Raising kids in this crazy world

As I’m about to have my first child, I’ve been thinking about the public education system he will probably suffer through just as I did, so it was well-timed that a Reddit commenter found this little gem about how school prepares us for a life of servitude and not one of leadership, free thought, or creativity.

It reminded me of the book by Charles J. Sykes, Dumbing Down Our Kids: Why American Children Feel Good About Themselves But Can’t Read, Write, or Add (worth it for the title alone). I found this book on my bookshelf today and noticed that I had written some sort of poem-like thing on the back page, presumably after reflecting on what I read in the first few chapters (I’m pretty sure that’s as far as I got). I’ll reproduce it for you here:

knowledge is important.
applying knowledge is also important.
knowledge is a necessary prerequisite.

learning is hard work.
making this seem untrue or avoidable
is popular and lucrative.
often, the result of catering toward this
interest is something other than learning.

we are not learning.
our laziness and desire to feel good
have obscured this.
we are being sold our own stupidity.
we pay a little for nothing instead of a lot
for something, and we believe this
to be a great deal.

Something to think about.

PMA Scanbots

I can’t think of any good reason why you’d want to put your phpMyAdmin installation in any of the following locations:

  1. /MYADMIN/
  2. /MYadmin/
  3. /MyAdmin/
  4. /PHPMYADMIN/
  5. /PHPMYadmin/
  6. /PHPmyadmin/
  7. /PMA/
  8. /PhPmYaDmIn/
  9. /admin/
  10. /admin/mysql/
  11. /admin/phpmyadmin/
  12. /admin/pma/
  13. /db/
  14. /dbadmin/
  15. /myADMIN/
  16. /myadmin/
  17. /mysql-admin/
  18. /mysql/
  19. /mysqladmin/
  20. /pHpMyAdMiN/
  21. /phpMYadmin/
  22. /phpMyAdmin-2.2.0/
  23. /phpMyAdmin-2.2.3/
  24. /phpMyAdmin-2.2.6/
  25. /phpMyAdmin-2.2.7-pl1/
  26. /phpMyAdmin-2.2.7/
  27. /phpMyAdmin-2.5.1/
  28. /phpMyAdmin-2.5.4/
  29. /phpMyAdmin-2.5.6/
  30. /phpMyAdmin-2.6.4-pl4/
  31. /phpMyAdmin-2.6.4/
  32. /phpMyAdmin-2.7.0-pl2/
  33. /phpMyAdmin-2.7.0/
  34. /phpMyAdmin-2.8.1/
  35. /phpMyAdmin-2.8.2.1/
  36. /phpMyAdmin-2.8.2.2/
  37. /phpMyAdmin-2.8.2.4/
  38. /phpMyAdmin-2.9.0.1/
  39. /phpMyAdmin-2.9.0.2/
  40. /phpMyAdmin-2.9.0/
  41. /phpMyAdmin-2.9.1/
  42. /phpMyAdmin/
  43. /phpmyADMIN/
  44. /phpmyadmin/
  45. /phpmyadmin2/
  46. /pma/
  47. /pmamy/
  48. /web/phpMyAdmin/

It’s a jungle out there.
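As an added example (not code from the original post), here is a small Python script that does the check a practitioner would want after seeing a list like this: it parses Apache combined-format access log lines, flags any request whose path matches one of the probe locations above (case-insensitively, including the versioned phpMyAdmin-x.y.z directories), groups probes by source IP so a scanner stands out, and, more importantly, reports any probe that was answered with a 200, because that means phpMyAdmin really is sitting where the bots expect it. The log lines, IP addresses and timestamps are constructed for the example.

```python
"""Flag phpMyAdmin probe requests in Apache combined-format logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# One regex covering every path in the list above: case-insensitive, optional
# "web/" or "admin/" parent, and the versioned phpMyAdmin-x.y.z(-plN) directories.
PMA_PROBE_RE = re.compile(
    r"""^/
        (?:web/|admin/)?
        (?:
            phpmyadmin(?:2|-[0-9][0-9a-z.\-]*)?
          | myadmin | pma | pmamy | db | dbadmin
          | mysql | mysql-admin | mysqladmin | admin
        )
        (?:/|$)""",
    re.IGNORECASE | re.VERBOSE,
)

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one scanner, one ordinary visitor, and one request that
# shows phpMyAdmin actually answering where the bots look. IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:03:14:01 -0500] "GET /phpMyAdmin-2.6.4-pl4/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:03:14:01 -0500] "GET /PhPmYaDmIn/main.php HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:03:14:02 -0500] "GET /pmamy/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2007:03:14:02 -0500] "GET /admin/mysql/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.22 - - [12/Mar/2007:03:20:45 -0500] "GET /posts/raising-kids/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2007:03:21:10 -0500] "GET /db/ HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2007:03:22:00 -0500] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> dict[str, str] | None:
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pma_probe(path: str) -> bool:
    """True if the request path (query string ignored) starts with a probe location."""
    return PMA_PROBE_RE.match(path.split("?", 1)[0]) is not None


def find_scanners(lines, threshold: int = 3) -> dict[str, list[str]]:
    """Map source IP -> distinct probe paths, for IPs that tried at least `threshold`
    different locations (a human mistyping one URL does not walk the whole list)."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_pma_probe(rec["path"]):
            hits[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


def exposed_paths(lines) -> list[str]:
    """Probe paths that were answered with 200: phpMyAdmin really is there."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200" and is_pma_probe(rec["path"]):
            found.add(rec["path"])
    return sorted(found)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, paths in find_scanners(lines).items():
        print(f"scanner {ip}: {len(paths)} probe paths, e.g. {paths[0]}")
    for path in exposed_paths(lines):
        print(f"EXPOSED: {path} returned 200")
```

The threshold on distinct probe paths is what separates a scanner from a stray 404: the bot in the sample walks four names in two seconds, while the ordinary visitor trips one. The exposed-paths check is the one that actually matters for your own server, since a 200 on any of these names means the install is one wordlist away from a login brute-force; the fix is to serve phpMyAdmin from a non-guessable path behind authentication, or not from the public web at all.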

Better password hashing for PHP

I’ve been reading and re-reading this article, which explains the problems with MD5 as a password hashing technique and gives alternatives that are more secure. The author declares bcrypt the winner, though it seems to be practically available only on BSD. I did some searching around for a PHP solution and found a library called phpass, which will use the Blowfish-based bcrypt method if the system’s crypt() supports it, and otherwise fall back on extended DES crypt or its own portable scheme built from salted, iterated MD5. The library is really easy to use, and I think I will start using it on future projects where I can control the password hashing scheme.

Also, apparently, I’ve had the wrong idea about what a “salt” is. Appending a constant string to the password before hashing it is not a salt; it just defines a different hash function, which is exactly as easy to attack with a rainbow table once the constant is known (i.e. security through obscurity), and it still maps every user who picked the same password to the same hash. To use a salt correctly you generate a fresh random salt for each password you hash and store it in the clear alongside the hash. The salt does not need to be secret, only unique: that is what makes precomputed tables useless and forces an attacker to work on each hash separately. This is what crypt has been doing for decades.
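To make the difference concrete, here is an added example in Python (not code from the article or from phpass) that puts the two schemes side by side: MD5 over a hypothetical application constant plus the password, versus MD5 over a per-password random salt that is stored in the clear in a crypt-style record. MD5 is kept in both so that the salt is the only variable; the APP_CONSTANT, the user accounts, the wordlist and the "$demo$" record format are all invented for the example. Two things fall out: under the fixed prefix, two users with the same password get the same hash and one precomputed table cracks everyone at once, whereas with random salts no table can be prepared ahead of time and the wordlist has to be re-run against every account.

```python
"""Why a fixed prefix is not a salt (added example, not code from the post or phpass)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Hypothetical application constant prepended by the "wrong" scheme. It is assumed to
# be known to the attacker, which is the security-through-obscurity situation above.
APP_CONSTANT = "MyAppSecret"

# Constructed sample data: four accounts, two sharing a password, and a tiny wordlist.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "hunter2", "dave": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def constant_prefix_hash(password: str) -> str:
    """The scheme the post warns about: MD5 over a fixed string plus the password."""
    return hashlib.md5((APP_CONSTANT + password).encode()).hexdigest()


def salted_hash(password: str, salt: str = "") -> str:
    """Per-password random salt stored in the clear beside the digest.

    MD5 is kept on purpose so the salt is the only difference from the scheme above;
    a real deployment should use bcrypt via phpass, as the post recommends.
    The "$demo$<salt>$<digest>" layout is a hypothetical crypt-style record format.
    """
    if not salt:
        salt = secrets.token_hex(8)  # 64 bits from the OS CSPRNG, fresh for every password
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-hash with the salt taken from the record; the salt never needs to be secret."""
    salt = stored.split("$")[2]
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_constant_prefix(stored: dict[str, str]) -> tuple[dict[str, str], int]:
    """One precomputed table (the rainbow-table case) cracks every account at once.

    Returns (cracked {user: password}, number of hash computations performed).
    """
    table = {constant_prefix_hash(word): word for word in WORDLIST}  # built once, reused forever
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(stored: dict[str, str]) -> tuple[dict[str, str], int]:
    """With per-password salts no table can be built in advance: the wordlist must be
    re-hashed under each account's salt, so the work grows with the number of accounts."""
    cracked: dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        salt = record.split("$")[2]
        for word in WORDLIST:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), record):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    bad = {u: constant_prefix_hash(p) for u, p in USERS.items()}
    good = {u: salted_hash(p) for u, p in USERS.items()}
    print("alice == bob under fixed prefix:", bad["alice"] == bad["bob"])
    print("alice == bob under random salt: ", good["alice"] == good["bob"])
    print("fixed prefix:", crack_constant_prefix(bad))
    print("random salt: ", crack_salted(good))
```

Running the script shows alice and bob colliding under the fixed-prefix scheme but not under the salted one, and the salted records costing one wordlist pass per account instead of one pass total. That multiplication is the whole job of the salt; making each pass slow is the job of the work factor, which is why bcrypt pairs the two and why phpass exposes a cost parameter alongside its random salts.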