Dailydave mailing list archives
Re: Boom! Loopcasts.
From: Darren Martyn <darren () insecurety net>
Date: Tue, 20 Aug 2013 19:55:51 +0000
Obviously, Dave is not telling everyone about the weaponized 0day he clearly has for the PHP interpreter itself ;)

As a general rule though, PHP applications tend to have more trivially exploitable flaws than other apps*, which is probably due to the language's documentation and examples being rubbish. Not to mention, PHP programmers being kind of awful most of the time. Hence, it being ruled "insecure".

-Darren

* Coldfusion being an exception here, as that is basically a web API for being owned repeatedly.

On 08/20/13 12:15, Justin C. Klein Keane wrote:
Hello,

I'm writing after listening to Loopcast 73 and hearing Dave say "Everything PHP based is completely insecure" (min 30:18) in the course of the interview. I had to rewind the podcast a couple of times, sure that I'd misheard something. After a quick Tweet [1] I got a number of responses and the suggestion that I e-mail the list. The dubious wisdom of submitting my thoughts to a moderated list in order to criticize the list's namesake isn't lost on me. I'm not going to spend too much time on this e-mail in case it gets routed to /dev/null.

Stating that an entire programming language is secure, or insecure, is overreaching to the point of useless generalization. If we consider security to be a non-trivial property then it can't be computed [2]. If we're making attestations that can't be proven computationally then they're purely based on anecdote. While I'm sure there are convincing anecdotes about insecure PHP programs, there are also counter examples [3]. I think it's irresponsible to label an entire language insecure, even one like PHP, which is the favorite whipping boy of the security community.

While it is accurate to say that PHP is an extremely widespread, and easy to learn, programming language for producing globally available always-on web applications, and that the popularity and ease of PHP lend themselves to novices producing insecure applications in the language, it is not accurate to say that PHP itself is insecure. PHP based applications suffer just as many security flaws as any other application. Security, or lack thereof, is derived in implementation. While we can make specific claims about security related attributes of PHP, such as: PHP doesn't allow the programmer to make unchecked memory assignments (i.e. no buffer overflows), we can't say that this makes the language secure or insecure. It is just as easy to produce an insecure web application in Java, or ASP.NET, [4] as it is in PHP.
Singling out an entire language for derision doesn't really advance any conversation of purpose. I think if we want to make specific, actionable, recommendations vis-a-vis PHP we can certainly say that any organization that deploys an open source, PHP based, web application without performing a rigorous code review for security flaws is trusting the security of that application to third parties and that this is an unwise security posture. If Immunity had a PHP based web forum compromise, and didn't review the forum software before deploying it, the fault doesn't lie in PHP, but with Immunity for not performing due diligence with respect to the software.

[1] https://twitter.com/madirish2600/statuses/369549381373923329
[2] https://en.wikipedia.org/wiki/Rice%27s_theorem
[3] https://association.drupal.org/node/17438
[4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Cheers,
Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The digital signature on this message can be verified using the key at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key

On 08/19/2013 11:54 AM, Dave Aitel wrote:

So if you are like me, you are amused by people who strategize on Cyber without looking at some of the weirder sides to the equation - i.e. copyright, drug law, funny cat videos, etc. In any case, if you can stand to hear me rant on and on about such things, the below loopcast goes into some of this stuff in a hopefully amusing way.
Vanessa tells me it's quite annoying to listen to me talk about cyberwar for this long, but I sit behind her all day and so she's forced to hear me go on and on about funny cat videos on a regular basis.

http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/

Some of the other presentations I've done on this subject that are not really linked anywhere are here:

http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie from RSA 2012)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Insecurety Research - http://insecurety.net
Current thread:
- Boom! Loopcasts. Dave Aitel (Aug 19)
- Re: Boom! Loopcasts. Justin C. Klein Keane (Aug 20)
- Re: Boom! Loopcasts. Bas Alberts (Aug 20)
- Re: Boom! Loopcasts. security curmudgeon (Aug 20)
- Re: Boom! Loopcasts. Christey, Steven M. (Aug 21)
- Re: Boom! Loopcasts. Darren Martyn (Aug 20)
- Re: Boom! Loopcasts. Justin C. Klein Keane (Aug 20)