Programming Languages


EricP
10-22-2002, 11:24 AM
What do you build Web Applications with?

EricP
10-30-2002, 11:07 AM
I wonder what the 'Other' was?



Last edited by EricP at Oct 30 2002, 04:26 PM

sextoyking
11-01-2002, 09:24 AM
Hi,

for most of our online stores I prefer php/mysql for the software.

Real stable and fast. Of course good old perl/cgi works great too:)

EricP
11-01-2002, 11:22 AM
PHP and MySQL are solid...but ASP.NET using VisualBasic.NET with a backend SQL Server is my preferred choice.

Not only can you now program with full object orientation using VB.NET, but you can also program using other OO languages that all interact with the CLR (Common Language Runtime Environment)

What's neat about it is the .NET Framework is open for any programming language and more and more vendors are porting their language to interact with the CLR.

With .NET you can build ASP.NET pages with:

C++
C#
COBOL
EIFFEL
Jscript
Perl
Python
VisualBasic.NET

...And Many More.


By accessing the CLR, one language can basically do everything the others can...so it's just a matter of preference.

Web Services are a whole other ball game too....but I will spare you on my rambling.

The power once only seen in Desktop Applications is now right in an ASP.NET web page.

Some very powerful things are in the works :) Just wait and see :)

EricP
11-01-2002, 07:38 PM
There are some things I do in PHP only because not everyone has a Windows Server.


PHP is a good scripting language....but the way of the future is truly .NET.


I hear people are working right now on getting a port of ASP.NET to run on Nix servers.

JerryW
11-03-2002, 06:30 PM
I'll still take PHP/mysql over ASP. It's free, it's fast, it runs on almost every system, it's easy to make secure and I don't have to worry about Microsoft's track record of security. It :rokk: Not to mention Microsoft usually takes a couple of generations to get a technology right.

EricP
11-03-2002, 07:50 PM
Originally posted by JerryW@Nov 3 2002, 06:38 PM
I'll still take PHP/mysql over ASP. It's free, it's fast, it runs on almost every system, it's easy to make secure and I don't have to worry about Microsoft's track record of security. It :rokk: Not to mention Microsoft usually takes a couple of generations to get a technology right.
Hi JerryW,

While I do agree PHP is a good scripting language, it does not compare to the power of using a full blown OO language like C#, C++, or VB.NET right in a web page.

As far as the security issues are concerned, a large majority of current security cases are caused by inexperienced admins who do not follow MS Security Recommendations properly, thus the reason Microsoft put out such FREE software as:

The "v4 Windows Update" (http://v4.windowsupdate.microsoft.com/en/default.asp), their latest version that updates your system or network automatically.

The "Baseline Security Analyzer" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp) that will probe your entire system (or Network) and tell you how to fix security vulnerabilities.

The "IIS Lockdown Tool" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp) that locks down IIS from well known mis-configurations that could allow a breach in security.


Now, if very well paid Sys.Admin were as smart as their 4 year computer degree says they are, they would be using the tools above to help secure a W2K Server.

I stay on top of updates, I know how to configure a Tight W2K Server, and I have never had any problems with Security.

I do agree PHP/MySQL are tight, and would probably be using them now If I never saw the power of .NET.



Last edited by EricP at Nov 3 2002, 07:59 PM

JerryW
11-03-2002, 08:48 PM
Eric,

I'm a long time C++ programmer (since '87, C since '77 :wnw: ), so I know the power of a full OO language. If I was doing a major web project, on the scale of cnn.com or yahoo.com, with a team of developers, such tools would be useful.

But for the projects I work on, the power would be overkill. Things like the stores at photogregg.com and contentbroadband.com and most projects I've seen on the adult web, the power is overkill and PHP/Mysql works very well. The only thing missing from Mysql that I would want is transactions and the latest version has that. Or I could switch to Postgresql for them.

The OO features of PHP are quite adequate for smaller projects and I very rarely miss things like templates and such.

With Security as you say the admin can keep a system secure. But it's the undiscovered holes I worry about.

EricP
11-03-2002, 09:04 PM
Hi Jerry,

Wow, I envy your experience as a long time programmer. I can't wait until I can say that one day! :wnw:

The only thing I really have to say to your response is:

The internet is changing. Machines are more powerful, connections are faster. The future of the internet is going to be a whole different ball game from where I am sitting :)

Why not stay one step ahead of the rest? After all, it can only get better :)

Snowone
11-06-2002, 03:06 AM
You want me to trust a Micro$oft development environment when they can't even release a mail client, web browser, or web server that is mildly secure?

Last head to head comparison I saw showed php to be at least 125% to 200% faster than Java, ASP, .Net or ColdFusion.

PHP and MySQL are the way to go. Just do the proper bounds checking.

EricP
11-06-2002, 10:39 AM
Originally posted by Snowone@Nov 6 2002, 03:14 AM
You want me to trust a Micro$oft development environment when they can't even release a mail client, web browser, or web server that is mildly secure?

