About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for Sep 2005

eDonkey's Retirement

My former employer, MetaMachine, is retiring from the P2P industry. I think Sam makes some very good points in his testimony to the Senate Judiciary Committee:

First: Because the Grokster standard requires divining a company's "intent," the decision was essentially a call to litigate. This is critical because most startup companies just don't have very much money. Whereas I could have managed to pay for a summary judgment hearing under Betamax, I simply couldn't afford the protracted litigation needed to prove my case in court under Grokster. Without that financial ability, exiting the business was our only option despite my confidence that we never induced infringement and that we would have prevailed under the Grokster standard.

Second: The court specifically cites that Grokster's marketing to "former Napster users indicates a principal, if not exclusive intent to bring about infringement." Is this really proof of intent to induce infringement? Does this mean that every advertiser that has advertised in the eDonkey software also has a similar intent? I should hope not, because last summer the campaigns of both President Bush and Senator Kerry ran advertisements on eDonkey. Were they really both courting the "swing infringement vote" or could they have had some other "intent?"

My final point on Grokster is that its inducement standard cannot serve as a long-term equilibrium. Imagine if since eDonkey's inception not only had we not made any statements inducing infringement - but also that we made no statements at all - and instead simply put up a website that read "eDonkey is a peer-to-peer file-sharing application." It seems to me that would not qualify as "affirmatively and actively inducing infringement." If we had never made any other statements would we be in the clear now? If so, new P2P applications will inevitably spring up and easily satisfy Grokster in this way. If we would not be in the clear then the effect of Grokster will go far beyond merely chilling innovation - it will almost certainly freeze it in its tracks.

He wraps up by making a few additional points, one of which is the increasing pressure that innovators are under to do business outside of the US:

As it is, many companies and would-be entrepreneurs simply cannot be sure of where they will stand with respect to the law. As you know, eBay recently acquired the P2P company Skype for more than two billion dollars. Note that Skype was founded offshore; it would be a real tragedy and a blow to our economy should all technology entrepreneurs take their innovations offshore.

In the past decade or so, I've observed an increasing tendency for big businesses to depend on litigation rather than innovation in order to remain relevant. Microsoft, the MPAA, the RIAA, etc., are all guilty of this. I suppose it's the path of least resistance, but it's really hurting the US's position as the technology leader. In fact, I'm sure some would argue that the US has already lost that crown.

Terry Chay on Remote Scripting (Ajax)

If you missed Terry Chay's OSCON talk this year, you're in luck - he has made the talk temporarily available from his web site. Because Brain Bulb has plenty of bandwidth and disk space, I offered to host the video there, so that it has a permanent home:

The video is great - it's really almost as good as seeing the talk live, because you get to see Terry speaking as well as his slides (the slides are shown every time there is a transition or some of Terry's famous Keynote magic happening). I guess it helps that Caitlin happens to be an expert at this video stuff. :-)

Here is Terry's original abstract:

Remote Scripting has been with us for five years now, but Google Gmail and Google Maps have brought it to the forefront. The XMLHTTPRequest object is the most common implementation of the Remote Scripting Pattern, which empowers the web developer to turn their websites into rich client-side applications; all it takes is a little bit of server-side programming and a whole lot of Javascript.

This talk hopes to answer: What do we gain by Remote Scripting? What do we lose? How does one implement it? What is the XMLHTTPRequest object? What are the pitfalls of Remote Scripting? Why do I hate all browsers?

In this talk, Chay shows how Plaxo has used Remote Scripting for the last year in its web client to create a dynamic web-based PIM. Through some toy demonstrations, Chay also shows how one can do this on the server-side using PHP and on the client-side using Javascript and a whole lot of patience.

User Group Tour

I'll be speaking at NYPHP tomorrow night (Tue, 27 Sep 2005). Directions and other details are available on the web site. If you're in (or near) New York, I hope you'll join us.

I'm also going to be speaking at BostonPHP next week (Thu, 06 Oct 2005). I've never been to Boston, so it should be fun.

My Google?

Google is now redirecting users to My Google (or "Personal Home" or whatever they call it) if you happen to be logged in. I'm not a big fan of this behavior, but there's a link at the top to return to Classic Home, and this preference is persistent. It's still a bold move for a site that has a solid reputation for simplicity.

If you Add Content and choose Create a Section, you can search for content to add to your personal home. I was happy to see my blog listed for php security:

Chris Cornutt Has a Blog

Chris Cornutt (enygma), of PHPDeveloper.org fame, finally has his own blog. In his words:

I figure that being able to express things here (without having to worry too much that people won't think it's news) will be a nice change. There's been a lot going on in the PHP community - really the web as a whole - and having more of an open forum to express some ideas about it all will be a nice change of pace.

Are you subscribed?

New Design

For those of you who visit my personal web site, you'll notice that things look a bit better. Thanks to the design talent of Amy Hoy, both shiflett.org and brainbulb.com have had a bit of a makeover.

This has actually been finished for a while, but I've been far too busy to deploy it. I expect quite a few things to be broken, but I'll hopefully have everything running smoothly again in a few days.

Now it's time to redesign the code. :-)

PHP Security by Example

I gave three talks at this year's phpworks conference. The most popular was PHP Security by Example, a talk that consists entirely of exercises. This approach is unique in the sense that the focus is on first exploiting vulnerable code and then fixing it. I think seeing how easy some exploits are gives people a better appreciation and understanding of the safeguards.

The slides are available in PDF and Flash format:

I'll post the slides to the other talks soon.

Essential PHP Security Is Finished!

A little over a month ago, I finally finished writing Essential PHP Security, a guide to secure PHP programming that I've been working on in my spare time for quite a while.

I'm really happy with the results. The people at O'Reilly have been great to work with, and I was lucky enough to have some of the best technical reviewers an author could ask for (Adam, David, George, and John). The result is a lean 150 page guide that covers what I feel are the most important topics with which a PHP developer should be familiar.

The book is due to be published in October (in time for the Zend PHP Conference and Expo), but you can buy it from Amazon today. As Adam jokingly suggests in his infamous email signature, "avoid the holiday rush - buy your copy today!"

I focus on Apache and MySQL, but the principles apply to any platform. In fact, web developers using languages other than PHP might learn something. I hope so. :-)

Each chapter focuses on a specific category of PHP development, and you are shown the most common and dangerous attacks associated with that particular category. Here is the final table of contents:

Preface
    Foreword by Andi Gutmans

1. Introduction
    PHP Features
        Register Globals
        Error Reporting
    Principles
        Defense in Depth
        Least Privilege
        Simple Is Beautiful
        Minimize Exposure
    Practices
        Balance Risk and Usability
        Track Data
        Filter Input
        Escape Output

2. Forms and URLs
    Forms and Data
    Semantic URL Attacks
    File Upload Attacks
    Cross-Site Scripting
    Cross-Site Request Forgeries
    Spoofed Form Submissions
    Spoofed HTTP Requests

3. Databases and SQL
    Exposed Access Credentials
    SQL Injection
    Exposed Data

4. Sessions and Cookies
    Cookie Theft
    Exposed Session Data
    Session Fixation
    Session Hijacking

5. Includes
    Exposed Source Code
    Backdoor URLs
    Filename Manipulation
    Code Injection

6. Files and Commands
    Traversing the Filesystem
    Remote File Risks
    Command Injection

7. Authentication and Authorization
    Brute Force Attacks
    Password Sniffing
    Replay Attacks
    Persistent Logins

8. Shared Hosting
    Exposed Source Code
    Exposed Session Data
    Session Injection
    Filesystem Browsing
    Safe Mode

A. Configuration Directives

B. Functions

C. Cryptography
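
As an added illustration of the "Filter Input" and "Escape Output" practices listed in Chapter 1, applied to the SQL injection and cross-site scripting attacks of Chapters 2 and 3, here is a vulnerable search handler next to a hardened one. This is example code written for this page, not code from the book or from the original post; the `$db` connection, the `articles` table, its `title` column, and the `q` request parameter are all assumptions made for the demonstration.

```php
<?php
// Added example (not from the book or the original post): "Filter Input,
// Escape Output" shown as a vulnerable snippet beside its hardened form.
// Assumptions for illustration: a mysqli connection $db, a table `articles`
// with a `title` column, and a request parameter `q`.

declare(strict_types=1);

// --- Vulnerable: raw request data flows into SQL and HTML unchanged. ---
function search_vulnerable(mysqli $db, array $get): string
{
    $term = $get['q'];  // no filtering at all

    // SQL injection: $term is interpolated straight into the query, so a
    // value such as  ' OR '1'='1  rewrites the WHERE clause.
    $result = $db->query("SELECT title FROM articles WHERE title LIKE '%$term%'");

    // Cross-site scripting: the term is echoed back without escaping, and so
    // is every row from the database (stored data is not trusted either).
    $html = '<h2>Results for ' . $term . '</h2>';
    while ($row = $result->fetch_assoc()) {
        $html .= '<p>' . $row['title'] . '</p>';
    }
    return $html;
}

// --- Hardened: filter input, then escape output for each destination. ---
function search_hardened(mysqli $db, array $get): string
{
    // Filter input: accept only the type and shape we expect, reject the rest.
    // Anything that passes is copied into a separate array so that later code
    // can tell filtered data from raw $get data (the "Track Data" practice).
    $clean = [];
    if (isset($get['q']) && is_string($get['q'])
        && preg_match('/^[\p{L}\p{N} .,\'-]{1,64}$/u', $get['q'])) {
        $clean['q'] = $get['q'];
    } else {
        return '<p>Invalid search term.</p>';
    }

    // Escape for SQL by never building SQL from data: bind a parameter.
    // LIKE wildcards are a separate concern from quoting, so % and _ are
    // still neutralised (MySQL's default LIKE escape character is backslash).
    $pattern = '%' . addcslashes($clean['q'], '%_\\') . '%';
    $stmt = $db->prepare('SELECT title FROM articles WHERE title LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $result = $stmt->get_result();

    // Escape output for HTML, including values that came from the database.
    $html = '<h2>Results for ' . h($clean['q']) . '</h2>';
    while ($row = $result->fetch_assoc()) {
        $html .= '<p>' . h($row['title']) . '</p>';
    }
    return $html;
}

// One escaping helper for the HTML context; other contexts (URLs, JavaScript,
// shell commands) each need their own escaping function.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

The two functions take the same arguments, so the difference is entirely in where the data is checked and where it is escaped: the whitelist regular expression decides what a search term may be, the prepared statement keeps data out of the SQL grammar, and `h()` is applied at the point of output rather than at the point of input.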

I plan to launch a companion web site in time for the book's publication, and I will post code samples (I created a few utilities in order to demonstrate some attacks) and aggressively keep up with any errata that are discovered.

Now, I can finally start contributing to other things again. :-) I hope you enjoy the book, and I hope it helps.