[Dailydave] Boom! Loopcasts.

Justin C. Klein Keane jukeane at sas.upenn.edu
Tue Aug 20 08:15:53 EDT 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

  I'm writing after listening to Loopcast 73 and hearing Dave say
"Everything PHP based is completely insecure" (min 30:18) in the
course of the interview.  I had to rewind the podcast a couple of
times, sure that I'd misheard something.  After a quick Tweet [1] I
got a number of responses and the suggestion that I e-mail the list.
The dubious wisdom of submitting my thoughts to a moderated list in
order to criticize the list's namesake isn't lost on me.  I'm not
going to spend too much time on this e-mail in case it gets routed to
/dev/null.

  Stating that an entire programming language is secure, or insecure,
is overreaching to the point of useless generalization.  If we
consider security to be a non-trivial property then it can't be
computed [2].  If we're making attestations that can't be proven
computationally then they're purely based on anecdote.  While I'm sure
there are convincing anecdotes about insecure PHP programs, there are
also counter examples [3].

  I think it's irresponsible to label an entire language insecure,
even one like PHP, which is the favorite whipping boy of the security
community.  While it is accurate to say that PHP is an extremely
widespread, and easy to learn, programming language for producing
globally available always-on web applications, and that the popularity
and ease of PHP lend themselves to novice's producing insecure
applications in the language, it is not accurate to say that PHP
itself is insecure.  PHP based applications suffer just as many
security flaws as any other application.  Security, or lack thereof,
is derived in implementation.

  While we can make specific claims about security related attributes
of PHP, such as: PHP doesn't allow the programmer to make unchecked
memory assignments (i.e. no buffer overflows), we can't say that this
makes the language secure or insecure.  It is just as easy to produce
an insecure web application in Java, or ASP.NET, [4] as it is in PHP.
 Singling out an entire language for derision doesn't really advance
any conversation of purpose.

  I think if we want to make specific, actionable, recommendations
vis-a-vis PHP we can certainly say that any organization that deploys
an open source, PHP based, web application without performing a
rigorous code review for security flaws is trusting the security of
that application to third parties and that this is an unwise security
posture.  If Immunity had a PHP based web forum compromise, and didn't
review the forum software before deploying it, the fault doesn't lie
in PHP, but with Immunity for not performing due diligence with
respect to the software.

[1] https://twitter.com/madirish2600/statuses/369549381373923329
[2] https://en.wikipedia.org/wiki/Rice%27s_theorem
[3] https://association.drupal.org/node/17438
[4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Cheers,


Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The digital signature on this message can be verified using the key at
https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key

On 08/19/2013 11:54 AM, Dave Aitel wrote:
> So if you are like me, you are amused by people who strategize on
> Cyber without looking at some of the weirder sides to the equation
> - i.e. copyright, drug law, funny cat videos, etc. In any case, if
> you can stand to hear me rant on and on about such things, the
> below loopcast goes into some of this stuff in a hopefully amusing
> way. Vanessa tells me it's quite annoying to listen to me talk
> about cyberwar for this long, but I sit behind her all day and so
> she's forced to hear me go on and on about funny cat videos on a
> regular basis.
> 
> http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
>
>  Some of the other presentations I've done on this subject that are
> not really linked anywhere are here: 
> http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi) 
> http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie
> from RSA 2012)
> 
> -dave
> 
> 
> <http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be>
> 
> 
> _______________________________________________ Dailydave mailing
> list Dailydave at lists.immunityinc.com 
> https://lists.immunityinc.com/mailman/listinfo/dailydave
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSE13zAAoJEIH7slQlJAgKLRsQAIQGtfmVRyzcCRQw+o7pc0xQ
vEhp4kX33CDckEwFSsDq1T30xC4fR5vVbDBE9jG0HF1sDlCpynLkDI00hpRm7DKj
cAhr17mTDBsdP2r9CC8Sp9gvK/50CQXNFafgoKYedqpYK2b4EfsuAkmTEZma9H35
sroGRAXLs5gjM3V3//4yATfdMQELqCCF9iITfpdj9lx8YsdLCH1WdNmrq+bGmmdR
cYGphK0b4XDliHLUUKxRu4Jm3UQublN1HsXDQ2uu7vAiyo/2Cq7cRK/B6KTrasBX
+BRBga9KKC9uZNaYcVtdx1/SJ9lzcnNDfc8t7mmC5sf2JKxwXZ5OBQi/FSQck0EG
6w+WkaNw5/ilgIKr5fFvIFlOnX1P2FGiCfyNwvpI9ZTn7Pp0gR4dZuYuz5kMweFf
ujRogCc6uMPpCx4sFFwTd/egtZ4oII314swk5DYUqoPSG+Kr5UEtIBMstVB2OP8G
XzC9drmceZth5aBBP0ryZlyw5iOPLTMJMCLz/Y/A8i6Jo+mA87OlRzkZtZvLKOpW
u00Cj4ctz4nWRfVyEQsIpEu7ZUvbkfCEf647y+dPhNvC7VnGToWfOffjuQoOql2N
vMuBEL3qY9We5fzNbxledzMisnef8fVW8KQ58d/wBHQGjcK7rvNDFE5Kdz1eXE+2
KqtaN09PFC/vgmkHu5uo
=qEKp
-----END PGP SIGNATURE-----

More information about the Dailydave mailing list