Last head to head comparison I saw showed php to be at least 125% to 200% faster than Java, ASP, .Net or ColdFusion.

PHP and MySQL are the way to go. Just do the proper bounds checking.
Back to the Security thing eh? Man, that argument is really getting old.

I have used all versions of Windows since 95 all the way up to Windows .NET Server 2003 Beta.
I have used all versions of Microsoft Office since 97 to 2002.
I have used IE since 4.0 to 6.01.

If you don't know how to use Windows Update, a Firewall, or Virus Protection, you should not be on the Internet. If you don't secure your system properly, you will have problems. Tell me, what type of Security problems have you had?

As far as the Benchmarks are concerned, read my previous posts carefully.
Just because a PHP script can load in 000002.54 seconds and an ASP.NET script loads in 000002.76 seconds....do you really think that matters much to a surfer? Comparing PHP to a full blown OO language is like comparing an 88 Dodge Aries to a new Hummer :)

Anyway, I have already agreed that PHP is tight, and I use it on a Regular basis, but it is not in the same league as .NET, or Java for that matter.





Last edited by EricP at Nov 6 2002, 11:13 AM

GreyLurk
11-06-2002, 01:47 PM
The fact that you need $100's of third party software to make windows secure doesn't really make it a better choice in my mind.

FreeBSD|LINUX|OpenBSD && PHP are cheaper, faster, and run on cheaper hardware, plus they're easier to administer than windows.

For most web projects, you don't need a full-blown Object Oriented interface, and even if you do want one, Perl and PHP both have fair to moderate object orientation (Ok, so no data hiding, but they do inheritance and modularization.)

Plus, PHP since 4.2 even comes with a nice big Object Library (PEAR) that does XML-RPC, and all of the neat stuff that .NET is supposed to address.



Last edited by GreyLurk at Nov 6 2002, 11:05 AM

EricP
11-06-2002, 02:27 PM
Originally posted by GreyLurk@Nov 6 2002, 01:55 PM
.... that does XML-RPC, and all of the neat stuff that .NET is supposed to address.
Do some research and then come back and say that please :)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/cpref_start.asp

The .NET Framework has over 3400 Classes.

:rokk:

Opti
11-07-2002, 03:11 AM
Originally posted by EricP@Nov 7 2002, 01:47 AM
Just because a PHP script can load in 000002.54 seconds and an ASP.NET script loads in 000002.76 seconds
I feel the need for speed... LAMP 4 me... and Fuck Microsoft.. .net is a TLD not their property imho

.22 seconds adds up and = less sales

EricP
11-07-2002, 09:47 AM
Originally posted by Opti@Nov 7 2002, 03:19 AM
Originally posted by EricP@Nov 7 2002, 01:47 AM
Just because a PHP script can load in 000002.54 seconds and an ASP.NET script loads in 000002.76 seconds
I feel the need for speed... LAMP 4 me... and Fuck Microsoft.. .net is a TLD not their property imho

.22 seconds adds up and = less sales
Okay Opti.

:wnw:

GreyLurk
11-07-2002, 01:59 PM
Originally posted by EricP@Nov 6 2002, 11:35 AM

The .NET Framework has over 3400 Classes.
:zoinks: Overkill much?

3400 Classes = a really steep learning curve, or else people end up re-writing a lot of the functionality that's already in a class somewhere, resulting in a lot of spaghetti code.

Anyways, looking at that list, I can't help but wonder just how much of that I'm actually going to use while web-programming... "System.Drawing.Printing.Margins?"

GreyLurk
11-07-2002, 02:03 PM
You still haven't addressed the fact that *NIX + PHP is easier to configure and runs faster on cheaper hardware...

Or that the development tools for Microsoft tools ( VS.NET, .net Server, etc...) are several thousand dollars each, putting them outside the range of most small businesses.

EricP
11-07-2002, 02:39 PM
Originally posted by GreyLurk@Nov 7 2002, 02:11 PM
You still haven't addressed the fact that *NIX + PHP is easier to configure and runs faster on cheaper hardware...

Or that the development tools for Microsoft tools ( VS.NET, .net Server, etc...) are several thousand dollars each, putting them outside the range of most small businesses.
Actually, I'm not going to :)

I could spend all day long trying to explain the benefits of .NET....

BUT....I have a project to complete.

You can do your own research if you like; http://www.microsoft.com/net

Like I said, PHP/MySQL are tight, but not in the same league as .NET.

It's a shame that some people take this so much to heart :blink:




Last edited by EricP at Nov 9 2002, 07:31 PM

Opti
11-09-2002, 11:49 AM
Originally posted by EricP@Nov 8 2002, 07:47 AM
It's a shame that some people take this so much to heart

Sorry.
If it helps at all you made me stop and think EricP B)

EricP
11-09-2002, 03:18 PM
Originally posted by Opti@Nov 9 2002, 11:57 AM
Originally posted by EricP@Nov 8 2002, 07:47 AM
It's a shame that some people take this so much to heart

Sorry.
If it helps at all you made me stop and think EricP B)
Okay Opti.

