Friday, November 11. 2005
I previously blogged about the fact that the Hardened-PHP Project visited the International PHP Conference and presented itself at a booth. For me it was the first time that I attended a PHP conference, and I was very surprised how relaxed the atmosphere was. I had expected to see a lot of people in suits and ties, but in reality most visitors were dressed like normal human beings. It was a lot of fun to finally meet people face to face that I have known from IRC for years.
I really enjoyed my stay, because I learned a lot about how the German PHP community ticks and what information they miss in my documentation. However, from a security point of view, the PHP conference was a nightmare...
The NH Hotel had an open and free WLAN during the conference days, which I consider quite stupid at a place where lots of IT people are meeting. The connection to the internet was quite slow, so the danger of a large-scale anonymous attack was quite low, but a lot of people were using the anonymity to perform XSS and SQL injection attacks on the websites of other visitors.
In addition to this, I saw several people running Kismet to sniff the wireless traffic. There also must have been some more advanced WiFi hackers present at the conference, because there were some rogue access points set up, and when I started my own sniffer to see what was going on, several packets were caught containing remote exploits against Kismet.
While it is nothing new that people underestimate the danger of sending unencrypted traffic over insecure connections, I was quite shocked how many POP3, IMAP, FTP and even PHP CVS passwords ended up in my sniffer log. I really suggest that anyone who used any plaintext service from the conference immediately changes their password if they do not want to end up compromised.
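To make concrete what "ended up in my sniffer log" means, here is an added example (not code from the original post or from the Hardened-PHP Project) that scans client-to-server TCP payloads for exactly the credential exchanges named above: POP3 USER/PASS, IMAP LOGIN and SASL PLAIN, FTP USER/PASS, and the CVS pserver login. The sample sessions are constructed; the port-to-protocol mapping and the STLS/STARTTLS/AUTH TLS handling are the usual defaults and an assumption of this example. CVS pserver does not send the password literally but "scrambles" it with a fixed substitution table, which is obfuscation rather than encryption, so it is reported as leaked without descrambling it here.

```python
"""Scan captured client->server payloads for credentials sent in the clear.

Added example, not code from the original post. SAMPLE_STREAMS is
constructed; ports follow the usual defaults (POP3 110, IMAP 143,
FTP 21, CVS pserver 2401).
"""
import base64
import re

# Constructed sample sessions: (server port, client-to-server bytes).
SAMPLE_STREAMS = [
    (110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"),
    (143, b"a001 LOGIN bob \"s3cret\"\r\na002 SELECT INBOX\r\n"),
    (143, b"a001 AUTHENTICATE PLAIN\r\n"
          + base64.b64encode(b"\0carol\0pw-carol") + b"\r\n"),
    (21, b"USER dave\r\nPASS ftp-pass\r\nPWD\r\n"),
    (2401, b"BEGIN AUTH REQUEST\n/repository\nerin\nAxyz123\nEND AUTH REQUEST\n"),
    # Session upgraded to TLS before login: the rest is a TLS ClientHello, not readable.
    (143, b"a001 STARTTLS\r\n\x16\x03\x01\x00\xa5\x01\x00"),
    # APOP is challenge-response; the digest does not reveal the password.
    (110, b"APOP frank c4c9334bac560ecc979e58001b3e22fb\r\n"),
]


def _lines(payload):
    return [l for l in re.split(rb"\r?\n", payload) if l]


def _pop3(lines):
    user = None
    for l in lines:
        cmd, _, arg = l.partition(b" ")
        cmd = cmd.upper()
        if cmd == b"STLS":          # everything after this is inside TLS
            return None
        if cmd == b"USER":
            user = arg
        elif cmd == b"PASS":
            return {"proto": "POP3", "user": user, "password": arg}
    return None


_IMAP_LOGIN = re.compile(rb'^\S+\s+LOGIN\s+("?)([^"\s]+)\1\s+("?)([^"\s]*)\3', re.I)


def _imap(lines):
    for i, l in enumerate(lines):
        if re.match(rb"^\S+\s+STARTTLS\b", l, re.I):
            return None
        m = _IMAP_LOGIN.match(l)
        if m:
            return {"proto": "IMAP", "user": m.group(2), "password": m.group(4)}
        # SASL PLAIN: next client line is base64("authzid\0authcid\0password").
        if re.match(rb"^\S+\s+AUTHENTICATE\s+PLAIN\b", l, re.I) and i + 1 < len(lines):
            try:
                parts = base64.b64decode(lines[i + 1], validate=True).split(b"\0")
            except ValueError:      # binascii.Error is a ValueError subclass
                continue
            if len(parts) == 3:
                return {"proto": "IMAP", "user": parts[1], "password": parts[2]}
    return None


def _ftp(lines):
    user = None
    for l in lines:
        cmd, _, arg = l.partition(b" ")
        cmd = cmd.upper()
        if cmd == b"AUTH" and arg.upper() in (b"TLS", b"SSL"):
            return None
        if cmd == b"USER":
            user = arg
        elif cmd == b"PASS":
            return {"proto": "FTP", "user": user, "password": arg}
    return None


def _cvs_pserver(lines):
    # BEGIN AUTH REQUEST / repository / username / "A" + scrambled password / END AUTH REQUEST.
    # The scrambling is a fixed, published substitution table, i.e. reversible.
    if (len(lines) >= 5 and lines[0] == b"BEGIN AUTH REQUEST"
            and lines[4] == b"END AUTH REQUEST"):
        return {"proto": "CVS pserver", "user": lines[2], "password": lines[3][1:],
                "scrambled": True}
    return None


_HANDLERS = {110: _pop3, 143: _imap, 21: _ftp, 2401: _cvs_pserver}


def find_plaintext_credentials(streams):
    """Return one dict per session in which a credential was visible on the wire."""
    found = []
    for port, payload in streams:
        handler = _HANDLERS.get(port)
        if handler is None:
            continue
        hit = handler(_lines(payload))
        if hit:
            hit["port"] = port
            found.append(hit)
    return found


if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_STREAMS):
        print(f"{hit['proto']:12} port {hit['port']:5} user={hit['user']!r} "
              f"password={hit['password']!r}")
```

Run against real traffic, the payloads would come from reassembled TCP streams of your own capture; the point of the example is which sessions are not reported: the one that issued STARTTLS before logging in and the APOP session, because those are the two things a client can do to keep a password out of a log like this.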
If the WLAN situation at the conference venue has not improved by next year, the Hardened-PHP Project will offer VPN accounts to the attendees.