
Phpfog "Down for maintenance" - jeisc
http://www.phpfogsucks.com/
======
pjhyett
Even at 16, you should be mature enough to know that this is classless. I hope
for their sake they never start their own business and never fuck up, because
that'd be awfully sad if the next kids to come along decided to show them the
same courtesy they've shown here.

~~~
acangiano
Agreed. 5 days ago one of the hackers wrote on Twitter:

"Wow, heroku for PHP. I thought of this once, sadly I wouldn't be able to get
1.2 mil in funding :(".

Well, at least we didn't have to look too hard for a motive.

~~~
beaumartinez
Do you have a link for that tweet? Or a screen-capture?

~~~
antonioc
<http://twitter.com/compwhizii/status/48172082667864065>

(I had to create a different account because I have no_procrast activated on
my main account. It'd be awesome if no_procrast would be automatically
disabled during the weekend.)

~~~
darklajid
During which weekend? For my new place of work that would be on Friday &
Saturday.

(Just a quick note that some features are harder than it seems at first)

~~~
acangiano
I realize that it's harder than it looks. However, it would be trivial to
allow people to choose the days they don't want the procrastination setting
enabled (based on a standard timezone like PST.)

~~~
eneveu
In this case, I'd simply use LeechBlock or the Chrome equivalent, which has
the features you want.

------
ElliotSpeck
Hey guys,

I'm Elliot Speck, one of the guys (let's be realistic, the main guy) behind
the phpFog hack. I guess the record needs to be set straight about exactly
what went down.

phpfogsucks.com isn't mine, I never contributed directly to it and any work
credited by me is assumed by the creator and owner of that site.

My work was slightly different: I was proving that the system was horribly
exploitable. Throughout the process I burnt into the box, gained root access,
and took a screenshot. I also gained access to the phpFog Twitter account and
posted a bit. I didn't damage any files, and when I finally came into contact
with Lucas, I explained my methodology directly and gave him a few security
pointers for immediate causes for concern. As a result, the project is now on
standby as they fix up the issues that were made apparent by my break-in.

I don't consider what I did to be a bad thing. It's better me break in and
make the fact I did public, than someone break in silently and wipe the box,
losing hundreds of hours of both the team's and clients' time. That is below
any moral standard I could possibly even consider upholding.

What I did not do:

- Damage or otherwise alter any of the system files

- Damage, alter or view any client files

- Post or otherwise make public the methodology behind my access

- Post or otherwise make public the engine code for phpFog; this was done by
someone else to whom I showed the code in order to investigate further
potential security holes before I alerted the phpFog team.

I'm posting here to clear the air, but if you have any questions you can
contact me on Twitter: @ElliotSpeck.

~~~
webwright
"It's better me break in and make the fact I did public, than someone break in
silently and wipe the box, losing hundreds of hours of both the team's and
clients' time."

It's better yet to break in and discreetly notify the folks involved. Show a
screenshot at Twitter.com that you COULD have tweeted. Voila, you've done
something positive.

Going public is an immature ego play that doesn't consider the feelings of
lots of folks. Even if you want the ego boost, post a "How I saved PHPfog"
post-mortem when the issue is resolved.

Shame on you.

------
shykes
What a dick move. Did these idiots actually publish their names in relation to
this? Coming from "security experts" this is the most unprofessional thing
I've ever seen.

~~~
lastkarrde
A mirror of the code dump (referred to in a tweet linked in this discussion)
is hosted on a 16 webdev from Australia...

At least they were kind enough to remove all API keys and passwords from the
code dump.

~~~
kajecounterhack
Actually, I don't know if they did. If you check the config dump, there are
some passwords left.

This can't be legal.

------
sriramk
Heroku, NodeFu and now PHPFog. All the Heroku-style clones have had security
issues in the last few months. Security in this space is very, very hard work
(I think NodeFu made a check-in mistake and it wasn't a 'jail/isolation
breakout' scenario).

Edit: wow, they just pointed phpfog.com at phpfogsucks.com. I feel bad for
the phpfog guys; they have a long weekend ahead.

------
jarin
This is a pretty good lesson: when you have that little niggling feeling in
the back of your head about something security-related, take care of it.
Otherwise, someone WILL exploit it.

Seems like they were using the load balancer as a way to obfuscate the
existence of the individual EC2 instances. Also, that has gotta be really
expensive to have an EC2 instance-per-customer.