B)

gonzo
06-04-2008, 01:38 PM
Twitter uses Ruby on Rails.

deviant
06-04-2008, 05:41 PM
I love .net for building webapps, but I don't think that it is practical for most sites that only need smaller amounts of scripting. For that, PHP is king. I've used Ruby and Python for other tasks (security tools, bots, etc), but I would never use either for websites.

I'm not a professional web developer though, more like a hobbyist so I make no claims to absolute wisdom, I just have my preferences I guess.

moetheman
06-06-2008, 12:19 AM
The Windows security problems stem from the fact that its codebase dates back to the days before the web became prevalent, therefore, you are looking at an architecture that was not designed with security in mind. Attempting to secure a Windows system is similar to trying to bail out a boat with a sieve. For proof of that, Google is Your Friend.

moetheman
06-06-2008, 12:31 AM
By accessing the CLR, one language can basically do everything the others can...so it's just a matter of preference.


That's not accurate, while it can be said that all Turing Complete languages are equivalent, they are most definitely not so, as some languages do not support certain programming paradigms properly (OOP is neither the only nor the best, by far) and expressiveness and succinctness are not equal across all languages.

The CLR RESTRICTS what you can do more than it empowers you. That's from experience.

Try Lisp/Haskell/Erlang without an IDE, on a Unix/Linux/*BSD machine, and you will see what I am talking about.

As far as Web Applications, try Python + Django/TurboGears. Those, in the right hands, are unbeatable by anything M$FT has done, does, or will ever do.

deviant
06-06-2008, 04:54 AM
Attempting to secure a Windows system is similar to trying to bail out a boat with a sieve. For proof of that, Google is Your Friend.

This isn't entirely true. I work in security and a majority of web based vulnerabilities over the last couple of years have been found in linux based systems and not windows. There have been numerous vulnerabilities found in PHP itself over the last couple of years that lead to all kinds of privilege escalation issues (and some famous incidents). Microsoft has done a much better job with locking down its more recent product lines (2003 on). It is also a lot easier to overlook input sanitisation in PHP applications, which leads to SQL Injection, Remote File Includes, Null byte attacks, and cross site scripting. Here's a list of vulnerabilities found in PHP ITSELF during May of this year alone.

PHP 5 'php_sprintf_appendstring()' Remote Integer Overflow Vulnerability
2008-05-28
http://www.securityfocus.com/bid/28392

PHP Multiple Input Validation Vulnerabilities
2008-05-28
http://www.securityfocus.com/bid/19582

PHP 5.2.5 and Prior Versions Multiple Vulnerabilities
2008-05-28
http://www.securityfocus.com/bid/29009

PHP cURL 'safe mode' Security Bypass Vulnerability
2008-05-28
http://www.securityfocus.com/bid/27413

PCRE Character Class Buffer Overflow Vulnerability
2008-05-23
http://www.securityfocus.com/bid/27786

PHP 5.2.4 and Prior Versions Multiple Vulnerabilities
2008-05-20
http://www.securityfocus.com/bid/26403

PHP .Htaccess Safe_Mode and Open_Basedir Restriction-Bypass Vulnerability
2008-05-20
http://www.securityfocus.com/bid/24661

PHP 5.2.3 and Prior Versions Multiple Vulnerabilities
2008-05-20
http://www.securityfocus.com/bid/25498

PHP Chunk_Split() Function Integer Overflow Vulnerability
2008-05-20
http://www.securityfocus.com/bid/24261

PHP Glob() Function Arbitrary Code Execution Vulnerability
2008-05-20
http://www.securityfocus.com/bid/24922

PHP EXT/Session HTTP Response Header Injection Vulnerability
2008-05-20
http://www.securityfocus.com/bid/24268

T1lib intT1_Env_GetCompletePath Buffer Overflow Vulnerability
2008-05-13
http://www.securityfocus.com/bid/25079

GD Graphics Library PNG File Processing Denial of Service Vulnerability
2008-05-13
http://www.securityfocus.com/bid/24089

PCRE Regular Expression Heap Overflow Vulnerability
2008-05-05
http://www.securityfocus.com/bid/14620

There hasn't been a vulnerability found in ASP.NET since 2007 and even then there were only two found that year both relatively minor issues.

Let me be clear, I'm actually a linux guy and I hate using windows as an operating system outside of certain tasks. Internet Explorer and other items not included, Windows servers have actually become a very easy platform to secure especially in relation to the IIS/.Net webapp world in comparison to the alternatives.

I could also go into linux kernel vulns vs windows OS vulns but which is much the same story.

