Thanks Rick.

This is why I have such great respect for the members of this list. You have such valuable experiences that you are willing to share. I regret that I have had the experience of server issues occurring at bad times (right after talking about our product at a trade event), but thus far none have been PHP or MySQL related, so I very much appreciate the insights of others.

Thanks again,

Dr. Larry Ozeran
President, Clinical Informatics, Inc.
(530) 671-9244

On 6/2/2016 18:46, Rick Moen wrote:
Quoting Dr. Larry Ozeran (loze...@clinicalinformatics.com):

> Rick, thanks again for your insights.

You are most welcome.

> You are, of course, correct that we would not redesign our software
> without a significant and deep assessment of benefits and costs
> (money, time, resources, etc.). Most of the PHP, MySQL, and related
> code has been developed in house. I probably coded 10-15% myself.
> The intent of my comment was simply to indicate that we do not
> blindly accept that there is no better option than what we are
> doing. If there are strong arguments to support considering making a
> switch, I would not exclude that possibility without reviewing the
> pros and cons simply because we have a large legacy investment. I
> consider your response (below) to fall into the 'cons' (to
> switching) category and will definitely compare your PHP security
> recommendations against what we currently are and are not doing.

I am very glad to be of help -- and certainly was trying to be at pains
to avoid advising anyone to merely redesign, especially without
knowledge of the particulars.

My own disaffection with PHP was markedly increased when I boarded a
cruise ship with my wife from San Francisco to Sydney, and right on the
day of my departure my logcheck reports started indicating a serious
attempt to break security on my server via (what turned out to be)
mod_php -- exactly at a time when I had just boarded an ocean vessel
with only satellite Internet at very high prices.

Somehow with a painfully thin straw of ssh bandwidth and only one hour
of high-latency, low-reliability Internet access each evening, I was
able to kludge together a lockout of the kiddies within a couple of
days and before they were able to compile an exploit kit.  When I
reached Sydney, one of the first things I did from my hotel room was rip
out the last bits of public-facing PHP exposure so I'd never have to
worry about that again.

My _own_ view is that PHP is entirely too much like the scenario
Marcus Ranum described in his rather caustic 'What Sun Tsu Would Say'
essay, i.e., as Ranum phrases it, 'If patching hasn't been working, why
are we still doing it?'  I stopped needing to apply the PHP patch du
jour by no longer exposing it to public networks.

But whatever works for you is of course great.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