~~~
X-Istence
Depends on the type of instance they spin up, but I would definitely tend to
agree with you!

Security in shared hosting is extremely hard (I used to be a sys admin for a
hosting company in a prior life), especially since there is no good way to
separate everyone from each other without making performance suck completely.
FreeBSD jails alleviate some of it, but you start having scalability issues.
PHP running in php-fpm works, but uses up a lot of resources keeping spare
instances around. There are a whole bunch of other ones as well.

Individual virtual machines per user isn't such a crazy idea, but it is really
expensive. What I would really like to know is how Google has accomplished it,
at scale, with AppEngine. How are they able to do their security separation so
well that at this point I am not even aware of any security breaches?

There has to be a better way to do it, and securely, but it may require
rethinking how the entire architecture fits together, PHP, a web server, and
the database engine.

~~~
sriramk
Heroku has done it reasonably well too and they seem to do it only with POSIX
permissions for the most part.

~~~
moe
Ahem. There have been multiple exploits for heroku, some of which enabled
access to code and data of other heroku customers (google for "heroku
vulnerability").

From what I read about their virtualization (which may not be up-to-date) they
seem to rely on the security of chroot(). If that is still the case then there
is a big problem in their future.

~~~
sriramk
Could you expand on the last sentence? Why is relying on chroot+file
permissions inherently bad?

~~~
baq
chroot was not designed as a security feature but as a system testing
tool. You only need a local root exploit to get out of chroot. You need
additional protection to have a proper jail; FreeBSD does this, OpenBSD used
to, not sure how it is now.

------
blocke
Not the first "you've been pwned" message on the Internet and won't be the
last.

It just happens to be the first I've seen use Google Analytics to track the
lulz with CSS and @font-face. With that layout I was expecting to see a
customer rant, not a "pwned" message.

On a more serious note are they going to be able to afford to have a separate
EC2 instance per customer to avoid having to write a proper sandbox?

~~~
_phred
After serious reputation damage… will they still have customers?

~~~
tomjen3
Sure, if I need a place for scalable PHP code, and they explained how they
fixed their security issues, I would be willing to go with them.

But I would probably become a fisherman before working with PHP...

------
tsigo
It didn't take long for someone to use that vulnerability to open up the
entire server. People are posting from the @phpfog Twitter account and someone
posted the entire codebase:
<http://twitter.com/#!/communistcake/status/49340298677075968>

Edit: Actually, the links in that message appear to just be mirrors of the
links at the bottom of the article.

Edit 2: Links in that last status are now dead. Wonder if the young Elliot
Speck is trying to walk it back a bit.

~~~
X-Istence
They put them up on Amazon S3, I am guessing they didn't want to pay for the
hosting fees.

~~~
Maxious
Looking at the reverse DNS, the website is hosted on someone's home server
at the moment (Internode ADSL: Sydney, Australia).

I hope they're not using phpfog's AWS credentials to pay to distribute dumps
of their own site.

------
JonnieCache
_Ouch._ Certainly one way to make a name for yourself when you're sixteen.
Probably not exactly the kind of name you want however.

------
sucuri2
Their phpfogsucks is hosted with tomato.compwhizii.net:

<http://sharingmyip.com/?site=phpfogsucks.com>

The guy (<http://johnduhart.me/>) could be in trouble if they decide to go
with legal action.

------
Kilimanjaro
"Hey guys, I didn't rob the bank, I just opened the vault and my friends took
all the money"

------
AgentConundrum
Not particularly related to the post, but seeing "phpfog down for maintenance"
- a seemingly innocuous title - on the domain phpfogsucks.com gave me an idea.

If I ever have a semi-successful site, I'm going to register _sitename_
sucks.com as well, and use it as a status blog to explain downtimes, etc.

