Dailydave mailing list archives

Re: Boom! Loopcasts.
From: Darren Martyn <darren () insecurety net>
Date: Tue, 20 Aug 2013 19:55:51 +0000

Obviously, Dave is not telling everyone about the weaponized 0day he
clearly has for the PHP interpreter itself ;)

As a general rule though, PHP applications tend to have more trivially
exploitable flaws than other apps*, which is probably due to the
language's documentation and examples being rubbish. Not to mention,
PHP programmers being kind of awful most of the time. Hence, it being
ruled "insecure".

-Darren

* Coldfusion being an exception here, as that is basically a web API
for being owned repeatedly.

On 08/20/13 12:15, Justin C. Klein Keane wrote:

I'm writing after listening to Loopcast 73 and hearing Dave say 
"Everything PHP based is completely insecure" (min 30:18) in the 
course of the interview.  I had to rewind the podcast a couple of 
times, sure that I'd misheard something.  After a quick Tweet [1]
I got a number of responses and the suggestion that I e-mail the
list. The dubious wisdom of submitting my thoughts to a moderated
list in order to criticize the list's namesake isn't lost on me.
I'm not going to spend too much time on this e-mail in case it gets
routed to /dev/null.

Stating that an entire programming language is secure, or
insecure, is overreaching to the point of useless generalization.
If we consider security to be a non-trivial property then it can't
be computed [2].  If we're making attestations that can't be
proven computationally then they're purely based on anecdote.
While I'm sure there are convincing anecdotes about insecure PHP
programs, there are also counter examples [3].

I think it's irresponsible to label an entire language insecure, 
even one like PHP, which is the favorite whipping boy of the
security community.  While it is accurate to say that PHP is an
extremely widespread, and easy to learn, programming language for
producing globally available always-on web applications, and that
the popularity and ease of PHP lend themselves to novices
producing insecure applications in the language, it is not accurate
to say that PHP itself is insecure.  PHP based applications suffer
just as many security flaws as any other application.  Security, or
lack thereof, is derived in implementation.

While we can make specific claims about security related
attributes of PHP, such as: PHP doesn't allow the programmer to
make unchecked memory assignments (i.e. no buffer overflows), we
can't say that this makes the language secure or insecure.  It is
just as easy to produce an insecure web application in Java, or
ASP.NET, [4] as it is in PHP. Singling out an entire language for
derision doesn't really advance any conversation of purpose.

I think if we want to make specific, actionable, recommendations 
vis-a-vis PHP we can certainly say that any organization that
deploys an open source, PHP based, web application without
performing a rigorous code review for security flaws is trusting
the security of that application to third parties and that this is
an unwise security posture.  If Immunity had a PHP based web forum
compromise, and didn't review the forum software before deploying
it, the fault doesn't lie in PHP, but with Immunity for not
performing due diligence with respect to the software.

[1] https://twitter.com/madirish2600/statuses/369549381373923329
[2] https://en.wikipedia.org/wiki/Rice%27s_theorem
[3] https://association.drupal.org/node/17438
[4]


Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The digital signature on this message can be verified using the key
at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key

On 08/19/2013 11:54 AM, Dave Aitel wrote:
So if you are like me, you are amused by people who strategize
on Cyber without looking at some of the weirder sides to the
equation - i.e. copyright, drug law, funny cat videos, etc. In
any case, if you can stand to hear me rant on and on about such
things, the below loopcast goes into some of this stuff in a
hopefully amusing way. Vanessa tells me it's quite annoying to
listen to me talk about cyberwar for this long, but I sit behind
her all day and so she's forced to hear me go on and on about
funny cat videos on a regular basis.


Some of the other presentations I've done on this subject that
are not really linked anywhere are here: 
http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi) 
(movie from RSA 2012)



_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com


-- 
Insecurety Research - http://insecurety.net