InfoSec

Sunday, June 01, 2008

Slides from php|tek 2008

Affleck, you the *bomb* in Phantoms yo!

After experiencing the inspiring atmosphere of php|tek 2008, I vowed to write a blog post a day to hone my writing skills.

Whoops!

Building Desktop RIAs with PHP, HTML & Javascript in AIR

Note: The ZIP on the php|tek 2008 site didn’t have the AIR code in it, so until that’s fixed I’m linking to my locally hosted copies

Securing the PHP Environment with PHPSecInfo

Posted in PHPSecInfo, InfoSec, PHP by funkatron on 06/01 at 01:24 PM
(5) Comments

Tuesday, April 01, 2008

Encouraging steps towards security in Wordpress 2.5

Table Salt

Anyone who gets me liquored up knows that I’m not a fan of Wordpress. I think it’s great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don’t believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption. From the WP blog:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper, which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

These are good steps, and while I think they took way too long to happen, I’m glad they finally did. I do still feel that WP suffers from an architecture that makes it too easy to make input filtering mistakes, and I would strongly recommend a tool like WPIDS for all self-hosting Wordpress users.
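The cookie construction quoted above, worked through as an added example in Python (this is not WordPress’s or phpass’s own code). The hash used inside the HMAC (SHA-256) and the secret key are assumptions, since the quoted description names neither; the validator checks the expiration and compares the MAC in constant time.

```python
import hashlib
import hmac

# Site secret (sk in the scheme). Constructed placeholder for this example;
# a real deployment loads it from configuration and never sends it to clients.
SECRET_KEY = b"constructed-example-secret-key"

# The quoted description does not name the hash; SHA-256 is an assumption here.
HASH = hashlib.sha256


def _derive_key(user, expiration, secret_key):
    """k = HMAC(user name|expiration time, sk): a per-cookie key derived from sk."""
    return hmac.new(secret_key, f"{user}|{expiration}".encode(), HASH).digest()


def generate_auth_cookie(user, expiration, secret_key=SECRET_KEY):
    """Return user name|expiration time|HMAC(user name|expiration time, k)."""
    if "|" in user:
        # The separator inside a user name would make the cookie ambiguous to parse.
        raise ValueError("user name must not contain '|'")
    k = _derive_key(user, expiration, secret_key)
    mac = hmac.new(k, f"{user}|{expiration}".encode(), HASH).hexdigest()
    return f"{user}|{expiration}|{mac}"


def validate_auth_cookie(cookie, now, secret_key=SECRET_KEY):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    user, expiration, mac = parts[0], int(parts[1]), parts[2]
    if expiration < now:
        return None  # expired: the server needs no stored state to know this
    expected = hmac.new(_derive_key(user, expiration, secret_key),
                        f"{user}|{expiration}".encode(), HASH).hexdigest()
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, mac):
        return None
    return user
```

Anyone holding a valid cookie is authenticated until it expires, so the scheme still depends on keeping the cookie off the wire (TLS, HttpOnly) and sk secret; changing sk invalidates every outstanding cookie at once.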

Posted in InfoSec, PHP by funkatron on 04/01 at 02:15 PM
(2) Comments

Wednesday, March 12, 2008

Notes on SXSW2008

Passive-aggressive

The experience of SXSW

  • Unlike other conferences I’ve been to, which were mostly tech confs, SXSWi is not about nuts and bolts — it’s about higher level issues of people using technology
    • A couple exceptions, like the Secrets of JavaScript Libraries. This was good, and I’d like to see more like this. I don’t expect hardcore advanced code talks, but good intro-level stuff would go a long way, I think.
  • At most confs I attend, I’m the “weird” dude, with my earrings and black t-shirts. At SXSW I’m another asshole with a fauxhawk.
  • Way, way, way more women at SXSWi than any tech conf. Someone on a panel I attended complained that the % of females has been going down at SXSWi, and I’d guess it’s maybe 35-40% female. At most of the tech conferences I go to, it’s 5-10% female, tops.
  • Despite the fact that web apps are one of the primary points of attack for malicious users, security was really not talked about much at SXSW (although I heard there was some in the OpenID panel). This was disappointing. People running web apps are the stewards of their users’ security and privacy, a responsibility not to be taken lightly. I’d wager under 20% of attendees and panelists could describe basic techniques for architecting software with security in mind (but I hope it’s higher). Definitely need to propose a panel for 2009.

The culture of Austin

  • People really do seem more hospitable. Locals will ask a stranger how their night’s going. This is pleasant, but a little weird for a yanqui when it happens in the men’s room.
  • Austin embraces being different. They like it, from the top down. This is so unlike most other communities.
  • Austin doesn’t feel like a big city. It has some big, cool buildings, but you’ll see flop houses a couple blocks away.
  • Closest thing I’ve experienced to Austin is Portland. I think PDX has better public transportation. Austin’s weather doesn’t cause city-wide suicide watches, though.

Other tidbits

Introduced Clint Ecker to Jason Perkins, both Chicago-based web devs. They discovered that they work literally next door to one another.


Had lunch with Jason Perkins and the rest of the Pixish crew. Surprisingly was not mocked incessantly for not using Rails. They’re good peeps, and Pixish is a cool site.


I wonder how far the Zuckerberg “keynote” set back female journalism. That’s a hari-kari situation right there.


If you are unwilling to say to someone’s face what you say in your little gadget (or otherwise) blog, you need to shut up. Stop being a punk.


I was really happy to see ExpressionEngine and CodeIgniter represented as strongly as they were at SXSW. I still feel strongly that EE is the strongest CMS product in its market (which includes Drupal, Joomla, Wordpress and the like), and the improvements in EE2.0’s administration system will increase productivity considerably.


Holy shit, I have never seen as many iPhones as I did there. And it’s taking some effort on my part to not go get one now. I could have left my laptop in the hotel room if I’d had one, which would have reduced my fatigue considerably. Since I am doing about 4 conferences a year, it’s starting to make more sense. I’m making myself wait for a new hardware revision, though (and I really can’t afford one atm).


The panel on the success of icanhascheezburger.com was interesting, and I think underlines that luck is a (the?) key component for almost all of these rags-to-riches stories.


Being with someone — or a small group — seems key to me. I think I would have enjoyed SXSWi a lot less if I was not able to always count on the two friends I was with.


Do not be afraid to come up and talk to people. It’s hard for me to do, but I was always glad I did. I got to meet old internet-only friends like Violet Blue because of this (so glad I did!). I also got a hug from Halcyon, which was awesome — more dudes should be down with hugs.


Meeting Alex Payne was another highlight of SXSW for me. What a great guy; I wish we’d had more time to hang and talk. And there were so many others, like Derek Allard, Jonathan Snook, Ken Fisher (thanks again for dinner Monday night), Thomas Myer, C. Eric Smith, Obie Fernandez (I wish he’d written Rails), Stephanie Booth, and many others whom I’m too forgetful to remember at the moment.


Frank Warren’s keynote on his PostSecret project was the highlight of SXSW for me. It was funny, tragic, inspiring, and compelling. One could not help but be inspired, as exemplified by the man who asked his love to marry him in front of the entire audience. Technology empowering us to express ourselves, communicate, and aid one another is so much of what the last few years in web dev has been about, and we would do well to follow the example set by Frank Warren.


Oh hell yes I’m coming back next year

Posted in Development, InfoSec, Design, PHP by funkatron on 03/12 at 09:36 PM
(5) Comments

Monday, February 18, 2008

New Article on Inspekt at C7Y

Just a quick note that I wrote an article for the new C7Y PHP community site on Inspekt:

If you’re interested in Inspekt and have questions or would like to contribute, please check out the Inspekt user group.

Posted in My Projects, InfoSec, PHP by funkatron on 02/18 at 09:50 PM
(0) Comments

Monday, January 21, 2008

Inspekt 0.3 now available

Inspekt

I’ve uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for “real-world” use.

Along with this release, there are new support and install options:

What’s new in this release:

  • Automated filtering via external config files
  • Cleanup and fixes to docblocks
  • More example code
  • A fruity logo

What’s in the future:

  • Interact with developers to get feedback and implement suggestions
  • Add new options for URI, email, phone # validators
  • Work with framework developers to integrate Inspekt with their platforms
  • Better support the special requirements of session data
  • Integration with PHP5’s filtering API when available
  • Integration with other filtering and escaping systems like PHPIDS and HTML Purifier

If you are interested in contributing to Inspekt in any way, I highly encourage you to join the mailing list. I’m especially looking for development assistance and “real-world” feedback.

Posted in Inspekt, My Projects, Development, InfoSec, PHP by funkatron on 01/21 at 12:56 PM
(4) Comments