php-general Digest 30 Aug 2010 15:34:44 -0000 Issue 6918

Topics (messages 307754 through 307757):

Caution Fraud Alert about Antony Papamichail
        307754 by: Lenin

Re: Secure Communication?
        307755 by: Bostjan Skufca
        307756 by: Per Jessen

Re: Making multiple RSS feeds for the blog website
        307757 by: Paul M Foster

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
I really didn't want to publish this at this moment to this list, as this
list is going to die from this sort of mishap. Though I should first let
you all know that this didn't happen from this list at all. But informing
about a fraud will always help.

I have all the proofs and records of chat in Skype with this client. And the
party seems to be making good money as well. This Greek guy named
Antonis Papamichail (papa...@gmail.com) skype(a.papamichail) contacted me
from the www.getshopped.org WP consultants list. And asked me to solve his
problem of a single page theme he had. Though I insisted he allow me 2 days,
he at the last moment of agreement allowed me only 1 day. I have taken $100
as advance of 50% of the total deal. Then I delivered him the full work. I had
to trust him because he seemed to have a renowned and well established
business. Who would have thought that when I submitted the whole work and he
thanked me, he'd just go away without any talks about the rest of the
payment? I have sent him a PayPal invoice and sent mail reminders. I found
that he probably has blocked me on Skype after he reported to me that the
work/modification by me is working fine. I had no access to his resources as
he mailed them and I sent them back after proper work.

Anyway, I won't write more, as not everyone has the patience to hear it all.
The job I worked on is for a humanitarian guy:
http://store.machinegunpreacher.org/index.php

Up to this point I wrote on 22nd August, but as there was a conversation over Skype
with Dan Milward (founder of instinct.co.nz, the WP eCommerce Plugin owner),
he suggested that I not say anything (as this is something negative) about
this guy in mailing lists, so I kept myself from the tendency to publish
this fraud act (and now I am suffering for not doing this). He is now taking
chances as I didn't take action against him at all. This guy seems to be
related with www.redshift.gr which is also www.psdgator.com


-----------------

Latest update is he not only fled away from giving me the rest of the 50% money,
i.e. $100. Now, he has even claimed back the first $100 over PayPal. Which is not
only forcing me to put a dispute against him, but also I think every developer
should be warned about such a miscreant and liar. I have all the proof of
chat conversations, emails and the source code I worked on.

I wonder if he can be so mischievous with an amount of money as tiny as $200
and a work of only a single page theme design for WP eCommerce, then what is he
serving to the clients of his company? If I show you all the
conversations he had with me you'll see his attitude problem (acts just like
a teenager phreak) as well.

Thanks

Lenin
http://twitter.com/nine_L
http://zend.com/zce.php?c=ZEND009985

--- End Message ---
--- Begin Message ---
Hi tedd!

Reading this thread I assume you are doing RPC stuff when you are expressing
yourself as "the access" to the database, which normally describes direct access
to the database.

In your case, you should divide the phrase "hacked server" into two separate
types of incidents (let's talk about your "master" server here):
1) server gets cracked and your code gets exposed in read only mode
2) server gets cracked and cracker can modify your code
(read the definitions of hacker vs cracker for further communication:)

In case 2) there is not much you can do, because they have everything they
need to access the database in the fashion of their desire.
However, in case 1) your protection works fine. But it is a reinvented
wheel, for 99% of the population. Why?

When most people think of security, one of the first thoughts is
getting off shared hosting. When you do that, all you need to set up is two-
way SSL authentication and IP checking. Which could be done without the RPC
layer (for example MySQL can check the cert against the host IP, the cert against
the CA, and do CN checking and all).

Anyway, what you are trying to achieve is to connect two systems which are
shared hosting based. In this case your solution is somehow "secure", if
there is such a thing. That means that it is secure by its nature. But what
you have to be careful about is the implementation and things that are out of
scope of the setup you have described.
One possible breach of your "secure" setup is here: on your master server
(shared hosting) the HTTP server runs PHP scripts as a single user (usually
www-data, www or nobody). Your script HAS to have write permissions to the
folder where it publishes tokens. Should a malicious user have an account on
the very same machine, she can also put files in the folder where only you
should be able to do so. This way, she can publish a token, request stuff from
your database and decrypt it using your keys.

I hope I have understood your intentions correctly. Best regards,
b.

PS: Probability of hacked server.
From my experience the majority of successful breaches come from 3 methods (in
order of decreasing frequency):
- password collection with viruses/trojans and such (operates against client
machine)
- stupid users writing passwords all around (post-it, forwarded email, etc)
and/or social engineering (operates against user)
- brute force password guessing (operates against server)
Only tiny fraction of breaches are whole servers being hacked/rooted.




On 29 August 2010 23:18, tedd <tedd.sperl...@gmail.com> wrote:

> To all:
>
> Part of the problem in discussing security is that there are all sorts of
> security issues.
>
> There is the obvious cleaning and scrubbing of data coming into your site
> from outside sources such as from POST, GET, COOKIES, and such.
>
> There's the security problem of communication between your users and your
> server, thus HTTPS and SSL's come into play.
>
> There is the security problem in what access your users have to your data,
> such as in setting directory permissions, placing files out-of-the-root,
> placing data in a database and controlling users access to such data.
>
> And then there is the security involved in what happens *if* your server is
> hacked and all your "private" data is seen by a third party. What does all
> that entail -- and -- how you might be able to protect yourself should be
> paramount in every developer's mind.
>
> Now, I'm not a server guy, nor do I know what happens when a server is
> hacked, nor do I know what data might be exposed. I will say it would be
> nice to have a server guru, like Daniel Brown, wade in on this and tell us
> what is the range of things that can actually happen and what data might be
> exposed and how we might protect ourselves.
>
> At this point, I don't know the answers to those questions, but in my
> readings I found that if a server is hacked, then all data contained on the
> site can be read by a third party. Even encrypted data can be decrypted *if*
> the keys are exposed. In addition, access to the database can happen if the
> user-name and password are kept in a file, or code, that is exposed to the
> hacker after hacking. Everything is exposed.
>
> As such, that was my recent concern and my subsequent "Secure
> Communication?" post -- it was a way to protect data.
>
> Now, how likely is it that a server might be hacked -- again, I don't know.
> However, I sent numerous emails corresponding with GoDaddy.com as to what
> they would do *if* their servers were hacked and their customer's sensitive
> data was exposed to a third party, which caused their customers harm.
>
> I assumed that GoDaddy.com had insurance policies and procedures in place
> to mitigate damages for their customers, but unfortunately they responded
> that each case would be handled on a "We'll see" basis -- and I think we all
> know what that means.
>
> So, if you want to secure your data on a server, it means that you should
> take steps to do that and not rely upon the host to do that for you. Like I
> said, it would be nice to have a server guru wade in on this to clarify
> things.
>
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
tedd wrote:

> And then there is the security involved in what happens *if* your
> server is hacked and all your "private" data is seen by a third
> party. What does all that entail -- and -- how you might be able to
> protect yourself should be paramount in every developer's mind.

IMHO, not in a normal context. A developer needs to be able to trust
that the server is as secure as the organisation expects. 

> In addition, access to the database can happen if the user-name and
> password are kept in a file, or code, that is exposed to the hacker
> after hacking. Everything is exposed.

If somebody gains unauthorized access to your system, assume the worst.

> Now, how likely is it that a server might be hacked -- again, I don't
> know. 

If it's not secured, 100%. 

> So, if you want to secure your data on a server, it means that you
> should take steps to do that and not rely upon the host to do that
> for you. Like I said, it would be nice to have a server guru wade in 
> on this to clarify things.

There isn't really a lot to clarify.  To reduce the risk of a server
being compromised:

- impose physical access controls.
- limit the open services, and run a firewall.
- make sure your open services are secure (latest patches etc).

To reduce the impact should it get compromised anyway:

- run your server in a DMZ.
- run SELinux or AppArmor for access control.
- do not store important passwords on the server.


If all of that isn't really within your reach because you don't have
your own server - get your own server and secure it.  A leased server
is available for e.g. EUR50/month and that money is better spent than
you spending hour after hour trying to secure your application to run
on an insecure server. 


-- 
Per Jessen, Zürich (10.4°C)


--- End Message ---
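Bostjan's remark above that MySQL itself can check a client cert against the host IP, the CA and the CN, together with Per's "do not store important passwords on the server", as a worked example added here (it is not code from either poster). The account name, host IP, database name and certificate DNs are constructed placeholders.

```sql
-- Weak setup: password-only login, allowed from any host. Whoever reads
-- the PHP config file that holds this password has the database.
CREATE USER 'shop_app'@'%' IDENTIFIED BY 'Pl4intext-Pa55word';
GRANT SELECT, INSERT, UPDATE ON shopdb.* TO 'shop_app'@'%';

-- Hardened setup: the account is bound to the web server's IP (the host
-- part of the account name is the IP check) and the client must present a
-- certificate with the expected subject, issued by our own CA. A copied
-- password alone no longer opens the database; the client key does, so it
-- must be kept off shared hosting, which is Bostjan's point.
CREATE USER 'shop_app'@'203.0.113.10'
  IDENTIFIED BY 'Pl4intext-Pa55word'
  REQUIRE SUBJECT '/C=SI/O=Example Shop/CN=web1.example.com'
      AND ISSUER  '/C=SI/O=Example Shop/CN=Example Shop Internal CA';
GRANT SELECT, INSERT, UPDATE ON shopdb.* TO 'shop_app'@'203.0.113.10';
-- (MySQL 5.5 and earlier accept the REQUIRE clause on GRANT rather than on
--  CREATE USER; the effect is the same.)

-- Remove the wildcard-host account so the weak path no longer exists.
DROP USER 'shop_app'@'%';

-- Check 1: the certificate requirement is recorded for the account.
-- ssl_type must read SPECIFIED (X509 would mean "any cert from the CA"),
-- and x509_issuer / x509_subject must match the DNs above exactly.
SELECT Host, User, ssl_type, x509_issuer, x509_subject
  FROM mysql.user
 WHERE User = 'shop_app';

-- Check 2: from the application's own connection, confirm TLS is in use.
-- Value shows the negotiated cipher; an empty Value means this session is
-- in the clear and cannot be the certificate-bound account.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The server needs ssl-ca, ssl-cert and ssl-key set in its my.cnf and the client the matching [client] entries for the REQUIRE clause to be evaluated at all.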
--- Begin Message ---
On Sun, Aug 29, 2010 at 04:30:08AM +0200, Michelle Konzack wrote:

> Hello Andre Polykanine,
> 
> On 2010-08-27 12:55:51, you hacked out the following:
> > Hello Michelle,
> > 
> > Hm. link rel="alternate"... that's a good one, thanks (btw, you say me
> > that I should RTFM, but if I knew what to read....).
> > Now there are two questions:
> > 1. How do I do those .RSS files with PHP? All of my blog entries and
> > other stuff are in MySql. There are classes that can echo the
> > appropriate data as RSS, but there will be more .PHP files, not
> > .RSS/.XML ones. So how do we manage that?
> > 2. Should I make a separate .RSS file for each type of feeds (blog
> > feed, comments feed, timeline feed, news feed)?
> 
> The Internet is full of HOWTOs which explain HOW-TO-MAKE-A-RSS-FEED...
> 
> However, some time back I asked HERE IN THIS LIST the same IDIOTQUESTION!
> 
> You could have searched THIS LIST...  :-P

I've seen sites which detail all the posts to this list. Do you know of
one which has *search* capabilities?

Paul


-- 
Paul M. Foster

--- End Message ---