About a week and a half ago I got my hands on a shiny new MacBook Pro, and after a week of tinkering and getting used to this beastie I must say that Windows looks like an even bigger kludge than it did before. I mean WOW, an interface that actually works, certainly a step beyond Windows and even KDE, which I've used in the past. Perhaps the biggest plus is that things just work, without having to spend extra effort figuring out obscure error messages that tell you nothing or changing a gazillion settings just to do simple tasks. The application installation is also very neat: each app is a folder, and installing a program, with few exceptions, is nothing more than drag & drop. Uninstalling is equally simple, just delete the folder. Another very neat feature is the Spotlight search, which allows you to search very quickly through virtually any kind of document and has little if any delay in getting results. Lots of other neat things as well that would take too long to describe, so you just need to try it for yo...

Finally got a few moments to recap the PHP Quebec 2006 Conference, which as usual was a great success and a great deal of fun. I'd like to thank the organizers for doing an amazing job and bringing a great group of people together from both the development and user communities. My talks during the conference went quite well, and I am especially happy with the PDO talk; this topic seemed of particular interest to the audience and I hope we'll get a couple of new PDO users out of it ;-) The slides from my talks are now available online and can be found here:
PHP Security: PowerPoint || PDF
Introduction to PDO: PowerPoint || PDF

Yesterday I went to see "Thank You for Smoking", a satirical look at the whole lobbying process in the US (and I suspect not all that different in other countries) through the eyes of Nick Naylor, a Big Tobacco lobbyist trying to defend disenfranchised corporations ;-). Despite the lack of overwhelming special effects and a gazillion-dollar budget, the movie is still extremely enjoyable and amazingly funny. I'd definitely recommend going to see it, even if it requires a bit of travel since not all theaters show indie movies :/

Chris Shiflett has handed me the reins of the PHP|Architect Security Corner; hopefully I will be able to keep up the tradition of interesting and informative articles on the topic of PHP security. The first issue was released on March 20th and takes you on a road of discovery about Cross-Site Request Forgery (CSRF). My approach was to identify the various means of exploitation possible via CSRF and the dangers it presents. By taking this approach, not only can the uniqueness of the attack's approach be demonstrated, but the methodologies used by malicious users can be seen as well. In my mind, understanding the problem is half the solution; the other half, the prevention techniques designed to avert CSRF, is covered as well. If you are interested in learning more about CSRF you may want to grab an issue of the magazine.

While talking with PHP developers this morning I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs, but given the growing market share of PHP 5 it is certainly something worth noting. As you may know, classes in PHP are allowed to implement a magic method called __wakeup() that contains operations to be performed when an object of that class is unserialized. Some native classes like PDO implement this method with the goal of preventing serialization of database connections, and throw an error when it is used. Herein lies the abuse: the attacker simply needs to supply a short serialized string that looks like a serialized version of a supposed PDO object:

    O:3:"PDO":0:{}

When PHP tries to unserialize it, it determines that the PDO class has a __wakeup() method and promptly calls it. However, since the method is disallowed, it triggers an exception which, if left uncaught, terminates the script with a fatal error. Since most people do not expect unseri...
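An added example, not code from the original post, showing the crash path just described beside a hardened loader that refuses any object in untrusted input; it assumes PHP 7.0 or later (for the allowed_classes option, which PHP 5 lacks) and that the pdo extension is loaded.

```php
<?php
// Added example (not from the original post): the crash path described above
// beside a hardened loader. Assumes PHP >= 7.0 (allowed_classes) and ext/pdo.
// Constructed attacker-style payload: claims to be a PDO object with no properties.
$payload = 'O:3:"PDO":0:{}';

// Vulnerable pattern: unrestricted unserialize() on untrusted input. PHP creates
// a PDO instance without running its constructor, then calls PDO::__wakeup(),
// which throws; left uncaught, the script dies with a fatal error (request DoS).
function vulnerableLoad(string $data)
{
    return unserialize($data);
}

// With allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class, so no __wakeup() ever runs; is_object() is then
// enough to spot a smuggled object anywhere in the structure.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: null for malformed input or any payload carrying an object;
// plain scalars and arrays come back unchanged.
function safeLoad(string $data)
{
    if ($data === serialize(false)) {   // only input for which false is legitimate
        return false;
    }
    $value = @unserialize($data, ['allowed_classes' => false]);
    return ($value === false || containsObject($value)) ? null : $value;
}

// Demonstration: the same payload through both loaders.
try {
    vulnerableLoad($payload);
    echo "vulnerableLoad: no exception (is ext/pdo loaded?)\n";
} catch (Exception $e) {
    echo "vulnerableLoad: exception from PDO::__wakeup(): ", $e->getMessage(), "\n";
}
var_dump(safeLoad($payload));               // rejected
var_dump(safeLoad(serialize(['id' => 7]))); // accepted
```

For data that only ever needs scalars and arrays, the simplest fix is to avoid unserialize() on client-supplied input altogether and use a format such as JSON that cannot instantiate classes.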