11 posts • joined Friday 26th February 2010 15:31 GMT
"The Full Disclosure posting was brought to our attention by three Reg readers who described it as unverified but potentially noteworthy."
I verified that the details of the advisory are correct. Checked this afternoon. In my opinion at least as bad as the security advisory details.
Well, I guess storing the password in the cookie technically "...would not allow access to our online services on their own..." (That's what the Alias is - your passphrase.)
Nope, to log on you would also need the UserId. Oh, wait! Santander user IDs follow the SurnameInitials pattern. Or SurnameInitials1 or SurnameInitials2 if you have more than one account. And I guess you could get that from the full name which is also stored in the cookie.
But on the face of it, reassuringly, the pass number is not stored in the cookie. Of course having remembered your UserID and your passphrase, a substantial number of people will have used 12345 or something similar as their number. And at first glance it does not look like Santander locks you out of your account after multiple login attempts. So I guess you could brute-force that number.
Well, at least they require a one-time pin/password before setting up a new payee. Sent via a phone. But that's quite a recent development.
In my opinion, if there is _anyone_ who has lost money prior to the one-time-pin number from their online account, then Santander cannot claim that the user is at fault and Santander should reimburse them; provably Santander stored their login details insecurely - that passnumber only happened about the same time as the change to OTP.
I'd call this a pretty big deal, despite the attempt of Santander to downplay. It should be at the top of the BBC business and technical news, and the FSA should be all over them.
And I'd also like to see the Santander UK managers personally fined for this appalling lapse. Bankers get paid huge salaries and this sort of amateur-hour stuff should never ever have happened. They should also donate a seven figure sum to the security researcher who published this stupendous fail and write a public letter of thanks.
That might make the case of The Robot Receptionist In The Lobby Of The International Electromatics Building the first documented code-injection attack.
Yes, as usual the Reg knows WTF they are talking about
TheReg is probably right.
Here are the Google trends on Wordpress vs Joomla vs Drupal.
The claim that Drupal powers more than 1% of the web comes from Dries Buytaert, leader of the Drupal project. He started a project to build a crawler to categorise sites, and Marc Seeger finished it. Marc wrote his thesis about the crawler. In Dries's April 2010 Drupalcon speech, he revealed that a crawl of the top million sites showed Drupal at 1%. His slides are online. It doesn't say so on the slides, but he also spoke about Joomla and Wordpress stats. I was in the audience, and I remember WP being at about 8%, and Joomla being at about 3. I'm fairly sure about WP, I'm less certain about Joomla. However, Drupal at that stage was definitely behind Joomla.
This also feels right - Drupal is typically used for more complex sites than Joomla. Naturally there will be more less-complex sites, so we can expect that there would be more Joomla sites.
The Google trends graph shows that Joomla is dropping in the search rankings, but it's still well above Drupal. Of course this isn't necessarily a reflection of the use of the different CMSs, but I can't think of any sensible reason that it couldn't be.
With regard to whether Wordpress is a CMS: the majority of my business is built around Drupal and I'm heavily involved in the Drupal project. However, one of my clients uses WP very successfully to run their online industry-specific newspaper. It's not a heavyweight CMS, but it's definitely improving all the time, and the latest version supports structured data. Remember that it wasn't Habitat that bought Ikea; it's the job of us Drupal developers to make Drupal easier and nicer to use than Wordpress. Drupal 7 is a good step in that direction. The user interface is better, but we still have a way to go to meet Wordpress. On the other hand, the structured data handling in Drupal 7 is in another league compared to Wordpress.
No title is required
In fact there are at least two ways to do this that immediately spring to mind, and possibly as many as five, depending on the amount of customisation required.
Page template naming, template programming using a section identifier, Context module, Composite Node module, Panels module. And if you want to be much more exotic: multisite installation with shared sessions, multisite with shared database, multisite with Domain Access.
And I reckon that's probably not a complete list. It is _very_ unusual in Drupal that you are the first person to be facing a particular problem.
Drupal has served us well for sites with more than 80,000 pages, at moderate traffic levels. And with some work on the caching infrastructure it can deal with quite heavy traffic.
There's more to it than that
Drupal uses OOP in specific places - for instance the Views module (a graphical point-and-click query generator). But beyond that, it's always had an object approach - for instance, the key content type, node, is an interface in the object sense: by implementing the interface, any new content type you care to make automatically gains all the advantages of being a node - the revision system, searchability, taxonomies, and much more.
But it doesn't use OOP to do this. It uses naming conventions for overrides and extending, rather than a pure object system. It works this way for a few reasons:
- while the API is not frozen, in practice it almost always evolves, which is to say that many, if not most, Drupal 6 modules will probably work on Drupal 7 with only minor changes. Certainly that was my experience of all the transitions since 4.5. A change to pure OOP would have made module upgrades a great deal more difficult.
- it runs on a wide variety of platforms - everything from shared hosting to the cloud, and with a wide range of PHP versions; Drupal 6 continues to support PHP 4.4+ as its minimum requirement. But before PHP 5, OO was not robust. Taken together with the previous point, it would not be sensible to introduce OO as a language structure in a big way into the core for D7.
But I'm certain that Drupal will continue to use more and more OO structures with the improvement of the performance of OO in PHP, and as the need to support Drupal 6 fades.
Where there are API changes, it's not 'mashed up for no reason'. There are major advances in the capabilities which mean the API needs to evolve - for instance the database now has a much better abstraction layer. As a result there is support for SQLite, an experimental module for using MongoDB, and work going on on SQL Server support.
That figure is not entirely representative
The 114 bugs were/are critical blockers to release.
You might get a better feel for the amount of work that's gone into version 7 if you look at the number of issues closed in the last year. Excluding feature requests and support requests, about 2,500 have been dealt with.
Drupal 7 will be released when it's polished, though I think there are already some light-use sites using it in production. But of course that's foolhardy for any site which matters. Meanwhile Drupal 6 and 5 continue to grow. Last week there were about 5,000 modules available, spread out over those two versions.
And I'm pretty sure the bulk of us working on Drupal are professional.
Thanks Reg for covering Drupal.
Or perhaps no wing mirrors
One of the improvements in Drupal 7 is to move image handling into the core.
Drupal is heavily darwinistic. It's also very modular. Before something goes into core, it's implemented as a module. Actually, typically there are several competing modules implemented. Eventually the best ideas embodied in these are brought into the core as a common framework that lots of modules can use.
Almost all the major features in Drupal have evolved this way as responses to user needs, and it's one reason that Drupal hits a sweet spot.
Conference in Copenhagen next month
I suspect that this article came out of some PR: we have this year's European conference in a month. A punt that appears to have been cut/missed/dropped from the article.
We hold two conferences each year - one in Europe and one in the USA. Last USA was about 3,000 attendees, I think. Something like 600-700 registrations so far for Copenhagen.
I'm not sure about the Reg policy on links, so I won't. But if you are interested in the details, search on drupalcon.
Disclosure: you can probably tell from this that I work on Drupal.
Jobs for President
A few weeks ago the US Supreme Court decided that corporations were allowed to invest in the political process, supporting candidates and lobbying.
It's not a big leap to imagine a corporation deciding that they wanted to be President and $40B is enough to get Apple elected as prez, with Mr Jobs as Apple's Representative on Earth.
With Apple as President, the people of the USA would enjoy a well designed health-care system. There would be no more crashes. The government would focus on a single issue until it was satisfactorily sorted, or something more important happened; there would be no multitasking. Only glowingly positive press would be permitted. All grievances would have to form an orderly queue but Apple's decision would be final. It would be expensive, but citizens would universally agree that it was easily worth the trouble. Small changes would be treated as major revolutions and would be required to be written about in breathless tones. The military would have stylish, glossy hardware.
No opposition would be brooked.
Uh-oh. I may have given Ballmer an idea. The MS Presidency: a celebration of the mediocre with a lot of marketing about the innovation but no changes. 'I'm a voter and an MS President was my idea.'