I still use linux and PHP for webapps, but I have to stay on top of it like a hawk.

gonzo
06-06-2008, 08:26 AM
Note this thread was the first ever posted on Oprano when it was changed over from the flat board. Good to see it has legs 6 years later.

moetheman
06-06-2008, 02:59 PM
This isn't entirely true. I work in security and a majority of web based vulnerabilities over the last couple of years have been found in linux based systems and not windows.

There hasn't been a vulnerability found in ASP.NET since 2007 and even then there were only two found that year both relatively minor issues.

I could also go into linux kernel vulns vs windows OS vulns but which is much the same story.

I still use linux and PHP for webapps, but I have to stay on top of it like a hawk.

Well, how many vulnerabilities do you think would be found in Windows if everyone had access to the source code? Seriously. The very permissions model windows uses is flawed.

From the user's point of view, the inability to see the source code is a security flaw in and of itself.

Now, about programming languages being insecure, I find that it is the programmer's skill that determines whether software is secure, not the language itself, if it were totally a language issue, then Ada would be the only safe language to write applications in, period.

It really is funny that you claim M$FT products are more secure than open source - when was the last time the world witnessed one of the many security disasters we have all seen (do I really need to list them?) in the M$FT camp in relation to FOSS? Seriously man, please enlighten me, because I seriously can't remember the occasion.

If you truly have to constantly watch something like a hawk, you are doing something wrong friend. Software security is not something which you implement by watching over something at all times.

Funny, this is the only board I have ever seen on the web where M$FT products are safe (and powerful) and MAC addresses do not exist, or behave according to the whim of whatever jackass is posting.

Laughable.

gonzo
06-06-2008, 03:03 PM
Oh hell it's about to be on now.

:1partytim

moetheman
06-06-2008, 03:19 PM
Oh hell it's about to be on now.

:1partytim

lol

Actually, I will clarify, I don't find the board laughable, I find some people's ignorance to be laughable.

I mean, seriously, some things are simply too obvious.

Remember how I offered those characters some software that would, if they chose to use it in that manner, allow them to engage in their board shenanigans anonymously and they did not even reply? So much for all that dough they claim to make, I offered them a deal.

Toby
06-06-2008, 03:21 PM
:1partytim

Where's the bar maid, I want to run a tab. :waving:

DannyCox
06-06-2008, 04:09 PM
I'm telling you all...BASIC is the future! :okthumb:

10 INPUT "What is your Oprano username: ", U$
20 PRINT "Hello "; U$
30 INPUT "How much Oprano board abuse would you like: ", N
40 S$ = ""
50 FOR I = 1 TO N
60 S$ = S$ + "FUCK YOU"
70 NEXT I
80 PRINT S$
90 INPUT "Would you want more abuse? ", A$
100 IF LEN(A$) = 0 THEN 90
110 A$ = LEFT$(A$, 1)
120 IF A$ = "Y" OR A$ = "y" THEN 30
130 PRINT "Now Piss Off ";U$
140 END

gonzo
06-06-2008, 04:11 PM
I'm telling you all...BASIC is the future! :okthumb:

10 INPUT "What is your Oprano username: ", U$
20 PRINT "Hello "; U$
30 INPUT "How much Oprano board abuse would you like: ", N
40 S$ = ""
50 FOR I = 1 TO N
60 S$ = S$ + "FUCK YOU"
70 NEXT I
80 PRINT S$
90 INPUT "Would you want more abuse? ", A$
100 IF LEN(A$) = 0 THEN 90
110 A$ = LEFT$(A$, 1)
120 IF A$ = "Y" OR A$ = "y" THEN 30
130 PRINT "Now Piss Off ";U$
140 END

hahahahah
C:>basica

deviant
06-07-2008, 07:30 PM
Well, how many vulnerabilities do you think would be found in Windows if everyone had access to the source code? Seriously. The very permissions model windows uses is flawed.

From the user's point of view, the inability to see the source code is a security flaw in and of itself.

Now, about programming languages being insecure, I find that it is the programmer's skill that determines whether software is secure, not the language itself, if it were totally a language issue, then Ada would be the only safe language to write applications in, period.

It really is funny that you claim M$FT products are more secure than open source - when was the last time the world witnessed one of the many security disasters we have all seen (do I really need to list them?) in the M$FT camp in relation to FOSS? Seriously man, please enlighten me, because I seriously can't remember the occasion.

If you truly have to constantly watch something like a hawk, you are doing something wrong friend. Software security is not something which you implement by watching over something at all times.

Funny, this is the only board I have ever seen on the web where M$FT products are safe (and powerful) and MAC addresses do not exist, or behave according to the whim of whatever jackass is posting.

Laughable.

Your post makes it obvious that what you understand in relation to security and what you think you understand are two different things.

I'm not holding security class today.

