pw has more to do with their lessened need to 
accommodate new users now that they are "established", than the call for 
increased default security. As many can attest, a strong root pw on a 
fresh install of MySQL does not a secure environment make.

-=john andrews
www.seo-fun.com





_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org