Dailydave mailing list archives
Re: Boom! Loopcasts.
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Tue, 20 Aug 2013 15:15:40 -0400
I think you're thinking a bit too high-level, bro. The actual PHP interpreter is a piece of shit. It is horrendous, atrocious, and a whole bunch of other ous-es, except for delicious. Even in a language-semantic perfectly secure PHP application, it's still being interpreted by the biggest pile of loosely written C code known to man. That means that your theoretical PHP-level security falls on its ass with the quality of the actual PHP interpreter, because what would in theory be a safe and secure API on the PHP level can still turn out (and often does) to be a complete disaster on the C level. Therefore, everything PHP based is completely insecure.

Love,
Bas

On Tue, Aug 20, 2013 at 08:15:53AM -0400, Justin C. Klein Keane wrote:
Hello,

I'm writing after listening to Loopcast 73 and hearing Dave say "Everything PHP based is completely insecure" (min 30:18) in the course of the interview. I had to rewind the podcast a couple of times, sure that I'd misheard something. After a quick Tweet [1] I got a number of responses and the suggestion that I e-mail the list. The dubious wisdom of submitting my thoughts to a moderated list in order to criticize the list's namesake isn't lost on me. I'm not going to spend too much time on this e-mail in case it gets routed to /dev/null.

Stating that an entire programming language is secure, or insecure, is overreaching to the point of useless generalization. If we consider security to be a non-trivial property then it can't be computed [2]. If we're making attestations that can't be proven computationally then they're purely based on anecdote. While I'm sure there are convincing anecdotes about insecure PHP programs, there are also counterexamples [3]. I think it's irresponsible to label an entire language insecure, even one like PHP, which is the favorite whipping boy of the security community. While it is accurate to say that PHP is an extremely widespread, and easy to learn, programming language for producing globally available always-on web applications, and that the popularity and ease of PHP lend themselves to novices producing insecure applications in the language, it is not accurate to say that PHP itself is insecure. PHP based applications suffer just as many security flaws as any other application. Security, or lack thereof, is derived in implementation. While we can make specific claims about security related attributes of PHP, such as: PHP doesn't allow the programmer to make unchecked memory assignments (i.e. no buffer overflows), we can't say that this makes the language secure or insecure. It is just as easy to produce an insecure web application in Java, or ASP.NET, [4] as it is in PHP.

Singling out an entire language for derision doesn't really advance any conversation of purpose. I think if we want to make specific, actionable, recommendations vis-a-vis PHP we can certainly say that any organization that deploys an open source, PHP based, web application without performing a rigorous code review for security flaws is trusting the security of that application to third parties and that this is an unwise security posture. If Immunity had a PHP based web forum compromise, and didn't review the forum software before deploying it, the fault doesn't lie in PHP, but with Immunity for not performing due diligence with respect to the software.

[1] https://twitter.com/madirish2600/statuses/369549381373923329
[2] https://en.wikipedia.org/wiki/Rice%27s_theorem
[3] https://association.drupal.org/node/17438
[4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Cheers,
Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences
The digital signature on this message can be verified using the key at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key

On 08/19/2013 11:54 AM, Dave Aitel wrote:

So if you are like me, you are amused by people who strategize on Cyber without looking at some of the weirder sides to the equation - i.e. copyright, drug law, funny cat videos, etc. In any case, if you can stand to hear me rant on and on about such things, the below loopcast goes into some of this stuff in a hopefully amusing way. Vanessa tells me it's quite annoying to listen to me talk about cyberwar for this long, but I sit behind her all day and so she's forced to hear me go on and on about funny cat videos on a regular basis.

http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/

Some of the other presentations I've done on this subject that are not really linked anywhere are here:

http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie from RSA 2012)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Boom! Loopcasts. Dave Aitel (Aug 19)
- Re: Boom! Loopcasts. Justin C. Klein Keane (Aug 20)
- Re: Boom! Loopcasts. Bas Alberts (Aug 20)
- Re: Boom! Loopcasts. security curmudgeon (Aug 20)
- Re: Boom! Loopcasts. Christey, Steven M. (Aug 21)
- Re: Boom! Loopcasts. Darren Martyn (Aug 20)
- Re: Boom! Loopcasts. Justin C. Klein Keane (Aug 20)