If you admin all your boxes and haven't been applying a shitload of updates over the last year to your linux boxes (in reference to watching things like a hawk.) then LOL @ you. I hope you're not storing any credit card data. If you're in a shared hosting environment, you better hope that the hosting provider is doing more than just updating cpanel.

I'm not new to the internet, I know what kind of situation this is. It's kind of like a political debate where one side digs in to argue their point without really understanding the issue. It doesn't matter what you tell that person, they're still going to try and argue their side. Participating in those kinds of arguments is a big waste of time.

Based on your post it is obvious that you have a very very rudimentary understanding of security and what leads to vulnerabilities. When I made the post above, I was simply stating facts (which you're obviously not interested in, or unable to understand), not trying to get into an "z0mg which OS is bettar!?!?!" flame war.


Now, about programming languages being insecure, I find that it is the programmer's skill that determines whether software is secure

So, the long and short of it is. I'm not here to teach security class and there are some huge gaps in your understanding that would take a lot more time than I'm willing to give in order to fill them in.

moetheman
06-08-2008, 06:23 AM
Your post makes it obvious that what you understand in relation to security and what you think you understand are two different things.

Interesting that you would say that, I stated the obvious - not an opinion or interpretation.


I'm not holding security class today.


Good. I certainly don't need one from you.


If you admin all your boxes and haven't been applying a shitload of updates over the last year to your linux boxes


Right, because we ALL know that security is simply all about applying patches, therefore, a large number of patches implies the absence of security (when it is actually the opposite!!!!!!!! this means that vulnerabilities are BEING FOUND AND ADDRESSED) and - as you implied in your earlier post - if vulnerabilities aren't found by an EXTREMELY LOW number of people (the group that the source code is available to) THAT MEANS THOSE SIMPLY DON'T EXIST. Right. Nevermind, the history of the code base in question . . . nevermind the track record involved, with scriptkiddy teenagers wreaking havoc on a global scale . . . once again, I invite you to please cite an analogous example on another OS.


(in reference to watching things like a hawk.)


Oh, ok, that must mean that buffer overflows in the code - for example - are fixed by applying patches . . . no need to get it right in the first place, right man, right. As I said, it is like trying to bail out a boat with a sieve.


then LOL @ you. I hope you're not storing any credit card data.


Yeah, because if I were storing CC data, I would rely on other people's patches, I wouldn't ENCRYPT it all to begin with. Right.


If you're in a shared hosting environment, you better hope that the hosting provider is doing more than just updating cpanel.


Oh sure . . . because I would not simply get my own dedicated server running OpenBSD, sitting behind a hardware firewall with some tight filtering rules AND an IDS (to begin with) . . . no, I would RUN WINDOWS! RIIIGHHHHTTTTT


I'm not new to the internet, I know what kind of situation this is.

Yeah, that. I can tell. Sure.


It's kind of like a political debate where one side digs in to argue their point without really understanding the issue. It doesn't matter what you tell that person, they're still going to try and argue their side. Participating in those kinds of arguments is a big waste of time.


Sure, because I haven't made reference to several obvious facts related to the question at hand. No, I just . . . made it up, yeah, I admit it man, it's not true, yeah, the windows code base does not date back to the pre-web era and thus was designed with network security in mind, and no, Mr. Mitnick (who is a friend of Oprano btw) did not know what he was talking about when he found that a Windows SBS 2003 server was compromised EIGHT HOURS after being on the net . . . what would HE know about security right? RIGGGHHHHTTTTT


Based on your post it is obvious that you have a very very rudimentary understanding of security and what leads to vulnerabilities.


So I just need to apply patches, RIGHT?


When I made the post above, I was simply stating facts


Just repeating what you read someplace, you most certainly don't UNDERSTAND IT . . . that.is.obvious . . . I can't imagine how someone could ever possibly conclude that a closed source system, the security of which was designed before the web became widely used, is CAPABLE of being secure. That's beyond me.


(which you're obviously not interested in, or unable to understand)


Right again, because I did not provide LINKS to stuff, therefore, that means that what I made REFERENCE to never happened, yeah. Oh yeah, and I am unable to understand that applying patches is the way to implement security. Right.


not trying to get into an "z0mg which OS is bettar!?!?!" flame war.


Do you realize that I never made a comparison to ANY other operating system when I commented on the lack of proper security in Windows? Do you? Please read my initial post on this topic. So. Who attempted to kick off a flame fest?


So, the long and short of it is. I'm not here to teach security class and there are some huge gaps in your understanding that would take a lot more time than I'm willing to give in order to fill them in.

You are not qualified to teach security bud, so don't even go there . . . please . . . I most certainly do not need information from you, your understanding of the topic is limited to applying patches anyway, friggin' home users can do that . . . but I know what kind of a "security" guy you are. Your world is limited to a very narrow, fenced off segment of it, one where the core concepts, the fundamental, architectural facts are not an issue, you just read some bulletins, apply some patches, and call it good. Please. I am amazed that you are actually convinced.

