About "Spiral"

This might not be the best place for this post, but since Spiral considers himself a security expert and the majority of his posts are security related, I figure this will be as good a place as any.



Not to get too much into what I do for my “normal job”, but I work with, for and around IT security “experts” every day of my life (on a much higher level than most people). Note that I am not a security expert myself (at least not in this field). Like most extremely dedicated and extremely driven IS guys, Spiral often lacks a little tact in the way he comes across, but that’s because in his world security is very black or white. You’re either secure or you’re not, and no one wants to hear that their data might be at risk. The truth is that it is, and it’s not always easy telling someone that. It’s like the elephant in the room, and there is never really an easy way to give bad news, so he just says it.



So anyway, I did a little digging around into his credentials and spoke with him at length in private. I contracted him to do some security analysis, back-end optimization, and PCI compliance configuration on a new site. I wanted to give it a little time before I posted anything about the guy, but with the recent heat he is getting I felt now would be an appropriate time to post this.



The bottom line is that Spiral is the real deal. He knows his stuff and he practices what he preaches. I only know of a handful of people I would put up on the same level as him in regards to his knowledge and expertise on this subject matter.



This isn’t an advertisement for him; in fact I do not even know if he is accepting work, and he certainly didn’t approach me about looking for work or ask me to post this. If you want a little more about my background and what I feel qualifies me to make an assessment of his ability, then please shoot me a PM.

I should change his name to “The Enigma formerly known as Spiral” LOL



:stuck_out_tongue:

[quote name=‘ETInteractive’]I should change his name to “The Enigma formerly known as Spiral” LOL



:p[/QUOTE]



Wish I could think of something witty! :roll: LOL

The advice he’s given me in the past has been right on the money. I wouldn’t doubt him, he definitely knows what he’s talking about.

[quote name=‘ETInteractive’]I should change his name to “The Enigma formerly known as Spiral” LOL



:p[/QUOTE]



I actually kind of like that! :slight_smile:

Hello ET,


[quote name=‘ETInteractive’]I should change his name to “The Enigma formerly known as Spiral” LOL



:p[/quote]



Spiral is like all of us here. He is as afraid as us of hackers.



Maybe he is much more afraid of hackers than us, because his business is security.



Imagine Spiral communicates the URL of his website. Imagine his website falls at the hands of hackers.

Imagine the laughter that this would bring…



Therefore Spiral prefers to remain anonymous because he is afraid of hackers. As much as any website owner.







Lee Li Pop

[quote name=‘Lee Li Pop’]Therefore Spiral prefers to remain anonymous because he is afraid of hackers. As much as any of website owner.[/QUOTE]

Keep on dreaming, Lee Li Pop! :smiley: :rolleyes:

Hello Spiral,



Spiral, would you bet with me that my next post “More About Spiral” will be censored?



Indeed, many of your messages (or messages on you) are censored, removed and deleted… Strange, no?



Everybody will understand why…



See you next time Spiral :wink:





Lee Li Pop

[quote name=‘Lee Li Pop’]Hello Spiral,



Spiral, would you bet with me that my next post “More About Spiral” will be censored?



Indeed, many of your messages (or messages on you) are censored, removed and deleted… Strange, no?



Everybody will understand why…



See you next time Spiral :wink:





Lee Li Pop[/QUOTE]

??? I don’t understand… Just hope CS 2.x is secure enough…

Joe, relax dude.



Both 1.3.5 SP4 and the latest v2 are secure enough. In his thousands of words, Spiral failed to prove anything regarding CS and so far, his knowledge is limited to CHMOD 777.



CHMOD should be understood by every user of PHP scripts before trying to start with them. If you don’t know how and what to secure, ask here and ask your host to help you. Always read the manual and KB. Don’t think that any PHP script will install in a 101% secure way. They won’t. That’s why it is good to understand CHMOD and htaccess.



If you drive a car, you must know road rules and basics about your car. Same here. Otherwise - ask.



Good luck.
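The CHMOD point above is the one concrete piece of hardening the thread agrees on, so here is an added example (my own, not CS-Cart’s and not Anton’s) that checks a PHP web root for the “chmod 777” mistake and resets it. The assumed target layout is 755 for directories, 644 for files and 640 for a database-credential file named config.php; the path and that file name are placeholders, and the modes are what most shared hosts running PHP under the site owner’s account expect.

```shell
#!/bin/sh
# Added example, not from the thread or from CS-Cart: audit a PHP web root for
# world-writable files and directories and reset them to a sane layout.
# Assumptions (mine, not the post's): directories 755, files 644, and a
# credential file called config.php that gets 640 so only the owner and the
# web server's group can read the database password.

# List every file or directory under $1 that is writable by "other".
# -perm -002 is the portable spelling of o+w; 777 and 666 both match.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) 2>/dev/null
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset modes: 755 for directories, 644 for files, 640 for the credential
# file. A PHP script never needs to be writable by "other" to be executed.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/config.php" ]; then
        chmod 640 "$root/config.php"
    fi
}

# Usage (run as the site owner):
#   . ./audit_perms.sh
#   count_world_writable /var/www/html   # how many 777/666 entries exist
#   fix_permissions /var/www/html        # reset them, then re-count
```

Run the count first and look at the list before fixing anything: a cache or upload directory that the web server writes into will show up too, and that one should get group-write for the web server’s group rather than world-write, not be left at 777.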

Ok, I finally found the “issues” Spiral told about. Another of our users, leftnode, published them:



[url]http://leftnode.com/vulnerabilities-in-shopping-cart-software-cs-cart/[/url]



Actually, ANY web software has these “issues”. The solution is simple: you just need to rename the default “admin.php” script to something like “hackers_go_home.php”.



Also, CS-Cart 2.0.12 will include the notification about default admin script name.



P.S.



Magento did the same:

[url]http://www.magentocommerce.com/blog/comments/csrf-vulnerabilities-in-web-application-and-how-to-avoid-them-in-magento/[/url]

Changing admin.php to something else was mentioned here dozens of times, and it’s common for all PHP applications. The only thing I would say is to add a note on the last Installation screen and advise people how and why to do it.



Same as with the installation directory that has to be removed. Not rocket science.



This glitch affects ALL applications, not only CS!

[quote name=‘zeke’]Ok, I finally found the “issues” Spiral told about. Another our user, leftnode, published them[/QUOTE]

Actually those are 2 totally different and unrelated subjects. The issues you just mentioned, presumably also in the 1.3.5 discussion in the other thread, are an entirely different set of “issues”, though it was interesting to read the details on those additional problems found out there as well.


[QUOTE]Actually, ANY web software has these “issues”. The solution is simple: you just need to rename the default “admin.php” script to something like “hackers_go_home.php”. [/QUOTE]

Security through obscurity alone is unwise and incidentally won’t do you much good either.



There are many, many ways to have the web server tell you the new name. Plus, I don’t know about the issues you are discussing, but on the ones I’ve been talking about, the problem isn’t even with the “admin.php” file anyway.


[QUOTE]Also, CS-Cart 2.0.12 will include the notification about default admin script name.[/QUOTE]

Probably wouldn’t hurt but won’t help all that much either! :rolleyes:

Ok, Spiral, I thought you and leftnode were the same person. I was wrong. But I did not hear from you any details about the vulnerabilities you found. So, here’s my decision: if you don’t send me the details in 3 days, you’ll be banned from the forums for calumny.

[quote]

There are many, many ways to have the web server tell you the new name

[/quote]



Very interesting… I don’t know any. Tell me?

[quote name=‘Spiral’]

There are many, many ways to have the web server tell you the new name plus I don’t know about the issues you are discussing but on the ones I’ve been talking about, the problem isn’t even with the “admin.php” file anyway.





Probably wouldn’t hurt but won’t help all that much either! :rolleyes:[/QUOTE]



I personally believe that the admin(your_name_for_it_here).php shouldn’t even be in the root. It should be in its own directory so that an additional level of directory password protection can be added. I’ve suggested this, whined about it, feature requested it, but apparently no one at CS agrees with this.



Sure, you can make it so your static IP address is the only one that can access it… but then again, I believe there are multiple ways to spoof addresses.





Security of something like a shopping cart is huge… especially from a liability standpoint. Hopefully CS is listening to some of the concerns being raised here and by the post regarding risk reported by the website that reports security issues.
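Three posts above make one argument between them: zeke’s advice to rename admin.php, Spiral’s reply that the web server itself can reveal the new name, and Tool Outlet’s suggestion to move the script into its own directory with password protection and an IP restriction. The following is an added example of my own, not CS-Cart’s code and not something any poster supplied, that implements the last suggestion and closes the most common leak: it writes an Apache .htaccess for the admin directory that turns off directory listings, demands a password, and allow-lists one source address, and it provides a check that flags a directory still left open. It assumes Apache 2.4 syntax and an AllowOverride setting that honours Options, AuthConfig and Limit in .htaccess; the directory name office-7f3a, the address 203.0.113.10 and the htpasswd path are placeholders.

```shell
#!/bin/sh
# Added example, not CS-Cart's code: give the admin script its own directory
# and lock that directory at the web-server level, so the rename is backed by
# something the server cannot leak. Assumes Apache 2.4 directives and an
# AllowOverride that permits Options/AuthConfig/Limit in .htaccess. The
# directory name, allowed address and password-file path are placeholders.

# Write a .htaccess into directory $1 that disables directory listings (a
# listing would hand over the renamed script's name), requires a password from
# the htpasswd file $3, and only accepts requests from the address $2.
write_admin_htaccess() {
    admin_dir="$1"; allowed_ip="$2"; passwd_file="$3"
    cat > "$admin_dir/.htaccess" <<EOF
# No index listing: the rename is worthless if Apache prints the file list.
Options -Indexes

# The password prompt is answered by Apache before PHP is ever executed.
AuthType Basic
AuthName "Administration"
AuthUserFile $passwd_file

# Both must hold: a valid login AND an allow-listed source address.
<RequireAll>
    Require valid-user
    Require ip $allowed_ip
</RequireAll>
EOF
}

# Exit status 0 ("true") when directory $1 is still exposed: no .htaccess,
# listings enabled, or no Require directive at all. Non-zero otherwise.
admin_dir_exposed() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 0
    if grep -q 'Options.*+Indexes' "$f"; then return 0; fi
    grep -q 'Options.*-Indexes' "$f" || return 0
    grep -q '^ *Require' "$f" || return 0
    return 1
}

# Usage:
#   write_admin_htaccess /var/www/html/office-7f3a 203.0.113.10 /etc/apache2/.htpasswd
#   admin_dir_exposed /var/www/html/office-7f3a && echo "still open"
```

Create the htpasswd file outside the document root (htpasswd -c /etc/apache2/.htpasswd admin) so it cannot be fetched over HTTP. On the spoofing worry: an HTTP request rides on a completed TCP handshake, so a forged source address cannot carry a request through to PHP; the practical weakness of Require ip is a shared or dynamic address, and a site behind a reverse proxy, where Apache sees the proxy’s address unless it is configured to trust a forwarded-for header. That is why the example requires the password as well and does not rely on the address alone.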

[quote name=‘zeke’]Very interesting… I don’t know any. Tell me?[/QUOTE]

Well this would be just one of a great many things I could actually teach you!



By your own statement right here and now, this very minute, you show an example that there are in fact a lot of things you don’t know that could actually be of great benefit to you, which, as a result of your learning them, may change the way you think about many things and perhaps even affect the way in which you program your code in all the programs you write.



I am sorry that I was so very hard on you in my previous post above, but I feel it was necessary.



And just so you know, I don’t have to be here. It’s not even profitable for me to be here, but I made a promise to a certain set of people here and I am doing what I can to fulfill that promise, and the biggest part of that was that I would do what I could to help you, even if you yourself don’t realize just how much you actually really do need it.



Unfortunately, I have wasted so much time dealing with much childlike ignorance and pettiness around here, to the point that I am not even certain at this particular juncture if I can even continue to try to keep my earlier promise to a few certain CS-Cart users, as I am already putting in very long days each and every day in my normal daily work schedule and I have already lost significant valuable time from important projects dealing with some of these issues and items around here.



However, if you ask me and actually really do want the help, I will do everything in my power to stay and do as much as I possibly can to assist you, and I could show you many, many things that might be of great help along the way if you are receptive enough and actually open and willing to learn.

Hello Spiral,



Somebody wrote this in 2007:


[quote][…] is an unprofessional and arrogant individual. He loves putting people down and putting himself up. That’s my stand on him. Good to see him gone.[/quote]



Do you remember?





Lee Li Pop

[quote name=‘Lee Li Pop’]Hello Li Lee Pop



Somebody wrote this in 2009:


[quote] Lee Li Pop is an idiot [/quote]



Do you remember?





Jesse-Lee Stringer[/quote]



Obviously you don’t remember the stupidity that existed in your own threads. For the love of the forum, will you guys quit *****ING?

Sure, he’s not good with inter-personal communication, but he KNOWS how to work servers. (HE IN FACT RUNS MY OWN).



Choices people

A) Keep *****ing

B) Ignore the posts

C) Keep *****ing and complaining and get nowhere; is high school over for the lot of you?

D) Accept that people are different, in different areas, of different professions.

JesseLee,



Relax, and keep your bad words to yourself.


[quote name=‘JesseLeeStringer’]he KNOWS how to work servers. (HE IN FACT RUNS MY OWN).[/QUOTE]



Hoooo… I see, you’re not smart enough, so you need him. I see, I see.



So, you know Spiral’s fees are as low as $50 a month, right?



I have dozens of proofs of what I say.



Who wants me to publish them?






Lee Li Pop