2007-05-01 12:28:36

Month of PHP Bugs: Please refrain from reporting them!

PHP is buggy

The PHP security consortium recently held the «Month of PHP Bugs». During that month, everyone was invited to submit bug reports to the PHP team.

However, Ed Finkler of the PHP security team had earlier announced officially that there were no security bugs in PHP. The announcement was, of course, padded out with the usual anti-Esser propaganda (see also «Bye Bye, Esser» under «PHP is broken»).

However, Esser himself had previously sent Finkler notices of about 20 unfixed PHP vulnerabilities. Seen from that angle, the entire statement looks like a big lie.

Esser therefore submitted 45 serious PHP security bugs to the Month of PHP Bugs. He was immediately roasted for disregarding the rules of «responsible disclosure». However, the majority of these bugs had already been known to the PHP security consortium in advance, which makes that accusation somewhat absurd.

Responsible disclosure only works if the maintainer of the affected product also responds within a reasonable time. This is why it is impossible to play the responsible disclosure game with a lot of the bigger companies, namely Microsoft, Apple, Cisco Systems and Oracle. (Cooperation with Cisco Systems actually does work acceptably as long as you are a Cisco customer. However, many of the people who discover security problems in Cisco IOS are not.)

And all that remains is this truthful logo...

Read the full story on http://blog.php-security.org/[...]-PHP-Bugs.html.

Posted by Tonnerre Lombard | Permanent link | File under: programming, news

2007-04-30 22:49:55

Another note on PHP and errors

I had to debug a rather large piece of PHP code today, and discovered a bunch of weird behaviors:

First of all, if the pgsql.so PHP extension is not loaded and PostgreSQL functions are called, PHP does not produce any errors; it just fails silently.

Then, pg_connect() may fail. This, of course, generates error messages. These error messages can be retrieved by calling pg_last_error() after pg_connect(). This produced the following output:

Could not connect:

Ah, so that's why.
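How to avoid both surprises, as an added example that is not code from the original post. Two facts explain the behaviour above: calling pg_connect() without ext/pgsql loaded is a fatal "undefined function" error, which with display_errors=Off leaves no visible trace; and a failed pg_connect() returns false and raises an E_WARNING carrying libpq's reason, but there is no connection resource yet, so pg_last_error() has nothing to report. The wrapper below checks the extension explicitly and captures the warning text itself. The DSN (host, database, user, password) is a placeholder, and PHP 5.3 or later is assumed for the closure.

```php
<?php
// Added example, not from the original post: connect to PostgreSQL from PHP
// without either of the silent failures described above.
// The DSN below is a placeholder; PHP >= 5.3 is assumed (closure syntax).

function pg_connect_checked($dsn)
{
    // Case 1: ext/pgsql not loaded. pg_connect() would then be an undefined
    // function, a fatal error that prints nothing when display_errors=Off.
    if (!extension_loaded('pgsql')) {
        throw new RuntimeException(
            'ext/pgsql is not loaded (check extension=pgsql in php.ini)'
        );
    }

    // Case 2: pg_connect() fails. It returns false and emits an E_WARNING
    // containing libpq's reason, but no connection resource exists yet, so
    // pg_last_error() cannot return it (hence "Could not connect: " followed
    // by nothing). Capture the warning with a temporary error handler, which
    // also keeps it out of the HTML sent to the browser.
    $reason = '';
    set_error_handler(function ($errno, $errstr) use (&$reason) {
        $reason = $errstr;
        return true; // handled here; PHP must not print it itself
    }, E_WARNING);
    $conn = pg_connect($dsn, PGSQL_CONNECT_FORCE_NEW);
    restore_error_handler();

    if ($conn === false) {
        // Report the libpq message, never the DSN: the DSN holds the password.
        throw new RuntimeException(
            'Could not connect: ' . ($reason !== '' ? $reason : 'no reason reported')
        );
    }
    return $conn;
}

try {
    // Placeholder DSN; in real code read it from configuration outside the web root.
    $db  = pg_connect_checked('host=localhost dbname=app user=app password=secret');
    $res = pg_query($db, 'SELECT version() AS v');
    $row = pg_fetch_assoc($res);
    echo "Connected to " . $row['v'] . "\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());     // full reason goes to the server error log
    echo "Database unavailable\n";   // generic message for the user
    exit(1);
}
```

The split between error_log() and the generic message matters: with display_errors=On the raw pg_connect() warning would otherwise be shown to every visitor, including the host name and user from the DSN.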

Posted by Tonnerre Lombard | Permanent link | File under: programming

2007-04-26 21:38:43

Microsoft closes deal with Samsung

Microsoft closed a patent cross-licensing deal with Samsung on April 19th.

Both Microsoft and Samsung are companies which are heavily armed with patents in the software area. Samsung is one of the major sellers of tech equipment, especially embedded devices. For quite a few of their devices, they use Linux as the embedded operating system.

Microsoft, however, has its own embedded operating system, Windows CE. It is mainly a big, barely portable chunk of code which uses their famous microkernel approach in order to load drivers for the hardware it runs on. Microsoft also owns a couple of patents on software techniques that Linux uses as well (so-called trivial patents). Based on these patents, many of which have not yet been examined in court, Microsoft claims ownership of nothing less than the Linux operating system itself.

This approach is not new. Microsoft recently convinced Novell to agree to an «extended partnership» which included a patent deal. In the course of this, Novell removed such useful things as laptop-optimized font rendering from its Novell Linux (formerly SuSE Linux) distribution. The question remains whether this was actually in the interest of the customers.

As a side note, in terms of annual turnover, Microsoft and Samsung play in roughly the same league.

Posted by Tonnerre Lombard | Permanent link | File under: news

2007-04-25 21:44:36

IPRED2 adopted

Today (Apr 25, 2007), the European Parliament signed off on the IPRED2 directive relatively unchanged, despite heavy resistance from Open Standards lobbyists.

IPRED2 is the second part of the Intellectual Property Rights Enforcement Directive. It introduces criminal sanctions for infringements of intellectual property rights such as copyright, patent law or trademark law. However, the infringements in question are not defined very clearly, so this law actually creates great legal uncertainty about which kinds of infringement are criminal.

Once this directive is transposed into national law in a couple of years, a long period of legal uncertainty is bound to follow. IPRED2 will greatly support the current strategy of big corporations of drying out innovation by suing small companies out of business. It is also highly probable that the directive will harm free and open source software, because there is an ongoing attempt to flood the market with trivial patents that apply to Open Source software, so that it would practically have to be licensed from literally thousands of companies holding patents on elements as simple as clickable buttons.

The problem is that IPRED2 is going to be handled under criminal law, not civil law. This means that, for example, an invalid patent will be dealt with in a «shoot first» manner: the CEO of a small company goes to jail first for infringing on the patent, and then has to challenge the patent from jail in order to be rehabilitated. This is because patents are supposedly not a matter of criminal law, even though they effectively create criminal law.

This also has weird implications, since the European Patent Office is now capable of creating criminal law by granting patents. On the other hand, every government official is supposed to be able to tell you whether or not you are a criminal. If you now go to your favourite government official and ask whether you are a criminal, he cannot give you a definitive answer without going through millions of patents and reading millions of books to assess whether or not you are actually infringing on intellectual property rights.

Since this is impracticable, IPRED2 clearly puts one of the major properties of a constitutional state out of order: legal certainty...

More information can be found on http://www.ipred.org/. The FFII press release is at http://press.ffii.org/Press[...]%2C_Innovators

Posted by Tonnerre Lombard | Permanent link | File under: general, chaos, news, politics

2007-04-24 12:17:48

Happy Birthday, ZX Spectrum

The ZX Spectrum home computer celebrates its 25th birthday today!

The ZX Spectrum was officially released by Sinclair on April 24th, 1982. It featured a Zilog Z80 processor clocked at 3.5MHz, 16kB of ROM and 48kB of RAM. With its resolution of 256x192 pixels it could display games such as Rebelstar II, and it could even run the CP/M operating system.

So if you still have an old ZX Spectrum in the attic, take it out today and hug it.

Posted by Tonnerre Lombard | Permanent link | File under: chaos