You know, I don't even care that you disagreed with my post, I simply find it outrageous that anyone would make the claims you have made, in face of years of history, thousands of pages written on the topic, and the experiences and opinions of MOST technology professionals (and by professionals I don't mean former construction workers with MCSEs) along with a gargantuan number of available examples. I find it incredible. Outlandish. Unreal. In other words, you can't possibly be serious.

gonzo
06-08-2008, 10:29 AM
yeah, I admit it man, it's not true, yeah, the windows code base does not date back to the pre-web era and thus was designed with network security in mind, and no, Mr. Mitnick (who is a friend of Oprano btw) did not know what he was talking about when he found that a Windows SBS 2003 server was compromised EIGHT HOURS after being on the net . . . what would HE know about security right? RIGGGHHHHTTTTT


I can hardly contain myself for the pending rebuttal.

deviant
06-08-2008, 12:02 PM
Oh man I LOL'd for about 20 minutes straight after that one. That post was funny on so many levels.

1) you don't know what you're talking about
2) you don't know who you're talking to
3) obvious troll is obvious
4) I really don't care enough to correct you, it's funnier not to.

Good stuff though, next you should watch a documentary on brain surgery and then go troll some neurosurgeons with your wisdom. You kind of argue like a drunk guy though, all over the place, rambling, not making any sense, implying someone is saying one thing when they're not and then basing your whole argument on that. With a little perfection of technique you could be a much better troll.

I should not keep this going and I know I'm wasting my time on you but...
List of funny points:
Now, about programming languages being insecure, I find that it is the programmer's skill that determines whether software is secure, not the language itself,
A majority of the vulnerabilities I posted links to were in regards to how the language itself handled data.
Oh, ok, that must mean that buffer overflows in the code - for example - are fixed by applying patches
If the vulnerability exists in a programming language's function and not how that function is implemented then yes. Examples of this were in those links I provided in the first post.
If you truly have to constantly watch something like a hawk, you are doing something wrong friend. Software security is not something which you implement by watching over something at all times.
All of these quotes clearly indicate that you don't understand what leads to buffer overflows and other issues that different languages are prone to or why. Each depends on how the language is written and then how the language is implemented by the coder. Different languages produce different types of vulnerabilities. Webapps are not typically vulnerable to "Buffer overflows" (congrats on knowing a security term, here's your cookie) unless the language it's written in is vulnerable. Are you allocating buffers and doing memory management in php or does php handle that, genius? Secure coding practices address known issues and are not implemented by telepathy. Are you starting to realize what kind of asshat you put on by acting like you know it all? I see this kind of shit all day every day, it's ok, people don't know what they don't know, but when you act like you do, you run the risk of looking like a real idiot.

Yeah, because if I were storing CC data, I would rely on other people's patches, I wouldn't ENCRYPT it all to begin with. Right.
If you can decrypt it, so can whoever just pwn3d your box.

EXTREMELY LOW number of people (the group that the source code is available to) THAT MEANS THOSE SIMPLY DON'T EXIST
You have no idea how many people MS employs looking for bugs, you also have no idea how many people or what kind of equipment they're using to look for bugs through fuzzing and other techniques. I'm not saying there's no bugs, I'm saying they've become so rare they sell for 6 figures easy and this is well known in the security industry. With all your knowledge of windows exploits, you must be sitting on a freaking goldmine over there man, what are you doing wasting your time on oprano!?!?


Mr. Mitnick (who is a friend of Oprano btw) did not know what he was talking about when he found that a Windows SBS 2003 server was compromised EIGHT HOURS after being on the net . . . what would HE know about security right? RIGGGHHHHTTTTT
This was hilarious for many many many reasons. I'm only going to state the most obvious. It was a default install, from..... 2003.
"While receiving more attacks, the Microsoft XP SP2 machine and the Macintosh OS X 10.3.3 were not compromised by (http://www.avantgarde.com/ttln113004.html)"

The friend of a friend name dropping was pretty funny too, reminded me of elementary school.

The rest of your post was assumptions and made up personal attacks further leading me to believe you were drinking when you posted it. Either that or mommy put your helmet on too tight you tell me.

In order to truly understand the flaws in your argument you really need a full course in secure coding practices, buffer overflows, and how programming languages handle memory allocation and management. That's what I meant by I'm not here to teach security class, hopefully this post will clear up a little bit of your confusion. If it doesn't that's your problem, not mine. I'm not here to hold your hand just because you talked shit on the internet, there's nothing to gain by proving to every idiot they're an idiot.

deviant
06-08-2008, 12:22 PM
I can hardly contain myself for the pending rebuttal.

