Re: Boom! Loopcasts.

[Darren Martyn <darren () insecurety net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Obviously, Dave is not telling everyone about the weaponized 0day he
clearly has for the PHP interpreter itself ;)

As a general rule though, PHP applications tend to have more trivially
exploitable flaws than other apps*, which is probably due to the
languages documentation and examples being rubbish. Not to mention,
PHP programmers being kind of awful most of the time. Hence, it being
ruled "insecure".

- -Darren

* Coldfusion being an exception here, as that is basically a web API
for being owned repeatedly.

On 08/20/13 12:15, Justin C. Klein Keane wrote:
> Hello,
>
> I'm writing after listening to Loopcast 73 and hearing Dave say 
> "Everything PHP based is completely insecure" (min 30:18) in the 
> course of the interview.  I had to rewind the podcast a couple of 
> times, sure that I'd misheard something.  After a quick Tweet [1]
> I got a number of responses and the suggestion that I e-mail the
> list. The dubious wisdom of submitting my thoughts to a moderated
> list in order to criticize the list's namesake isn't lost on me.
> I'm not going to spend too much time on this e-mail in case it gets
> routed to /dev/null.
>
> Stating that an entire programming language is secure, or
> insecure, is overreaching to the point of useless generalization.
> If we consider security to be a non-trivial property then it can't
> be computed [2].  If we're making attestations that can't be
> proven computationally then they're purely based on anecdote.
> While I'm sure there are convincing anecdotes about insecure PHP
> programs, there are also counter examples [3].
>
> I think it's irresponsible to label an entire language insecure, 
> even one like PHP, which is the favorite whipping boy of the
> security community.  While it is accurate to say that PHP is an
> extremely widespread, and easy to learn, programming language for
> producing globally available always-on web applications, and that
> the popularity and ease of PHP lend themselves to novice's
> producing insecure applications in the language, it is not accurate
> to say that PHP itself is insecure.  PHP based applications suffer
> just as many security flaws as any other application.  Security, or
> lack thereof, is derived in implementation.
>
> While we can make specific claims about security related
> attributes of PHP, such as: PHP doesn't allow the programmer to
> make unchecked memory assignments (i.e. no buffer overflows), we
> can't say that this makes the language secure or insecure.  It is
> just as easy to produce an insecure web application in Java, or
> ASP.NET, [4] as it is in PHP. Singling out an entire language for
> derision doesn't really advance any conversation of purpose.
>
> I think if we want to make specific, actionable, recommendations 
> vis-a-vis PHP we can certainly say that any organization that
> deploys an open source, PHP based, web application without
> performing a rigorous code review for security flaws is trusting
> the security of that application to third parties and that this is
> an unwise security posture.  If Immunity had a PHP based web forum
> compromise, and didn't review the forum software before deploying
> it, the fault doesn't lie in PHP, but with Immunity for not
> performing due diligence with respect to the software.
>
> [1] https://twitter.com/madirish2600/statuses/369549381373923329 
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem [3]
> https://association.drupal.org/node/17438 [4]
> https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Cheers,
>
>
> Justin C. Klein Keane, MA MCIT Security Engineer University of
> Pennsylvania, School of Arts & Sciences
>
> The digital signature on this message can be verified using the key
> at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
>
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
> > So if you are like me, you are amused by people who strategize
> > on Cyber without looking at some of the weirder sides to the
> > equation - i.e. copyright, drug law, funny cat videos, etc. In
> > any case, if you can stand to hear me rant on and on about such
> > things, the below loopcast goes into some of this stuff in a
> > hopefully amusing way. Vanessa tells me it's quite annoying to
> > listen to me talk about cyberwar for this long, but I sit behind
> > her all day and so she's forced to hear me go on and on about
> > funny cat videos on a regular basis.
>
> > http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
>
> >  Some of the other presentations I've done on this subject that
> > are not really linked anywhere are here: 
> > http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi) 
> > http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be
> > (movie from RSA 2012)
>
> > -dave
>
>
> > <http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be>
>
>
> > _______________________________________________ Dailydave
> > mailing list Dailydave () lists immunityinc com 
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
>
> _______________________________________________ Dailydave mailing
> list Dailydave () lists immunityinc com 
> https://lists.immunityinc.com/mailman/listinfo/dailydave

- -- 
Insecurety Research - http://insecurety.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSE8nHAAoJEEqUSoN8D1ViVH0H/2fPBwwUsWXg7WA2Fb789G2j
U/capTjTtcC0tdC15RT2ALndrn7EoXEeVpYgO/vhJTbAtyzJ/yV0Su1NeetIsX3Q
qV9WBEbLCHvROde3JFp4GFGfP1ic4oCK2Zm4pzN1qUBR3d2kkJ/i/OJRwKy+jeWL
yeh14ry571WWSCfoRziTzmkmgoLfkXumwFDmBNyvWAyHMq90aq+QTkNkcLiuvCaJ
NxXhq4L3KOO/WytETxCrvM7WrrD4S0q583yMngoSWKshH/qlJlCckqjcmzwQV5/h
qHm43HPe58dBopC7AqyCARywqT460ygLIRViwRPAH0EYMBEFdFqycUoC/N9Fvi4=
=0KtZ
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave