[nycphp-talk] "The Web is broken and it's all your fault."

tedd tedd at sperling.com
Thu Sep 14 09:22:52 EDT 2006


At 8:37 AM -0400 9/14/06, michael wrote:
>http://www.internetnews.com/dev-news/article.php/3631831
>"
>	Those are the words that Rasmus Lerdorf, the creator of PHP,
>	said to kick off his keynote at the php|works conference under
>	way here.
>	...
>	"The Web is pretty much broken, we can all go home now,"
>	Lerdorf said somewhat sarcastically to the capacity crowd.
>	"Luckily most people don't realize that it's broken."
>
>	Part of the reason Lerdorf considers the Web "broken" is that
>	it is inherently insecure for a variety of reasons. One of those
>	reasons sits at the feet of developers.
>
>	"You don't know that you have to filter user input," Lerdorf
>	exclaimed.
>"
>
>Everybody is preaching security (gurus on this list included).  So, why
>hasn't it caught fire?  Here's my quick-list..
>
>1. it is easy to ignore it and the app still works in your test
>	environment.. and you didn't waste valuable time auditing!
>	(tongue in cheek)  "Despite your Herculean timetable,  Mr.
>	Client, the app is ready.  Now I'm going to have to bill you
>	extra hours to do a security audit and documentation."
>	"umm.. no thanks, Mr. Developer.  I don't have the budget for
>	your bill padding".
>
>2. php is easy to use and popular; low adoption barriers.
>	a. newbies haven't been burned yet or don't know best practices
>	b. popularity brings the dark side for low hanging fruit
>	c. terms like 'x-site scripting' and 'db injection' are
>		confusing buzzwords to the newly introduced and (despite
>		efforts) are not defined well enough; besides,
>		buzzwords get ignored anyway.
>	d. "eewww.. that can/will not happen to me"
>
>3. it isn't preached enough


Not that my comments solve anything, but wasn't the web designed 
by newbies?

No disrespect meant, but every step forward in web development was 
new and obviously done without full consideration for what was being 
developed and the hazards that might accompany each step.

So what we have now, as I see it, is dealing with a gamut of problems 
that weren't properly addressed in the beginning, such as spam, 
security, and legacy ASCII issues.

The history of "why" might help in the "how" to solve the problem.

Just my $0.02.

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
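Since the quoted article turns on "you have to filter user input" and the list above calls "x-site scripting" and "db injection" confusing buzzwords, here is what those two bugs look like in PHP, as an added example that is not part of the thread or of anything Rasmus said: a handler that drops request data straight into HTML and SQL, beside the same handler with validation on the way in and escaping or parameter binding on the way out. The sample input, the table and its rows are constructed for the example, and the PDO SQLite driver is assumed to be available so it runs with no server.

```php
<?php
// Added example, not code from the thread: "filter user input" made concrete.
// Constructed attacker input standing in for $_GET / $_POST.
$input = [
    'name' => '<script>alert(document.cookie)</script>',
    'id'   => '1 OR 1=1',
];

// --- Vulnerable: request data is interpolated into HTML and SQL text ---
function render_unsafe(array $in): string {
    // Reflected XSS: the <script> tag is emitted verbatim into the page.
    return "<p>Hello, {$in['name']}</p>";
}

function query_unsafe(PDO $db, array $in): array {
    // SQL injection: "1 OR 1=1" turns a one-row lookup into a dump of the table.
    $sql = "SELECT id, email FROM users WHERE id = {$in['id']}";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: validate on input, encode on output, bind parameters in SQL ---
function render_safe(array $in): string {
    // Output encoding for an HTML text context; ENT_QUOTES also covers attributes.
    $name = htmlspecialchars($in['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, {$name}</p>";
}

function query_safe(PDO $db, array $in): array {
    // Validate: an id is a positive integer, anything else is rejected outright.
    $id = filter_var($in['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Parameterise: the value is bound by the driver, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs stand-alone (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

echo render_unsafe($input), "\n";   // the script tag reaches the browser as markup
echo render_safe($input), "\n";     // the same input is shown as literal text

echo count(query_unsafe($db, $input)), " row(s) from the unsafe query (every user)\n";
try {
    query_safe($db, $input);        // the injected string never reaches SQL
} catch (InvalidArgumentException $e) {
    echo 'safe query rejected input: ', $e->getMessage(), "\n";
}
echo count(query_safe($db, ['id' => '2'])), " row(s) from the safe query\n";
```

The point of the split into render_* and query_* is that "filtering" is two separate jobs: validation decides whether the value is acceptable at all (an id is an integer), while encoding and parameter binding make a value safe for one specific sink (HTML text, an SQL literal). Escaping for one sink does nothing for the other, which is why the hardened code does both.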