You're like the referee, I know you have to be laughing your ass off. I'm tempted to print it out, frame it, and hang it on my wall. This is the funniest shit I've seen in a while.

gonzo
06-08-2008, 12:35 PM
You're like the referee, I know you have to be laughing your ass off. I'm tempted to print it out, frame it, and hang it on my wall. This is the funniest shit I've seen in a while.
Social engineering at its best!

Darci can't moderate us here! hahaha

See twitter.

Sexyteaser
06-08-2008, 01:01 PM
I need my depends.

There are some great unsolved codes and ciphers (http://elonka.com/UnsolvedCodes.html) listed maybe we could have a contest on oprano or something and crack a few.

moetheman
06-08-2008, 09:29 PM
Oh man I LOL'd for about 20 minutes straight after that one. That post was funny on so many levels.


I can see you sidestepping the issue, which is "are MSFT products secure?", the answer to which is NO. Has the news for the last 8 years simply gone over your head?


1) you don't know what you're talking about


You obviously haven't a clue. But hurry up and apply those patches, since you have to watch your PHP apps "like a hawk". LOL


2) you don't know who you're talking to


That's whatever all the guys like you say.


3) obvious troll is obvious


Look who's talking about a troll. Go on, insist that Windows is secure.


4) I really don't care enough to correct you, it's funnier not to.


You keep believing that your patches and bulletins are the answer.


Good stuff though, next you should watch a documentary on brain surgery and then go troll some neurosurgeons with your wisdom. You kind of argue like a drunk guy though, all over the place, rambling, not making any sense, implying someone is saying one thing when they're not and then basing your whole argument on that. With a little perfection of technique you could be a much better troll.


Funny, you have not provided a factual rebuttal to any of the references I have brought into the discussion. Not a single one.


A majority of the vulnerabilities I posted links to were in regards to how the language itself handled data.


Thus my point, twit, programming skill INCLUDES knowing the language and its interpreter/compiler well enough to know those things, I can see that your definition of programming skill is limited to skill driving an IDE.


If the vulnerability exists in a programming language's function and not how that function is implemented then yes. Examples of this were in those links I provided in the first post.


Once again, thus my point. I stated the code, not the interpreter or the compiler, thus, I was referring to the implementation.


All of these quotes clearly indicate that you don't understand what leads to buffer overflows and other issues that different languages are prone to or why. Each depends on how the language is written and then how the language is implemented by the coder. Different languages produce different types of vulnerabilities.


It all comes down to the programmer's skill, as I stated. Programming skill, once again, implies a little more than driving an IDE, which is apparently your definition of it.


Webapps are not typically vulnerable to "Buffer overflows"


Now, I wasn't specifically referring to web applications there, however you are dead wrong cocksucker! Webapps are indeed vulnerable to buffer overflows . . . if someone has the parameter in question, and the buffer size, he/she can overwrite the stack pointer and ram home shell code . . .


(congrats on knowing a security term, here's your cookie)


You'll remember this when you get owned Jack. You will.


unless the language it's written in is vulnerable. Are you allocating buffers and doing memory management in php or does php handle that, genius?


Once again, I wasn't initially referring to webapps, but how pathetic of you, latching on to a strawman just to sidestep the issue.


Secure coding practices address known issues and are not implemented by telepathy. Are you starting to realize what kind of asshat you put on by acting like you know it all? I see this kind of shit all day every day, it's ok, people don't know what they don't know, but when you act like you do, you run the risk of looking like a real idiot.


Acting like I know it all? Gee, that's funny, I only stated the obvious, and you come back with "I work in security" - laughable.


If you can decrypt it, so can whoever just pwn3d your box.


Your windows box perhaps.


You have no idea how many people MS employs looking for bugs, you also have no idea how many people or what kind of equipment they're using to look for bugs through fuzzing and other techniques.


They evidently don't employ enough, just look at Vista, what planet do you live on? Do you smoke crack dude?


I'm not saying there's no bugs, I'm saying they've become so rare they sell for 6 figures easy and this is well known in the security industry. With all your knowledge of windows exploits, you must be sitting on a freaking goldmine over there man, what are you doing wasting your time on oprano!?!?


ROFLMAO - how pathetic of you, once again, sidestepping the issue with a strawman . . . did I say I knew windoze exploits? Did I? HAHAHAHAHAHA


This was hilarious for many many many reasons. I'm only going to state the most obvious. It was a default install, from..... 2003.
"While receiving more attacks, the Microsoft XP SP2 machine and the Macintosh OS X 10.3.3 were not compromised by (http://www.avantgarde.com/ttln113004.html)"


Right, because we ALL KNOW that the windows codebase has been completely rewritten since 2003, RIGHT . . . you are smoking MSFT crack kid, you are amazing, referring to a default install from 2003 AS IF IT WERE NOT MOSTLY THE SAME CODEBASE IN USE TODAY.


The friend of a friend name dropping was pretty funny too, reminded me of elementary school.


