Mighty Seek

The Sierra Network (ImagiNation) - Lives again

July 3rd, 2007

Back in the early 90s, yes, back even before most had heard of the Internet and geeks spent most of their time on BBSs, there were a few online services trying to get going. AOL, Prodigy and CompuServe were fairly well known, but there was one other that stole my heart: the ImagiNation Network, primarily MedievaLand and its first game, The Shadow of Yserbius.

Way back before World of Warcraft, Neverwinter Nights and Ultima Online there was The Shadow of Yserbius, which really set the bar for online gaming.

The whole network was unbelievable in its scope. You could play the D&D style Yserbius, play card games at the club house, gamble at CasinoLand, have simulated dog fights in the Red Baron game, play the popular Boogers game, and even get help with your homework.
To this day I have not seen anything to match the fun and variety that I had the privilege to experience back in the days when I was spending thousands of dollars and endless hours experiencing life “online”.

I have cherished my memories of those days and have copies of all the old software and hacks, which I have kept faithfully for the last 15 years. I have joined a couple of efforts to re-create the world, but all have failed… until now. A guy who goes by the name of byoung was able to re-create the server so that the old client software works in DOSBox, which redirects the modem calls over TCP/IP. His website has all the software and directions to get set up very easily. It took me all of 10 minutes to get everything installed and working. **To make it even easier to get started, use the installer I created.**

I spent about 4 hours online yesterday playing The Shadow of Yserbius with a few other people and building up my character. Oh man, have I forgotten a ton, but the memories flooding back are a total blast. Even if you never played back in the day, I encourage you to get set up with it and join the growing community of users. If you let me know you will be in, I will be glad to join you for any game you like. I'm having fun re-discovering all the cool stuff in this world of ImagiNation.


iPhone - I don't get the hype

June 30th, 2007

It's crazy… I really just don't get this craziness over an insanely priced cell phone. Now keep in mind, I live with my video iPod; it goes everywhere with me, and most of the TV and movies I see these days are on the thing. I also look forward to the day that I can have a single device so that I don't have to carry both the iPod and a cell phone.

However, the iPhone just isn't it for me. It's cool, and it's heading toward the dream of having a single device, but for $600 and having to switch to a crappy cell phone carrier, NO THANKS. Aside from the price and the cell phone carrier monopoly, I really just can't stand touch pad phone buttons. I need to be able to dial without looking, and I can only do that with actual buttons. Touch screens wear out and become a pain when you try to push the button you want. I'm sure you are all experienced in using the touch screens at the market when you pay by debit card, and the hassles when they start wearing out. Do we really want that on our cell phone, where we have a $600 price tag to replace the thing? Not me.


Planet Websecurity

June 29th, 2007

For those trying to follow the latest news of our web app sec community, someone has finally set up a feed planet called Planet Websecurity that I’m really impressed with. No, at this time MightySeek is not yet part of the RSS mashup, but I do hope to be at some point.

For those not familiar with Planet sites, they are basically RSS readers which download other RSS feeds and merge them into a single feed. This means you can subscribe to one and get all the postings from all the feeds in the Planet.

Visit Planet Websecurity to see this in action.


Why is it so hard to code secure web apps?

June 29th, 2007

After my run-in with vBulletin I began a search for a secure and stable open source forum solution. My first thought was to find out what was running on sla.ckers.org, so I put in a call to rsnake and was told to keep looking because his solution sucked as well and he was still on the hunt for a replacement. I’ve been looking at a bunch of the apps out there and so far I haven't been all that impressed with the security design of the forum apps I’ve looked at.

This makes me wonder if web app sec is ever going to succeed, or if the web is just doomed to have problems for all time. Forum software is a very good example of the problem with many web apps, and with web app development in general. To start, it's a very simple application, which if done right can be done securely. Of course, the major challenge is that you're taking user input and displaying it to other users. This immediately means you're most likely storing the data in a database, which means you must secure against SQL injection attacks. OK, that's not too hard, so that can be done. Next you need to make sure you're filtering the inputs on the way in to remove any HTML tagging, and escaping on the way out to be safe. The XSS part is a bit harder because there are clever people out there using a ton of different ways to bypass any filtering/escaping you do. However, this can be accomplished with some focused attention, and you will then have a simple, secure and stable forum application.

So what's wrong with this? Feature creep.
Now that you have a basic forum in place, people will want to be able to format their text, which means you need to allow some HTML tags, or have some custom tags like BBCode which you then convert to real HTML tags. At this point things are starting to get a little tougher, but with diligence it's still all workable. Next users want to upload attachments, have avatars, have all sorts of moderation features, and so on and so on. Then, to make matters even worse, new developers join the project and they are not always as aware of or concerned about security issues, and soon the application is as buggy and vulnerable as the forum software you are trying to replace.

Is this solvable? Yes, but only with diligence, hard work and auditing. Did I mention hard work?
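To make the three points above concrete, here is an added example of a minimal forum post handler in PHP. It is not code from this post, from vBulletin, or from any forum project mentioned here. It assumes PHP 7.4 or later with the pdo_sqlite extension, uses an in-memory SQLite database so it runs stand-alone, and the function names (openDb, storePost, fetchPost, renderBody, demo) and the hostile sample input are invented for the example. It shows the way in (a prepared statement, so user text never enters the SQL grammar), the way out (escape everything, then convert a small BBCode whitelist into fixed HTML), and why doing the escaping before the BBCode conversion keeps a javascript: link or a script tag from ever reaching the browser as markup.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post or any forum project it mentions.
// Uses an in-memory SQLite database via PDO so it runs stand-alone; the
// function names are invented for this example.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Way in: store the text exactly as typed. The prepared statement keeps the
// values out of the SQL grammar, which is the SQL injection defence; no
// quoting of $author or $body is needed (or wanted) here.
function storePost(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchPost(PDO $db, int $id): array {
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Way out: escape everything first, then turn a small BBCode whitelist into
// fixed HTML. Because escaping runs before tag conversion, user text can never
// reach the browser as a raw tag or attribute; the only markup emitted is the
// markup literally written in this function.
function renderBody(string $body): string {
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $safe);

    // [url=...]: only http(s) URLs become links, and the already-escaped URL
    // goes into a double-quoted attribute (quotes and angle brackets were
    // turned into entities above). javascript: or data: URLs stay plain text.
    $safe = preg_replace_callback(
        '~\[url=(https?://[^\]\s]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

function demo(): string {
    $db = openDb();
    // Constructed hostile input: an injection attempt in the author field, a
    // script tag and a javascript: link in the body, plus one legitimate link.
    $author = "bob'; DROP TABLE posts; --";
    $body = "[b]hi[/b] <script>alert(1)</script>\n"
          . "[url=javascript:alert(1)]click[/url] "
          . "[url=https://example.com/?a=1&b=2]site[/url]";

    $id  = storePost($db, $author, $body);
    $row = fetchPost($db, $id);   // the table still exists: the ';' was data

    return '<p>' . htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . ' wrote:</p>' . renderBody($row['body']);
}

echo demo(), PHP_EOL;
```

Run it with `php forum.php`: the author string is shown literally, the script tag comes out as `&lt;script&gt;` text, the `[url=javascript:...]` stays as text because it does not match the `https?://` whitelist, and only the https link becomes an `<a>`. The ordering matters: if the BBCode were converted before `htmlspecialchars`, the escaping step would mangle the generated tags, and the usual "fix" of escaping only the pieces you remember to is exactly where the bypasses the post mentions creep in.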


Run-in with vBulletin - leasing software is intolerable

June 29th, 2007

I had been using vBulletin for a little over a year, since I started podPress and wanted a place for users to create a community and to provide support. The forums have been very successful and tend to have on the order of 20-30 postings a day, with many more viewers. Now vBulletin is commercial software, so I had to pay $85 to use it, and figured that donations would cover the costs. I mistakenly had thought the way the licensing worked was that after one year I could keep running the forums but could no longer get updates, which seemed fair enough to me.
Well, the license I did buy doesn't allow for that, and I had to find out the hard way. After my license had been expired a couple of months I received an email saying I was in violation, which I ignored on the assumption that it was a mistake or spam. I mean, why would software I paid for become invalid to use? It does when you purchase leased software!


SQL Injection mention on hype-free

April 27th, 2007

Every once in a while I try to find out if anyone is noticing my podcast. Well, I stumbled on a mention of the SQL Injection hands-on episode on hype-free.


MightySeek Interviews rsnake

April 19th, 2007

Today I had the pleasure of meeting up with a celeb of the web app sec world… rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview: I hooked up my mic and loaded up the recording software, then completely forgot to switch the input to my good mic, and ended up doing the recording on the lame mic that's built into my laptop.

In any case, here ya go.

 
Standard Podcast [41:57m]

PHP Security and the Month of PHP Bugs

March 10th, 2007

In this episode I discuss PHP security. Up until this point I have talked about web app sec in general, but I break from this in honor of the Month of PHP Bugs that is going on through March.

PHP has frequently been blamed for security problems in applications written in PHP, which really is no fault of the language and engine itself. It would be like everyone blaming C and C++ for being insecure and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed, and that is what is being highlighted by the Month of PHP Bugs.

So in this episode I discuss these issues, some of my past projects and some various other issues in PHP… It's so good to be back at the mic, even though I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!

 
Standard Podcast [65:34m]

podPress more than one year old

March 5th, 2007

Today I was pondering the success of the podPress project since it started, which got me trying to remember how long it's been. A quick look at the change log shows that I released the first version on Feb 2nd, 2006.

So, it's only a year and one month old!

What started as a quick hack to WordPress that I wanted to use to bring attention to my little podcast has become far more widely appreciated and used than I could have ever guessed.
I want to thank you all for your support and the thanks that I get in forum posts, emails and PayPal donations. They all matter very much to me and encourage my development to continue.

A special thanks also to macx who, over the last couple of months, has really taken the initial quick little stats feature and turned it into something impressive. It's always great fun when I can chat about code with another developer and enjoy the collaborative artistic effort that software development can be.


Stranger Things Podcast - Wow

March 3rd, 2007

As a long-time podcasting fan and supporter of the community I have been a fan of many shows, and impressed by a bunch of them. Some of my favorites (and I know I’ll end up forgetting some) have been Slice of Sci/Fi, Escape Pod, Filmspotting, The Signal, The Bitterest Pill, Verge of the Fringe, zeFrank, TikiBarTV and numerous Podiobooks (Sigler, Selznick, JC Hutchins, etc.), along with many, many more.

So when I say I was blown away by the efforts of Stranger Things (http://www.strangerthings.tv), it's not from a lack of experience with the brilliance and creativity in this community. It's because it's quite an impressive accomplishment. Audio is one thing, and it takes skill and hard work to do it well. Short video clips like those from zeFrank and TikiBarTV are also quite a bit of work and take great talent. But to produce a 30 minute long episode with decent acting, a cool story (from self-pimping Sigler) and very nice special effects… and to make it a free podcast. Wow.

I have a hell of a time just trying to get my show out once a month, and even that is wayyy behind on getting some episodes out (one is coming soon, btw).

Anyway, my props to the Stranger Things team, and I hope you are able to continue gaining an audience and some sponsorship/donations to help keep your show going.

 
Mighty Seek Podcast, MightySeek Podcast, Mighty Seek Blog, MightySeek Blog, Web application security podcast, Web application security blog, Web application development blog, Web application development podcast