[ale] OT: Why Big Sites Run Drupal

Michael H. Warfield mhw at WittsEnd.com
Sun May 6 16:18:50 EDT 2012


On Sat, 2012-05-05 at 21:24 -0400, Michael Trausch wrote:
> I fail to see how that relates to and/or mitigates the use of an
> interpreter that has a very shaky past, in terms of security. Yes, it is
> possible to shoot yourself in the foot as with C, but that's beside the
> point. Many vulnerabilities published are against PHP or its standard
> library.

> Point is, even the safest and most defensive programmers have no hope of
> security if the underlying components aren't themselves secure.

You assume that there is a way to discriminate this and you assume that
its state in the past and its history are reflective of its current
state.  Neither can be unambiguously substantiated or supported.

At one time, Sendmail was considered the buggiest piece of crap on the
face of the planet.  Buggier than a Florida swamp, it was called,
variously, the "Bug of the Month Club" or the "Bug of the Week Club".

There was a vastly more secure, solidly coded, monstrously HUGE
substitute for sendmail called MMDF (Multipart Memo Distribution
Facility aka "Military Mail" thanks to its use by the DoD and use on
high security Unix systems).  At one point, MMDF could easily be
declared the most used E-Mail transport thanks to SCO Unix ODT (Open
DeskTop or Open Death Trap, depending on who you ask).  It was the
default mailer on SCO Unix systems around the world and heavily used in
India back in the 80's and early 90's.  In the entire history of MMDF
dating back 25 or 30 years or so, I can recall only 1 minor security
advisory, less than even QMail.

So...   When have you last used MMDF?  Have you ever even seen an MMDF
installation?  Trust me...  You don't want to.  It's still out there.
You can still download it and install it.  Not sure it's still supported
but there is a site for it.

So...  Now we have Postfix and that's certainly a credible secure
replacement for Sendmail.  QMail is a joke.  Oh, it has its adherents
and proponents and it claims to still be maintained but, really?  I've
still got one QMail installation and it's high on my priority list to get
rid of that non-standard crap.  Oh, and smail is still around too.  :-P
Still, Sendmail rules the roost and it's stable and supported and has
been pretty darn secure for a long time.

Same thing can be said for BIND.  Early days, it was horribly insecure.
Still, it's ubiquitous.  Who's still using DJBDNS / TinyDNS?  Still a
few.  Most that I've known fall into the category of those who have
dumped TinyDNS for BIND and those who will.  I think OpenDNS still uses
it but they're also supporting DNSCurve as opposed to DNSSEC.  That
horse left the gate a long time ago and theirs came in "also ran"
AGAIN.  Time moves on.

PHP has certainly had its problems but remains popular.  It is what it
is what it is.  Deal and move on.

Regards,
Mike

> - mike
> On May 5, 2012 6:50 PM, "Leam Hall" <leamhall at gmail.com> wrote:
> 
> > PHP can be very secure and performant. However, like many good things it
> > is easy to get started and people don't always do the work to get better.
> >
> > Leam
> >
> > On 05/04/2012 03:23 PM, Jim Kinney wrote:
> > > PHP = Page Hijack Protocol
> > >
> > >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!