Dailydave mailing list archives

Re: Boom! Loopcasts.
From: Bas Alberts <bas.alberts () immunityinc com>
Date: Tue, 20 Aug 2013 15:15:40 -0400

I think you're thinking a bit too high-level, bro.

The actual PHP interpreter is a piece of shit. It is horrendous, atrocious,
and a whole bunch of other ous-es, except for delicious.

Even in a language-semantic perfectly secure PHP application, it's still
being interpreted by the biggest pile of loosely written C code known
to man.

That means that your theoretical PHP level security falls on its ass with 
the quality of the actual PHP interpreter, because what would in theory be a 
safe and secure API on the PHP level can still turn out (and often does) to 
be a complete disaster on the C level.

Therefore, everything PHP based is completely insecure.


On Tue, Aug 20, 2013 at 08:15:53AM -0400, Justin C. Klein Keane wrote:


  I'm writing after listening to Loopcast 73 and hearing Dave say
"Everything PHP based is completely insecure" (min 30:18) in the
course of the interview.  I had to rewind the podcast a couple of
times, sure that I'd misheard something.  After a quick Tweet [1] I
got a number of responses and the suggestion that I e-mail the list.
The dubious wisdom of submitting my thoughts to a moderated list in
order to criticize the list's namesake isn't lost on me.  I'm not
going to spend too much time on this e-mail in case it gets routed to

  Stating that an entire programming language is secure, or insecure,
is overreaching to the point of useless generalization.  If we
consider security to be a non-trivial property then it can't be
computed [2].  If we're making attestations that can't be proven
computationally then they're purely based on anecdote.  While I'm sure
there are convincing anecdotes about insecure PHP programs, there are
also counter examples [3].

  I think it's irresponsible to label an entire language insecure,
even one like PHP, which is the favorite whipping boy of the security
community.  While it is accurate to say that PHP is an extremely
widespread, and easy to learn, programming language for producing
globally available always-on web applications, and that the popularity
and ease of PHP lend themselves to novices producing insecure
applications in the language, it is not accurate to say that PHP
itself is insecure.  PHP based applications suffer just as many
security flaws as any other application.  Security, or lack thereof,
is derived in implementation.

  While we can make specific claims about security related attributes
of PHP, such as: PHP doesn't allow the programmer to make unchecked
memory assignments (i.e. no buffer overflows), we can't say that this
makes the language secure or insecure.  It is just as easy to produce
an insecure web application in Java, or ASP.NET, [4] as it is in PHP.
Singling out an entire language for derision doesn't really advance
any conversation of purpose.

  I think if we want to make specific, actionable, recommendations
vis-a-vis PHP we can certainly say that any organization that deploys
an open source, PHP based, web application without performing a
rigorous code review for security flaws is trusting the security of
that application to third parties and that this is an unwise security
posture.  If Immunity had a PHP based web forum compromise, and didn't
review the forum software before deploying it, the fault doesn't lie
in PHP, but with Immunity for not performing due diligence with
respect to the software.

[1] https://twitter.com/madirish2600/statuses/369549381373923329
[2] https://en.wikipedia.org/wiki/Rice%27s_theorem
[3] https://association.drupal.org/node/17438
[4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project


Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The digital signature on this message can be verified using the key at

On 08/19/2013 11:54 AM, Dave Aitel wrote:
So if you are like me, you are amused by people who strategize on
Cyber without looking at some of the weirder sides to the equation
- i.e. copyright, drug law, funny cat videos, etc. In any case, if
you can stand to hear me rant on and on about such things, the
below loopcast goes into some of this stuff in a hopefully amusing
way. Vanessa tells me it's quite annoying to listen to me talk
about cyberwar for this long, but I sit behind her all day and so
she's forced to hear me go on and on about funny cat videos on a
regular basis.


Some of the other presentations I've done on this subject that are
not really linked anywhere are here:
http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie
from RSA 2012)



_______________________________________________ Dailydave mailing
list Dailydave () lists immunityinc com 
