Recently I analyzed a security of a big site and found an issue that is not easy to notice, but it lets people do a bit more then they should. I did it for fun and for a "prove of concept" that I can find it, not for destruction, but it made me think.
Security is measured with the cost one has to spend to break it. Let's take a good American programmer with $150 thousands per year salary building up the system. Let's take a good Russian programmer who makes $1 or 2 thousands per month. It is obvious that a Russian will be ready to spend a month to exploit the system and make $4000, while an American company spends 12 thousands for a month of work of it's employee.
Why not Indians or Chinese? Well, they too, but Russians historically have a solid mathematical, engineering and computing schools, and half of major IT companies in US have Russians among founders and chief developers.
I don't really know a solution for a short period. In the long run the income will more and more depend on qualification rather then on geographical location, as Bill Gates wrote in his book. But for now the only way for companies is to accept the problem and earn more then lose.
Anyway, good programmers respect professional growth and creativity, not cash or destruction.
If you run and maintain a web server you are definitely interested in the web server software. Apache is an old good friend and we all are very happy about it. But if your load grows, you may realize that Apache with PHP eating 20-50 Mg of RAM per child is a bit too much. This mean that you can't run more then a couple of hundreds of children simultaneously even on a powerful server. Not a big problem, how has 100 simultaneous users - you can say. The issue is that a plain Apache server can easily be brought down.
A 5-line script opening 200+ simultaneous connections sending incomplete HTTP requests can make the server with a plain Apache stop serving requests or serve them very slowly, when the server itself will not be loaded at all.
For the cases like in the past we were puting reverse proxies in front of Apache. Now we have a better way - another web servers. Usually we choose between Lighttpd and Nginx.
The best one at the moment is Nginx - for highest speed, lowest memory consumption, ease of configuration, scalability and completeness. The negative side people find is that original documentation is written in Russian. Here are the links for the English documentation: Nginx wiki and Nginx - Small, But Very Powerful and Efficient Web Server
Lighty is good as well, it became famous for being used in Youtube. Especially I like the supplementary project of Lighttpd called XCache. XCache is the fastest PHP bytecode cache at the moment and it was the first stable one compatible with latest PHP 5.2 Also, untill recently Lighttpd had the only usable FCGI process management tool. Now we have PHP-FPM (docs are in Russian as well).
I took a VPS (Virtual Private Server) from hostingforweb.com today for my projects. Among the first things I did was watching the security log /var/log/secure
First lines of the logs are: Aug 1 08:34:01 server sshd: Server listening on 0.0.0.0 port 22. Aug 1 08:37:39 server sshd: Accepted password for root from 188.8.131.52 port 2781 means, someone accessed the server as root 3 minutes after it was started
Now imagine my shock when `whois 184.108.40.206` shown the "Belarus republic" as country. A large US hosting provider hires administrators in the "black-listed" country? Or Belorussian hacked the servers in 3 minutes after it's installed??? I even wrote support a question.
And the fact is that they have a "Minsk office" in Belarus. Nice, now US is a place where Russian admins set up servers for Russian programmers. And Bush politics does not matter ;)
And should I mention, this is probably the 1st time I see the latest version of PHP is already installed correctly with Apache 1.3, which means admins did it themselves, and there were almost all development packages I usually miss in the fresh-installed Red Hat distributives.
Now I'll check how stable their network and system are.
~ August 10, 2007 the server is stable, configuration is a really good one. The only problem I see is the very slow disk operations. Looks like their hard disks are overloaded and it takes significant time to do anything involving operations with files. For my tasks it is not critical.