I like how people that write these types of stories always justify it as trying to help out... "In the hope that digg would now listen, I sent them a second email."
So digg was supposed to jump on this problem and not worry about anything else apparently.
It always seemed akin to saying
"I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I put it in neutral and let it roll down a hill so that they will now heed the warning."
While warning about possible vulnerabilities is helpful I have a hard time believing exploiting them is as well.
"So digg was supposed to jump on this problem and not worry about anything else apparently."
Quite frankly, yes they should. If you have an XSS hole in your web application your other user-facing security measures are worthless. If you're a social application of any sort it's even worse; you're just asking to be hit by a worm.
XSS is a Big Deal. XSS holes are also really easy to find, so if a security researcher spots one it's not unlikely that a Bad Guy will find them as well.
A better analogy would be "I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I opened the car and left a note on the dashboard stating I'd been in the car."
I disagree. I think the better analogy would be: "I saw an unlocked vehicle today and I think it's important that all vehicles remain locked. Since they didn't come running out when I told them to lock the car, I [opened] the car and left a note on the dashboard stating I'd been in the car."
"And then I went into the bad part of town and distributed fliers all around about how the car at the corner of Main and Screwed had been left unlocked for a while and how it had a great stereo and iPod in it."
Still a bit off. "[going] into the bad part of town" would imply he went on some devious message board and there released the information with a flashy heading.
An unlocked car only leaves the owner vulnerable to break-ins. This is more like noticing that Honda Civics can't be properly locked, and leaving a note on the dashboard of each and every one, so that Honda will experience pressure to fix the problem.
The full-disclosure community used to believe in this philosophy but for different reasons. They were trying to disclose the bug as a form of motivation with little regard to what else the company was working on. I suspect this message is not well understood now and the notion of full-disclosure being good is all that's left.
A better analogy would be:
"Your car may be locked, but other people have keys that unlock your car. Then someone proves it by unlocking the car with his key."
While I support full-disclosure, I don't think the author acted responsibly. He didn't give them enough time to respond, he didn't make any extra effort to contact digg's engineers and he also very publicly bragged about it.
He didn't try to act modest and he used the buzzword 'hack' which appeals more to non-technical than to technical people. Publicity stunt if you ask me.
This is exactly what happens when you get a bit too excited about mixing presentation and logic. It's easy for "$foo" to slip into the HTML, and then your site gets hacked. This isn't really a PHP problem, but PHP certainly goes out of its way to encourage you to write bad code like this.
If you ask me, mixing presentation and logic is the core of most web development. They just missed a lot of opportunities for sanitizing data.
I also don't see how PHP goes 'out of its way'. It doesn't do anything, neither do most other web languages, you build or use existing frameworks and libraries to help with such tasks.
I personally think PHP blurs the line between a language and a framework. The "framework" part is the 20,000 builtin functions and the mechanism it provides for executing code as part of a dynamic web request.
In any case, my intent wasn't to compare Django to PHP, it was to point out that PHP's default way of outputting things really does make it inconvenient to write secure code - hence answering the parent post that argued that poor security had nothing to do with the language used.
You are comparing apples to oranges. Django is a framework built on Python. Python doesn't provide anything to escape strings. I'm sure there are also PHP frameworks and templating languages which make this very easy.
I realize I'm playing devil's advocate because I love Python, but you shouldn't put blame nor give credit where it isn't due.
I've used this exact function in my own code, though I call it "h". Really sucks that we have to do this - not to mention that PHP's global namespace for functions means it's better to have long names that are more likely not to clash with third party code.
You can't write code for redistribution like that though, as most PHP installations have that option disabled since it interferes with XML processing instructions.
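An added example (not code from the thread or from digg) of the output-escaping helper the two comments above describe: a short `h` wrapper around `htmlspecialchars`, shown against the `"$foo"` interpolation that lets unescaped input reach the page. The variable name and the sample value are constructed for illustration.

```php
<?php
// Added example, not from the thread. The short helper name "h" follows the
// commenter above; the flags make it safe inside double-quoted attribute
// values too (ENT_QUOTES) and assume the input is UTF-8.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample of a user-controlled value that ends up in the page,
// e.g. a comment body or a display name.
$foo = '<img src=x onerror="alert(1)">';

// Vulnerable pattern: the variable is interpolated straight into the markup,
// so the browser parses it as a live tag.
$vulnerable = "<div class=\"comment\">$foo</div>";

// Hardened pattern: every dynamic value goes through h() at the output point.
$hardened = "<div class=\"comment\">" . h($foo) . "</div>";

// Attribute context: the same helper is enough as long as the attribute value
// is quoted; never emit a dynamic value into an unquoted attribute.
$title = 'He said "hi" & left';
$attr  = '<a title="' . h($title) . '" href="/user">profile</a>';

echo $vulnerable, PHP_EOL;  // <div class="comment"><img src=x onerror="alert(1)"></div>
echo $hardened, PHP_EOL;    // <div class="comment">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</div>
echo $attr, PHP_EOL;        // <a title="He said &quot;hi&quot; &amp; left" href="/user">profile</a>
```

The `<?= h($foo) ?>` short echo form the comment refers to depends on `short_open_tag` only on PHP older than 5.4; from 5.4 on `<?=` is always available, so the helper can be used in templates regardless of that setting.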
You've inspired me for some reason to defend the site (I'll admit to bias, check my profile). Digg is a very highly trafficked site, and the content might not be to the liking of the people here, but it started just like most of the companies that inspire everyone here that I've interacted with. Along the way it's done some cool stuff, created jobs for coders and inspired a raft of imitators.
Don't know why you inspired me to speak up.
And concerning the current problem, avoiding XSS and CSRF holes demands vigilance, especially with the many, many demands put on programmers at startups. Perhaps only with php, but I think programmers are often clever enough to work around almost any constraints, and sometimes they see security as a constraint. Digg always attracted users interested in proving their mettle by finding security holes, and as a result the developers are pretty vigilant about fixing holes.
Concerning the content of digg, well, it's an adventure ;-). As it's grown, it's left lots of room in its wake for other (maybe better) communities to develop.