Friend of a friend? Oh, that did not really happen, nooooo, Mitnick did not find that, and he's not a friend of the board, RIGHT . . . I actually found both facts to be an interesting coincidence, that Mitnick conducted that study, and that (according to Gonzo, I was surprised when he mentioned that) he's a friend of the board.


The rest of your post was assumptions and made up personal attacks further leading me to believe you were drinking when you posted it. Either that or mommy put your helmet on too tight you tell me.


That's coming from the character that is convinced that Windows and MSFT products are safe. Laughable. By all means, you should sum up your expert findings in a blog post, and submit them to /. and HN . . . do it, please do it.


In order to truly understand the flaws in your argument you really need a full course in secure coding practices, buffer overflows, and how programming languages handle memory allocation and management.


That's interesting, considering that my core arguments were simple references to the obvious . . . which you are evidently unable to see, or worse, you ignore the obvious, in the name of referring to yourself as a security expert, sticking to the safe little bulletins and patches, since that is so much easier than learning about the fundamental issues at work.


That's what I meant by I'm not here to teach security class, hopefully this post will clear up a little bit of your confusion. If it doesn't that's your problem, not mine. I'm not here to hold your hand just because you talked shit on the internet, there's nothing to gain by proving to every idiot they're an idiot.

You are obviously incompetent at what you claim you work at, and it is sad to see that you truly have no clue, the whole track record of a technology has completely eluded you. That's pathetic dude. But, please, by all means, go on in full faith that your bulletins and patches are the answer, and that as long as MSFT does not DIVULGE (now do you understand? still don't get it?) information about security flaws, then that must mean that there aren't any . . .

deviant
06-08-2008, 09:35 PM
http://www.forumammo.com/cpg/albums/userpics/10071/picard-no-facepalm.jpg

gonzo
06-08-2008, 10:57 PM
Friend of a friend? Oh, that did not really happen, nooooo, Mitnick did not find that, and he's not a friend of the board, RIGHT . . . I actually found both facts to be an interesting coincidence, that Mitnick conducted that study, and that (according to Gonzo, I was surprised when he mentioned that) he's a friend of the board.

http://www.amazon.com/gp/reader/0471782661/ref=sib_dp_ptu#reader-link

http://www.oprano.com/msgboard/picture.php?albumid=6&pictureid=46

http://www.oprano.com/msgboard/picture.php?albumid=6&pictureid=45

http://www.oprano.com/msgboard/picture.php?albumid=6&pictureid=50

DannyCox
06-08-2008, 11:00 PM
You lost me with that Jenna photo. The industry created a real bitchy monster in that one.

helix
06-08-2008, 11:05 PM
Free Gonzo !

gonzo
06-08-2008, 11:10 PM
You lost me with that Jenna photo. The industry created a real bitchy monster in that one.
She don't look like that anymore for sure!
And I agree 100% Danny.

moetheman
06-08-2008, 11:16 PM
Did it sound like I doubted Mitnick was a friend of the board? I didn't. I was surprised however, since this is a porn board and Mitnick works in security.

?

gonzo
06-08-2008, 11:18 PM
Did it sound like I doubted Mitnick was a friend of the board? I didn't. I was surprised however, since this is a porn board and Mitnick works in security.

?
There's more than one security expert that follows this board.
They have the right to get a nut too!

deviant
06-08-2008, 11:25 PM
This reminds me of that pee-wee herman song "La la la la la, connect the dots" anybody remember that song? Pee-wee was awesome.

moetheman
06-08-2008, 11:26 PM
There's more than one security expert that follows this board.
They have the right to get a nut too!

Once again, I am surprised . . . not that I don't think they have a right to get their nut on . . . just didn't see the correlation.

deviant
06-08-2008, 11:29 PM
There's more than one security expert that follows this board.
They have the right to get a nut too!

Hackers & Porn go hand in hand. Hmm, that may not sound right.

deviant
06-08-2008, 11:34 PM
She don't look like that anymore for sure!
And I agree 100% Danny.

Oh, I thought you posted two hacker pics and then someone you'd like to root their box if ya know what I'm sayin (wink wink). :awinky:

gonzo
06-08-2008, 11:43 PM
Oh, I thought you posted two hacker pics and then someone you'd like to root their box if ya know what I'm sayin (wink wink). :awinky:

Got Root?

moetheman
06-08-2008, 11:49 PM
Got Root?

In her case, I'd like to brute force a backdoor . . .

deviant
06-08-2008, 11:51 PM
http://www.jinx.com/Content/Member/1ec9f2d73abd4cb098e1b.jpg

Damn need panty hax, must overflow the buffer!

Hell Puppy
06-09-2008, 02:57 AM
This thread reminds me of the documentary on sex ed for waterheads....

gonzo
06-09-2008, 08:18 AM
This thread reminds me of the documentary on sex ed for waterheads....
I'm sure Kevin is amused.

Hell Puppy
06-09-2008, 06:15 PM
DJpczeKtpmI