[Dailydave] Boom! Loopcasts.

Darren Martyn darren at insecurety.net
Tue Aug 20 15:55:51 EDT 2013



Obviously, Dave is not telling everyone about the weaponized 0day he
clearly has for the PHP interpreter itself ;)

As a general rule though, PHP applications tend to have more trivially
exploitable flaws than other apps*, which is probably due to the
language's documentation and examples being rubbish. Not to mention,
PHP programmers being kind of awful most of the time. Hence, it being
ruled "insecure".

-Darren

* Coldfusion being an exception here, as that is basically a web API
for being owned repeatedly.

On 08/20/13 12:15, Justin C. Klein Keane wrote:
> Hello,
> 
> I'm writing after listening to Loopcast 73 and hearing Dave say 
> "Everything PHP based is completely insecure" (min 30:18) in the 
> course of the interview.  I had to rewind the podcast a couple of 
> times, sure that I'd misheard something.  After a quick Tweet [1]
> I got a number of responses and the suggestion that I e-mail the
> list. The dubious wisdom of submitting my thoughts to a moderated
> list in order to criticize the list's namesake isn't lost on me.
> I'm not going to spend too much time on this e-mail in case it gets
> routed to /dev/null.
> 
> Stating that an entire programming language is secure, or
> insecure, is overreaching to the point of useless generalization.
> If we consider security to be a non-trivial property then it can't
> be computed [2].  If we're making attestations that can't be
> proven computationally then they're purely based on anecdote.
> While I'm sure there are convincing anecdotes about insecure PHP
> programs, there are also counterexamples [3].
> 
> I think it's irresponsible to label an entire language insecure, 
> even one like PHP, which is the favorite whipping boy of the
> security community.  While it is accurate to say that PHP is an
> extremely widespread, and easy to learn, programming language for
> producing globally available always-on web applications, and that
> the popularity and ease of PHP lend themselves to novices
> producing insecure applications in the language, it is not accurate
> to say that PHP itself is insecure.  PHP based applications suffer
> just as many security flaws as any other application.  Security, or
> lack thereof, is derived in implementation.
> 
> While we can make specific claims about security related
> attributes of PHP, such as: PHP doesn't allow the programmer to
> make unchecked memory assignments (i.e. no buffer overflows), we
> can't say that this makes the language secure or insecure.  It is
> just as easy to produce an insecure web application in Java, or
> ASP.NET, [4] as it is in PHP. Singling out an entire language for
> derision doesn't really advance any conversation of purpose.
> 
> I think if we want to make specific, actionable, recommendations 
> vis-a-vis PHP we can certainly say that any organization that
> deploys an open source, PHP based, web application without
> performing a rigorous code review for security flaws is trusting
> the security of that application to third parties and that this is
> an unwise security posture.  If Immunity had a PHP based web forum
> compromise, and didn't review the forum software before deploying
> it, the fault doesn't lie in PHP, but with Immunity for not
> performing due diligence with respect to the software.
> 
> [1] https://twitter.com/madirish2600/statuses/369549381373923329
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem
> [3] https://association.drupal.org/node/17438
> [4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
> 
> Cheers,
> 
> 
> Justin C. Klein Keane, MA MCIT
> Security Engineer
> University of Pennsylvania, School of Arts & Sciences
> 
> The digital signature on this message can be verified using the key
> at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
> 
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
>> So if you are like me, you are amused by people who strategize
>> on Cyber without looking at some of the weirder sides to the
>> equation - i.e. copyright, drug law, funny cat videos, etc. In
>> any case, if you can stand to hear me rant on and on about such
>> things, the below loopcast goes into some of this stuff in a
>> hopefully amusing way. Vanessa tells me it's quite annoying to
>> listen to me talk about cyberwar for this long, but I sit behind
>> her all day and so she's forced to hear me go on and on about
>> funny cat videos on a regular basis.
> 
>> http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
>
>> Some of the other presentations I've done on this subject that
>> are not really linked anywhere are here:
>> http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
>> http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be
>> (movie from RSA 2012)
> 
>> -dave
> 
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
> 

-- 
Insecurety Research - http://insecurety.net

