I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.
These PHP systems be it cPanel, wordpress or PHP itself are most likely the biggest target besides windows. It's incredibly uncool stack especially here but it is running most of the "independent" small web.
They cannot be that bad if they are managing to be ductape of the internet.
I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.
On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.
That's a fair point, using 'interpreter' specifically was imprecise language on my part. My main point was php-fpm is developed by the core PHP team and is often the default in how PHP projects deploy these days, and that CVE was very similar to the recent 'fail' LPE vulnerabilities in the kernel.
> They cannot be that bad if they are managing to be ductape of the internet.
Oh, it very much can be that bad. Most "security" relies on the Hungry Tiger Theory of Security(tm).
My system doesn't need to be "secure". My system simply needs to be more secure than yours. As long as there is an easier and/or more valuable target somewhere, I'm "secure". I don't need to outrun the hungry tiger; I only need to outrun you outrunning the hungry tiger.
That theory, of course, doesn't hold anymore when there are enough tigers to simply eat everybody. And that's what AI did; it multiplied the tigers enough that they can just gorge on everything.
Now, people are going to have to put in "actual security" or lose real money over and over and over. And since everybody has outsourced everything, nobody knows how to fix it quickly. The lawyers are going to have a field day.
At the end, however, we'll have real security on our internet facing systems. But man, it's going to be painful for a while.
Every time I venture in the the web server's error log, I see all of the skiddie's attempts at accessing the most common things with most of them being .php files. Lots of /wp/admin.php and /phpadmin/ type requests. Of course, none of those are available which is why the requests are in the error log. I've never paid attention, but I wonder how long (as in how little time) for a new server to come online before it starts to get probed by a skiddie. Whether they are just war dialing IPs or paying attention to new domain announcements but I'd put it on a few hours tops.
Dismissing these as script kiddie attempts is no longer correct. This is a real industry now. It’s not like the large scale actors are going to pass up a valid unpatched vector just because it’s old hat.
Imagine this; ~40% of public websites run wordpress. (based on some AI-gen summary, even if fewer it is still an important percentage).
So you might be spinning up a new instance with 40% probability. It makes sense in mass vulnerability explotation and detection to aim for highest success rate first.
Especially when the IPv4 space is so easy to scan nowadays. And you have services like Shodan that do just that daily.
I’ve tested this recently (this post week). Had a dns entry up and pointing to an nginx server for ~12 hours, zero requests. 17 seconds after the letsencrypt cert was issued, the floodgates opened. Over a dozen of requests per second.
I don't think it's necessarily specific to LE but rather to public certificate transparency logs. LE being free and easy to automate means it's very widely used these days, but if you theoretically go to a "pay" root CA and get a cert that covers thing.com and www.thing.com , the same probing will happen on the same time scale.
> When was the last time they declined your subscription because they have no compute?
Is that a serious question? There have been a bunch of obvious signs in recent weeks they are significantly compute constrained and current revenue isn't adequate ranging from myriad reports of model regression ('Claude is getting dumber/slower') to today's announcement which first claims 4.7 the same price as 4.6 but later discloses "the same input can map to more tokens—roughly 1.0–1.35× depending on the content type. Second, Opus 4.7 thinks more at higher effort levels, particularly on later turns in agentic settings. This improves its reliability on hard problems, but it does mean it produces more output tokens" and "we’ve raised the default effort level to xhigh for all plans" and disclosing that all images are now processed at higher resolution which uses a lot more tokens.
In addition to the changes in performance, usage and consumption costs users can see, people say they are 'optimizing' opaque under-the-hood parameters as well. Hell, I'm still just a light user of their free web chat (Sonnet 4.6) and even that started getting noticeably slower/dumber a few weeks ago. Over months of casual use I ran into their free tier limits exactly twice. In the past week I've hit them every day, despite being especially light-use days. Two days ago the free web chat was overloaded for a couple hours ("Claude is unavailable now. Try again later"). Yesterday, I hit the free limit after literally five questions, two were revising an 8 line JS script and and three were on current news.
Just last week. They cut off openclaw. And they added a price increased fast mode. And they announced today new features that are not included with max subscriptions.
They are short 5GW roughly and scrambling to add it.
Mate. None of the companies is worth such stress. I feel rage in you. It is just a tool. You choose what works best. That's it. No need to overthink it.
A smartphone is a tool that is all but required for modern life, it gets it's hooks into every detail of your life, and you have very little choice in providers, features, and functions. It makes a lot less sense to not care like this.
Not the person to whom you're responding, but for me, some of the heavy hitters:
- Real-time weather alerts (I spend a lot of time in a naked Jeep in the summer, it's helpful to know when rain is imminent)
- Work-related authentication
- Audiobooks
- High quality, always available camera with quick editing and instant sharing capabilities
- GPS tracking when I'm exploring
- Find restaurants, museums, hotels when I'm traveling
- Pay for nearly anything (credit cards are useful but more time-consuming, and pulling them out frequently is a minor friction point that I'm grateful to leave behind)
That's curious. What do you mean by /almost/ impossible? Slightly more inconvenient / would have to visit a branch one time?
In the UK card readers are still widely supported by traditional banks. As is SMS for one time codes. People who think fintech banks are the only ones that exist might have a warped view on reality of course
i mean that i don't know of a single bank in my country that still offers physical tokens. I'm sure there is at least one and you have to go through hoops.
I left my previous main bank after they retired the tokens and mandated the app use, which required biometrics.
Current main bank is not so bad, but i'm not sure if the app works without google play integrity (at least it doesn't mind developer mode / unlocked bootloader)
That sucks. The UK gets a lot of stick for being 'stuck in the past' sometimes but when I hear things like that, I'm totally OK with it. We can even do proxy banking at a Post Office ! [0]
At least we don't currently require a US tech company (Apple | Google) to give their blessing to people to have a bank account :-)
Though I'm sure your country's set up will be ours before too long...
reply