Dr. Christopher Kunz

That was a weird week. I think I rarely changed locations that often, and I kinda lost track of what time zone, currency and/or event I was currently at. However, it turned out to be a very rewarding week, too.

All in all, I roughly travelled around 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu).

My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said on the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatical and wellformed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.

So there we are in Bulgaria, and two of the PHP Vikings actually made it here: Derick and me. As I write this, he’s having his first session about the eZ Components. The conference is very well-visited (with around 300 people attending to 2 tracks and some workshops) and so far has been pure fun. Bogomil, the organiser, and his wife have everything under control and they really know how to celebrate

Yesterday evening, we experienced the mighty power of Thor first-hand: A huge thunderstorm went down over Sofia and literally flooded everything. In a brave attempt to get to the hotel, me and some other attendees ran from the restaurant, only to be greeted with lots of car alarm sirens (due to the hailing) and lots of water from every direction. The roads were actually converted to rivers with water flowing about 10-20 cm deep. I am not kidding you.

Around 1pm, I’ll be in for my first session, talking about how to harden PHP and about the Hardened-PHP Project.

For about 4 hours now, the PHP Vikinger is in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon him to moderate the scheduling and get everything started. Now, everyone who wants gets up and does a presentation, starts a discussion or - as Kris is currently doing - stipulates brainstorming with the attending core developers and other PHP nerds.

The current discussion is even somewhat strategic, pointing things out that PHP still lacks, things that need to adopt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed.

After that, Ilia and me will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.

Plane’s booked, train connection shouldn’t be a problem, and the crash pad (local school) is said to be open on friday, too... did I forget anything?

To everyone who’s coming: See ya on friday.