Monday, July 3. 2006
Conference Wrapup - busy weeks lie behind me
All in all, I travelled roughly 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu).

My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said at the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatic and well-formed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.

Today at around 7pm, I returned from the WebTech 2006 in
Once I got to talk with local web developers (and hosters, for that matter) quite a lot and it was all very interesting. The owner of host.bg started an interesting discussion with me - is it faster to have 1000 virtual hosts in a plaintext file or do mod_rewrite style preg-vHosting?

Some days earlier, I took the plane to Sandefjord Airport to attend an event called an “unconference”. Since I usually don’t go to events like FrOSCON or Linuxtag, unconventional gatherings of knowledgeable people were new to me - I wasn’t disappointed. Again, somebody left no stone unturned to make the “PHP Vikinger” a success - this time it was Zak Greant. Thanks, man, it was great!

Basically, an unconference is not at all different from a traditional conference, only that there is no distinction between organizers, attendees and speakers. The schedule was formed with a couple of Post-It notes, which had been handed out to every attendee to jot down session proposals. With a quick show of hands, interesting stuff was selected, not-so-interesting stuff (or just stuff that didn’t sound that interesting) was dropped. I mean, literally. After that, everyone in turn stood up to tell others what he knew (sorry, no women around) and try to stir up a discussion.

I found Kris’s item “things that have no name” very rewarding, because it got everyone going about stuff that is still lacking in PHP, or good stuff that should be better documented/publicised. Since lots of the core developers (Rasmus, Marcus, Edin, Derick, Ilia) were present, the discussion was conducted at a very high and very thorough level. I gave my usual “how to fix your server but not your applications” blurb that was - not surprisingly - met with some (mostly justified) skepticism from the core developers (Quote RL: “You might wonder why this stuff isn’t in PHP yet - because it’s SLOW!”), but was otherwise quite well-accepted.
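The “defined and limited outer and inner area” that Kris argued for, sketched as an added PHP illustration (this is my example, not code from the post, from Kris, or from the Hardening Patch): the application declares an explicit array of every URL entry point it answers, together with the parameters each one accepts and how they are validated, and refuses anything else before any application code runs; on the inner side, every handler only sees validated, typed parameters and all output leaves through one escaping function, so the set of possible outputs is bounded too. The route names, handlers, validators and the constructed request at the bottom are assumptions made up for the example.

```php
<?php
// Added illustration (not code from the post): an explicit map of every URL entry
// point the application answers, each with its allowed parameters and validators.
// Requests outside this map are rejected before any application code runs.
// Route names, handlers and parameter rules are made up for this example.

declare(strict_types=1);

// The complete outer surface: route => [allowed parameters => validator name].
$entryPoints = [
    '/'        => ['params' => [],                               'handler' => 'showHome'],
    '/article' => ['params' => ['id' => 'int'],                  'handler' => 'showArticle'],
    '/search'  => ['params' => ['q' => 'text', 'page' => 'int'], 'handler' => 'showSearch'],
];

// Validators: each returns the cleaned value, or null when the input is unacceptable.
$validators = [
    'int'  => fn(string $v): ?int    => (ctype_digit($v) && strlen($v) <= 9) ? (int)$v : null,
    'text' => fn(string $v): ?string => (mb_check_encoding($v, 'UTF-8') && mb_strlen($v) <= 100) ? $v : null,
];

/**
 * Resolve a request against the entry-point map.
 * Returns [handlerName, cleanedParams], or null if the request falls outside
 * the defined surface (unknown path, undeclared parameter, or invalid value).
 */
function resolveRequest(array $entryPoints, array $validators, string $path, array $query): ?array
{
    if (!isset($entryPoints[$path])) {
        return null;                       // unknown URL: not part of the application
    }
    $spec = $entryPoints[$path];

    // A parameter that is not declared for this route makes the whole request
    // invalid, so unexpected input is refused instead of silently ignored.
    foreach (array_keys($query) as $name) {
        if (!array_key_exists($name, $spec['params'])) {
            return null;
        }
    }

    $clean = [];
    foreach ($spec['params'] as $name => $type) {
        if (!isset($query[$name])) {
            continue;                      // declared parameter simply absent
        }
        if (!is_string($query[$name])) {
            return null;                   // array-valued input (?id[]=1) is never accepted
        }
        $value = $validators[$type]($query[$name]);
        if ($value === null) {
            return null;
        }
        $clean[$name] = $value;
    }
    return [$spec['handler'], $clean];
}

// Inner area: handlers only ever see validated, typed parameters, and every
// piece of output goes through the same escaping function.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
function showHome(array $p): string    { return '<h1>Home</h1>'; }
function showArticle(array $p): string { return '<h1>Article ' . h((string)($p['id'] ?? 'none')) . '</h1>'; }
function showSearch(array $p): string  { return '<p>Results for ' . h($p['q'] ?? '') . '</p>'; }

// Dispatch. The request below is constructed so the script runs from the command
// line; under a web server $_SERVER['REQUEST_URI'] and $_GET would be used instead.
$path  = '/article';
$query = ['id' => '42'];

$resolved = resolveRequest($entryPoints, $validators, $path, $query);
if ($resolved === null) {
    http_response_code(404);
    echo "Request outside the defined application surface\n";
    exit;
}
[$handler, $params] = $resolved;
echo $handler($params), "\n";
```

Changing `$path` to `/admin`, or `$query` to `['id' => '42', 'debug' => '1']` or `['id' => ['1']]`, makes `resolveRequest` return null and the script answer with a 404 instead of reaching a handler, which is the point of the approach: the application’s surface is an enumerable list rather than whatever happens to be reachable, so a filter in front of it only has to catch what slipped through that list, not define it.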
Again, it’s important to me to point out that I’m not presenting actual solutions, but merely suggestions how to mitigate problems quickly and as cost-effectively as possible. I know that not everyone can use the Hardening Patch or mod_security, but those that can (and didn’t try one of the products yet) might still gain a lot of additional server-side security with few downsides.

However, the PHP Vikinger conference was pure fun. Sleeping in a school gym gave it a very class-trip-like feel and the other attendees were a very nice bunch too. The mighty power of Thor was with us.

The conferences were overshadowed by an equally mighty case of scheduling conflicts, since we had major migration/maintenance work at our two colo facilities on both weekends, and I wasn’t even there to help. That put me in a tight spot sometimes, since I at least tried to be near Wifi as often as possible, to put out the fires that our two onsite crews overlooked (or just couldn’t extinguish since only I have SSH keys to some servers). We hope everything’s up and running by now and no major fallout has been incurred for our customers. My colleagues have been working 24+ hour shifts to get everything done, and I know that this is a very, very tough job.

I’m sorry I couldn’t be there to help them, but both the Vikinger and the WebTech were planned and booked well before we knew that we’d have to migrate on those 2 specific weekends. (Basically, the colo facility that we’re downsizing told us that they wanted the racks back by July 1st.)

Now, university will have me back by tomorrow, and I’ll need to get back into my learning schedule very quickly. First exams are around the 15th, there’s some more work on my latest tattoo going on on the 18th, and then there’s Wacken. Yay. I still hope Zak might be able to make it
Posted by Christopher Kunz at 09:33 | Comments (0) | Trackbacks (0)
Defined tags for this entry: conference, ez, hannover, heise, hosting, ix, linux, mod_security, php, security, sicherheit, university, vikinger, vortrag

