[Dailydave] Boom! Loopcasts.

Bas Alberts bas.alberts at immunityinc.com
Tue Aug 20 15:15:40 EDT 2013


I think you're thinking a bit too high-level, bro.

The actual PHP interpreter is a piece of shit. It is horrendous, atrocious, 
and a whole bunch of other ous-es, except for delicious. 

Even in a language-semantic perfectly secure PHP application, it's still
being interpreted by the biggest pile of loosely written C code known
to man.

That means that your theoretical PHP level security falls on its ass with 
the quality of the actual PHP interpreter, because what would in theory be a 
safe and secure API on the PHP level can still turn out (and often does) to 
be a complete disaster on the C level.

Therefore, everything PHP based is completely insecure.

Love,
Bas

On Tue, Aug 20, 2013 at 08:15:53AM -0400, Justin C. Klein Keane wrote:
> 
> Hello,
> 
>   I'm writing after listening to Loopcast 73 and hearing Dave say
> "Everything PHP based is completely insecure" (min 30:18) in the
> course of the interview.  I had to rewind the podcast a couple of
> times, sure that I'd misheard something.  After a quick Tweet [1] I
> got a number of responses and the suggestion that I e-mail the list.
> The dubious wisdom of submitting my thoughts to a moderated list in
> order to criticize the list's namesake isn't lost on me.  I'm not
> going to spend too much time on this e-mail in case it gets routed to
> /dev/null.
> 
>   Stating that an entire programming language is secure, or insecure,
> is overreaching to the point of useless generalization.  If we
> consider security to be a non-trivial property then it can't be
> computed [2].  If we're making attestations that can't be proven
> computationally then they're purely based on anecdote.  While I'm sure
> there are convincing anecdotes about insecure PHP programs, there are
> also counter examples [3].
> 
>   I think it's irresponsible to label an entire language insecure,
> even one like PHP, which is the favorite whipping boy of the security
> community.  While it is accurate to say that PHP is an extremely
> widespread, and easy to learn, programming language for producing
> globally available always-on web applications, and that the popularity
> and ease of PHP lend themselves to novices producing insecure
> applications in the language, it is not accurate to say that PHP
> itself is insecure.  PHP based applications suffer just as many
> security flaws as any other application.  Security, or lack thereof,
> is derived in implementation.
> 
>   While we can make specific claims about security related attributes
> of PHP, such as: PHP doesn't allow the programmer to make unchecked
> memory assignments (i.e. no buffer overflows), we can't say that this
> makes the language secure or insecure.  It is just as easy to produce
> an insecure web application in Java, or ASP.NET, [4] as it is in PHP.
>  Singling out an entire language for derision doesn't really advance
> any conversation of purpose.
> 
>   I think if we want to make specific, actionable, recommendations
> vis-a-vis PHP we can certainly say that any organization that deploys
> an open source, PHP based, web application without performing a
> rigorous code review for security flaws is trusting the security of
> that application to third parties and that this is an unwise security
> posture.  If Immunity had a PHP based web forum compromise, and didn't
> review the forum software before deploying it, the fault doesn't lie
> in PHP, but with Immunity for not performing due diligence with
> respect to the software.
> 
> [1] https://twitter.com/madirish2600/statuses/369549381373923329
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem
> [3] https://association.drupal.org/node/17438
> [4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
> 
> Cheers,
> 
> 
> Justin C. Klein Keane, MA MCIT
> Security Engineer
> University of Pennsylvania, School of Arts & Sciences
> 
> The digital signature on this message can be verified using the key at
> https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
> 
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
> > So if you are like me, you are amused by people who strategize on
> > Cyber without looking at some of the weirder sides to the equation
> > - i.e. copyright, drug law, funny cat videos, etc. In any case, if
> > you can stand to hear me rant on and on about such things, the
> > below loopcast goes into some of this stuff in a hopefully amusing
> > way. Vanessa tells me it's quite annoying to listen to me talk
> > about cyberwar for this long, but I sit behind her all day and so
> > she's forced to hear me go on and on about funny cat videos on a
> > regular basis.
> > 
> > http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
> >
> >  Some of the other presentations I've done on this subject that are
> > not really linked anywhere are here: 
> > http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi) 
> > http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie
> > from RSA 2012)
> > 
> > -dave
> > 
> > 
> > 
> > 
> > _______________________________________________ Dailydave mailing
> > list Dailydave at lists.immunityinc.com 
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
> > 