EccentricAnomaly (Guest)
« Reply #15 on: June 14, 2011, 04:20:42 PM »
> Hmm, all the more reason to keep Javascript disabled, IMHO.

Actually, what has this got to do with JavaScript? As far as I can see, all the JavaScript did was open a popup which did not, again as far as I know, cause any actual security problems. If somebody's got write access to the file system behind the server then they don't need JavaScript to exploit that access - at most JavaScript helps make the exploit more obscure. And may also turn out to be a good example of why not to use systems written in PHP. I understand it's a nightmare to keep sites secure.

That comment, though, is consistent with my limited experience.

martin
« Reply #16 on: June 14, 2011, 04:26:29 PM »
What gets my goat in this case is that Google do their God bit, so muggins races around, goes to the "Google webmaster tools", and finds that the site is shown as not hosting any malware, and there is no link to request the barring be removed as it's scanned as "clean", nor is there any indication of details as to the problem, so you waste hours banging your head against their brick wall.

Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

profp (Guest)
« Reply #17 on: June 14, 2011, 08:54:35 PM »
> And may also turn out to be a good example of why not to use systems written in PHP.

Poor workmen blame their tools. There is nothing inherently insecure about PHP *IF* you know what you are doing. It's also worth noting that it would appear that this issue could have been avoided by following security best practices - i.e. avoiding the use of unaudited, untrusted code from third parties.

wookey
« Reply #18 on: June 15, 2011, 12:58:44 AM »
martin, google brought a genuine problem to your attention that could otherwise go unnoticed for some time. I don't think you can really blame them for that. Their 'brick wall' was quite right to continue to assert that the site was infected until it was fixed.
Profp, quite true that you _can_ use PHP in a secure manner (Drupal is a good example) but the combination of it defaulting to use some very insecure features _and_ being targeted at web newbies is the recipe for the repeated disaster we see in real life.
So far as I know there is no evidence of its involvement in this issue so far, though.

Wookey

martin
« Reply #19 on: June 15, 2011, 09:07:22 AM »
Let's reiterate why (hopefully with more clarity) I got cross with Google - I have no problem with them "pointing out" a problem, but it is to do with their patronising arrogance and the manner in which they act. Firstly, if they do discover a problem (due to hacking or similar activities), then warning the owner of the page is entirely reasonable - I would think that any warning pages should be far more tactfully worded (something along the lines of "there would appear to be a security problem with the page you are trying to visit, probably due to hacker activity, we have informed the site owners, and they're working on fixing it"), rather than the information that the page is "hosting malware" or giving links thereto, which would suggest to most people that it was deliberate on the part of the website owners. Then from my point of view, if you check all the immediately obvious sources of problems, find none, and then use Google's own "malware" scan which shows the page as "clean", and there's no way of contacting them to ask what/how/where/why, then you can waste some hours going round in circles... With their enormous resources, and desire to control all the world's data, it would not be unreasonable for them to include software that could at the very least point out "where to look for the problem" (as Wookey did with the JavaScript) - I think it's another manifestation of "power corrupts, absolute power corrupts absolutely", rather like their cavalier arrogance over privacy and "Streetcam" - they care not a jot or tittle about anyone, they're rich and powerful enough to be able to ride roughshod over the hoi polloi, and they do...

wyleu (Guest)
« Reply #20 on: June 15, 2011, 09:09:47 AM »
|
Welcome to the wonderful world of web framework prejudices: the PHP people hate the Django people, the Django people hate the Ruby on Rails people, and so it goes on. Actually the truth is the differing communities learn from each other and benefit by the comparisons. That said, PHP, despite its popularity, can be viewed in its simplistic form as a web page on steroids, and as such leads to fairly impenetrable code which can be difficult to debug. Modern frameworks tend to be a little bit more defined in their separation of functions and this makes them a little easier to defend. But a well written site in any of them passes modern security audits, so it is unlikely to be the framework that is compromising a system. If any of them have a vulnerability it tends to be closed pretty quickly.
This has been an advert for the open source frameworks movement. Other philosophies exist.

profp (Guest)
« Reply #21 on: June 15, 2011, 10:01:56 AM »
> Let's reiterate why (hopefully with more clarity) I got cross with Google - I have no problem with them "pointing out" a problem, but it is to do with their patronising arrogance and the manner in which they act.

I don't think it's malice on Google's part - I'm guessing, but I don't think they can afford to provide support backed by human interaction because of the scale of their operation. Knowing something of how Google do business, I'd also guess it is an economic decision not to proactively notify sites that have issues, on the basis that they'll react to complaints from their user base sooner or later. I'd wager there are millions of people in Martin's position every day... the cumulative cost of tracking & emailing those users automatically, let alone providing real support, has been deemed prohibitive.

« Last Edit: June 15, 2011, 10:04:29 AM by profp »

Ivan
« Reply #22 on: June 15, 2011, 09:08:01 PM »
Sorry for late appearance. I've been immobilised in bed for the last two days - which is pretty unlike me.
Thanks for the help - very much appreciated. I don't know the first thing about this kind of issue, so when it goes wrong, I've no idea where to start. Wookey, will make it up to Ian, if he lets me know how!

Navitron Member of Staff www.epogee.co.uk - Solar PV & Solar Thermal Training / MCS