------
masnick
Lucas notes some of the security improvements they plan on:
<http://help.phpfog.com/discussions/questions/84-details-on-the-attack>

_1) Every environment is going to be chrooted and Apache will be running
under per-user mpm_

_2) The dedicated ec2 servers will be running in a way that has no security
credentials of any sort, a walled garden that will not have access anywhere
else._

~~~
dexen
Chroot will only delay an attacker a bit of time [1]

----

[1] <http://serverfault.com/questions/19473/does-using-chroot-for-a-publicly-exposed-service-provide-any-real-security-benefi/19483#19483>

------
nestlequ1k
Anyone actually read the exploit? This is not so much hacking as it is PHPFog
being extraordinarily stupid. The fact is that such an obvious vulnerability
(that I'm sure many of their experienced customers have noticed) went ignored
by the PHPFog team.

The phpfogsucks site is tasteless and mean spirited, but it is good
information to have for potential PHPFog customers that the service they are
shipping their valuable code to is extremely poorly managed.

------
bhickey
Are these guys trying to get arrested?

------
gexla
Not sure what the hack was for the main server, but I'm not even sure I would
consider the steps mentioned at this site as hacks so much as "server
administration." It's a pretty obvious thing to try. It was only a matter of
time before someone decided to poke around and see what they could do.

------
marksands07
At least the staff is now aware: <http://phpfog.com/maintenance.html>

------
tsigo
Looks like their Twitter account is getting cleaned up, so they're at least
aware of it now.

------
gaoshan
Actually, I'm going to go sign up for an invite over at phpfog... it looks
like something I could make real use of. In a way, this incident may turn out
to be a boon for the folks over there.

------
hmart
From the @phpfog timeline: "Time for a contest! How many security
enhancements were in PHP 5.3.6? First correct answer gets into the beta
immediately." 4:22 PM Mar 18th via Twitter for Mac
<http://twitter.com/phpfog/status/48856795669737472>

------
datums
The main site now has this as the homepage: <http://min.us/ljEyGE>

~~~
X-Istence
Their Twitter account looks like it may have been hijacked as well!

<http://i.imgur.com/Pl127.png>

~~~
datums
They seem to have access to their zerigo dns account.

------
drivebyacct2
Can someone elaborate? I was at a baseball game and now all I see is
"Goodnight sweet prince".

~~~
syaz1
It had details on how they exploited it.

------
thomasdavis
When is the funeral of phpfog being hosted?

~~~
thomasdavis
Also the funeral of the hackers, lol. I was stupid at 16, but not that stupid.

------
jonursenbach
How can they possibly recover from this?

------
clojurerocks
Is this at all incriminating against PHP itself? Tumblr, which is written in
PHP, had a security issue, and now PHP Fog. Is PHP hard to secure as opposed to
other languages/platforms?

~~~
slig
Did you RTFA? This had nothing to do with php.

~~~
jwh
Did you not RTFA? The article is about a PHP hosting company that is getting
merc'd because of the security flaws inherent in PHP that lead to their design
decision to use Amazon EC2.

~~~
clojurerocks
What's up with the attitude? Seriously. The arrogance and self-righteousness on
HN is ridiculous sometimes and really kills the conversation.

To your point though, no, I didn't read the article, because there was so much
noise between it and the flamewar going on here that it was difficult to
figure out what was even going on. However, to quote you, "The article is
about a PHP hosting company that is getting merc'd because of the security
flaws inherent in PHP that lead to their design decision to use Amazon EC2."

Yeah, wasn't that the question I just asked? Seriously, maybe you should read the
question before just downvoting it and replying with no reply. My question was
actually a serious question. I want to know if there are security flaws in PHP,
as I am looking at it for a few projects and would like to know if there are
issues with it before I start them.

~~~
joshfng
PHP is just as secure as any other language. It's the programmer's best
practices (or lack of) and implementation that can make the code secure or
insecure. The language is mature, actively maintained, and has a nice standard
lib (debatable). Whether or not YOUR program will be secure depends on you the
PROGRAMMER not the language.

~~~
daeken
PHP is, by no means, just as secure as any other language. It has a horrid
security track record when compared to _any_ other language.

~~~
RossM
While there are some features of PHP which are inherently _a bad idea_
(register globals for example) these are, for the most part, deprecated and
removed in the most up-to-date version.

I agree with other views that it is the programmer's code that is insecure,
not the language itself.

