Tag Archives: Security

MySQL App User Privileges

Here is a basic MySQL tip regarding application users:

When building applications that use MySQL, it is a best practice to create a MySQL application user that is dedicated to your app and has privileges to access only the database it is assigned.

With the latest version of phpMyAdmin, you can do this all in one step in the Add New User screen. Look for this fieldset and check the “Create database with same name and grant all privileges” box:

[Screenshot: the “Database for user” fieldset in phpMyAdmin’s Add New User screen]

You can then retract privileges from the given database. For example, if the app is only going to need SELECT and you are uploading tables manually, you can uncheck everything except the SELECT box. Or maybe the user needs only standard CRUD operations, in which case you can assign it SELECT, INSERT, UPDATE, and DELETE. As a best practice, you want your user to have only the minimum privileges it needs for the app to function.
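As an added example (not part of the original post), here is the same setup done in plain SQL rather than through phpMyAdmin, including the trim-back step and a check of the result. The database name app_db, the user name app_user, the host and the password are placeholders:

```sql
-- Added example, not the post's own: a dedicated application user by hand.
-- app_db, app_user, the host and the password are placeholders.

-- 1. Create the database and the user. Pin the user to the host the app runs
--    from (here 'localhost') instead of '%', so a leaked password cannot be
--    used from anywhere else.
CREATE DATABASE app_db;
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'replace-with-a-strong-password';

-- 2a. Read-only app whose tables are loaded manually:
GRANT SELECT ON app_db.* TO 'app_user'@'localhost';

-- 2b. Or, for an app that needs standard CRUD operations:
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_user'@'localhost';

-- If you started from "grant all privileges" (what the phpMyAdmin checkbox
-- does) and want to trim it back, revoke everything on that database and
-- re-grant only what the app needs:
REVOKE ALL PRIVILEGES ON app_db.* FROM 'app_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_user'@'localhost';

-- 3. Verify. The output should list only the grant above on app_db.*; the
--    "GRANT USAGE ON *.*" line is the empty baseline and is expected. Anything
--    else ON *.* (FILE, SUPER, PROCESS, GRANT OPTION) means the user has more
--    than the app needs.
SHOW GRANTS FOR 'app_user'@'localhost';
```

The verify step is the part worth keeping as a habit: run SHOW GRANTS after any change in phpMyAdmin too, since the privilege checkboxes are easy to misread and a user that looks scoped to one database may still carry a global privilege.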

Toothpaste

Today I had my toothpaste confiscated from the airline security people as I went through. They said my toothpaste tube was too big. I pointed out that it was 90% empty, and only a few CCs of product remained in this flattened tube, but they were convinced that this dangerous piece of contraband was too risky.

We live in a very strange world where toothpaste and shampoo are not allowed on airplanes. I already had to take off my jacket, my coat, my belt, and my damn shoes. Now they deny me the ability to conduct basic personal hygiene. Flying is now an exercise in abject humiliation. Being rushed through the line while you fumble for your flight pass and try to get your laptop computer out while throngs of stressed out and impatient travelers and DHS employees watch you practically strip to your underwear. Imagine how much money is spent on placebo airport security. In some sense here, the terrorists have won, because I’m sure they are laughing their asses off at us every time we disrobe at the airport.

Google Spam Filter

An interesting byproduct of a workaround I recently did to temporarily patch a bug with downloading my email has been a dramatic decrease in the volume of spam coming in to my email account, and I like it.

I’ve been a big fan of SpamSieve to filter out 99% of the crap that gets thrown at my inbox, and it works beautifully. However, as time has marched on, a recent trend in spam headers has caused my default email reader, Microsoft Entourage 2004, to get stuck on occasion. Those occasions have increased from sporadic to daily to now hourly in the past couple of days. Aggravating. I have to go into the server and unstick it by finding potential spam messages with the bad headers and deleting them.

I’m not really sure what the header in question is, or why Entourage throws up its hands every time it encounters this thing, but as of today I officially don’t care. Because to get around the problem for a few hours and to save my sanity, I decided to activate POP3 access for my Gmail account, and to just have my sanbeiji.com email get forwarded to there.

Since I hadn’t really used my Gmail account much since setting it up, I wasn’t really familiar with how well it worked or how much I’d like the features. Truth is now, I love it for one thing: The spam filtration rocks.

Finally, some server-side relief that I can depend on. I was wondering why I was getting so little email all of a sudden. It seemed to work if I sent test messages, but where was all the spam going?

Aye, to the heap it went.

Goodbye, you whores of the spam netherworld! No longer do I have to waste my bandwidth on downloading another “Warmest Greeetings and Salutations!!!” letter from His Royal Highness the Captain Cornholio of Lagos, Nigeria. Gone are the ridiculous and misspelled offers for mortgages, Viagra, and pr0n.

Privacy Concerns

If you don’t like the idea of all your email getting passed through Google’s servers and getting sniffed because Google might one day arbitrarily hand over records about you to the authorities, you could always encrypt using PGP or S/MIME. Granted they have a marginally better track record going than other ISPs and Yahoo, but better to be safe than sorry.

Update: There’s even an S/MIME extension for Gmail. Also, my PGP key is listed in the PGP Global Directory.

Music Teachers: Fraud Alert

There is a new scam going around that targets music teachers. The assholes trawl Craigslist and other sites looking for independent private music teachers to rip off. Basically they pretend to be sending a child from another country to your location to study, vacation or whatever, and they want to set them up with music lessons while they’re in town. They then send you a supposed check which invariably turns out to be way too much money; they mention they sent too much, and just ask you to deposit the check and send them a refund. Of course the check is fraudulent, and you wind up sending them free money and getting in trouble at the same time.

Yingwen got one of these today and luckily she saw some earlier reports posted on Craigslist that resembled the pattern. Some of the obvious signs are:

  • Email is from another country, sending a child to your town.
  • Spelling, punctuation, and grammar are crap.
  • Name of sender is totally improbable.

More info:

Scam Alert at PianoTeachers.com
Violin Teacher Scam at joewein.de
Teachers.net Classifieds Fraud Alert

Zend/PHP Conference, Days 1 & 2

I’ve been here the past couple of days at the Zend PHP conference in Burlingame. Quite a good show all around so far. This is the first event of a planned annual series, and from what I hear the attendance has greatly exceeded expectations. Looking forward to many more of these.

Yesterday I attended an all-day refresher session given by Marco Tabini. This was actually a really helpful session – reviewing all the basic nuts and bolts of PHP to provide myself with a more well-rounded understanding of all that hacking I’ve been doing over the past few years.

Did get to briefly talk with Chris Shiflett to discuss some security-related issues as well as get his take on PHP books. His own book Essential PHP Security is due out any day. Looking forward to his presentation this coming Friday morning.

The nice thing about this event has been its relatively small size, and the openness of the people that are attending. I have met a bunch of really cool, really intelligent PHP developers, and was able to discuss some real meaningful issues at a high level.

Today was a full day of breakout sessions and keynotes. I think my brain is reaching capacity for now. Thankfully it’s about time to wind down to open the exhibit booths and get some free snacks and libations.