[Dailydave] Boom! Loopcasts.
Darren Martyn
darren at insecurety.net
Tue Aug 20 15:55:51 EDT 2013
Obviously, Dave is not telling everyone about the weaponized 0day he
clearly has for the PHP interpreter itself ;)
As a general rule though, PHP applications tend to have more trivially
exploitable flaws than other apps*, which is probably due to the
language's documentation and examples being rubbish. Not to mention,
PHP programmers being kind of awful most of the time. Hence, it being
ruled "insecure".
-Darren
* ColdFusion being an exception here, as that is basically a web API
for being owned repeatedly.
On 08/20/13 12:15, Justin C. Klein Keane wrote:
> Hello,
>
> I'm writing after listening to Loopcast 73 and hearing Dave say
> "Everything PHP based is completely insecure" (min 30:18) in the
> course of the interview. I had to rewind the podcast a couple of
> times, sure that I'd misheard something. After a quick Tweet [1]
> I got a number of responses and the suggestion that I e-mail the
> list. The dubious wisdom of submitting my thoughts to a moderated
> list in order to criticize the list's namesake isn't lost on me.
> I'm not going to spend too much time on this e-mail in case it gets
> routed to /dev/null.
>
> Stating that an entire programming language is secure, or
> insecure, is overreaching to the point of useless generalization.
> If we consider security to be a non-trivial property then it can't
> be computed [2]. If we're making attestations that can't be
> proven computationally then they're purely based on anecdote.
> While I'm sure there are convincing anecdotes about insecure PHP
> programs, there are also counter examples [3].
>
> I think it's irresponsible to label an entire language insecure,
> even one like PHP, which is the favorite whipping boy of the
> security community. While it is accurate to say that PHP is an
> extremely widespread, and easy to learn, programming language for
> producing globally available always-on web applications, and that
> the popularity and ease of PHP lend themselves to novices
> producing insecure applications in the language, it is not accurate
> to say that PHP itself is insecure. PHP based applications suffer
> just as many security flaws as any other application. Security, or
> lack thereof, is derived in implementation.
>
> While we can make specific claims about security related
> attributes of PHP, such as: PHP doesn't allow the programmer to
> make unchecked memory assignments (i.e. no buffer overflows), we
> can't say that this makes the language secure or insecure. It is
> just as easy to produce an insecure web application in Java, or
> ASP.NET, [4] as it is in PHP. Singling out an entire language for
> derision doesn't really advance any conversation of purpose.
>
> I think if we want to make specific, actionable, recommendations
> vis-a-vis PHP we can certainly say that any organization that
> deploys an open source, PHP based, web application without
> performing a rigorous code review for security flaws is trusting
> the security of that application to third parties and that this is
> an unwise security posture. If Immunity had a PHP based web forum
> compromise, and didn't review the forum software before deploying
> it, the fault doesn't lie in PHP, but with Immunity for not
> performing due diligence with respect to the software.
>
> [1] https://twitter.com/madirish2600/statuses/369549381373923329
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem
> [3] https://association.drupal.org/node/17438
> [4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Cheers,
>
>
> Justin C. Klein Keane, MA MCIT
> Security Engineer
> University of Pennsylvania, School of Arts & Sciences
>
> The digital signature on this message can be verified using the key
> at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
>
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
>> So if you are like me, you are amused by people who strategize
>> on Cyber without looking at some of the weirder sides to the
>> equation - i.e. copyright, drug law, funny cat videos, etc. In
>> any case, if you can stand to hear me rant on and on about such
>> things, the below loopcast goes into some of this stuff in a
>> hopefully amusing way. Vanessa tells me it's quite annoying to
>> listen to me talk about cyberwar for this long, but I sit behind
>> her all day and so she's forced to hear me go on and on about
>> funny cat videos on a regular basis.
>
>> http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
>
>> Some of the other presentations I've done on this subject that
>> are not really linked anywhere are here:
>> http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
>> http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be
>> (movie from RSA 2012)
>
>> -dave
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
--
Insecurety Research - http://insecurety.net