Obviously, Dave is not telling everyone about the weaponized 0day he clearly has for the PHP interpreter itself ;)

As a general rule though, PHP applications tend to have more trivially exploitable flaws than other apps*, which is probably due to the language's documentation and examples being rubbish. Not to mention PHP programmers being kind of awful most of the time. Hence it being ruled "insecure".

-Darren

* ColdFusion being an exception here, as that is basically a web API for being owned repeatedly.

On 08/20/13 12:15, Justin C. Klein Keane wrote:
> Hello,
>
> I'm writing after listening to Loopcast 73 and hearing Dave say
> "Everything PHP based is completely insecure" (min 30:18) in the
> course of the interview. I had to rewind the podcast a couple of
> times, sure that I'd misheard something. After a quick Tweet [1]
> I got a number of responses and the suggestion that I e-mail the
> list. The dubious wisdom of submitting my thoughts to a moderated
> list in order to criticize the list's namesake isn't lost on me.
> I'm not going to spend too much time on this e-mail in case it gets
> routed to /dev/null.
>
> Stating that an entire programming language is secure, or
> insecure, is overreaching to the point of useless generalization.
> If we consider security to be a non-trivial property then it can't
> be computed [2]. If we're making attestations that can't be
> proven computationally then they're purely based on anecdote.
> While I'm sure there are convincing anecdotes about insecure PHP
> programs, there are also counter examples [3].
>
> I think it's irresponsible to label an entire language insecure,
> even one like PHP, which is the favorite whipping boy of the
> security community. While it is accurate to say that PHP is an
> extremely widespread, and easy to learn, programming language for
> producing globally available always-on web applications, and that
> the popularity and ease of PHP lend themselves to novices
> producing insecure applications in the language, it is not accurate
> to say that PHP itself is insecure. PHP based applications suffer
> just as many security flaws as any other application. Security, or
> lack thereof, is derived in implementation.
>
> While we can make specific claims about security related
> attributes of PHP, such as: PHP doesn't allow the programmer to
> make unchecked memory assignments (i.e. no buffer overflows), we
> can't say that this makes the language secure or insecure. It is
> just as easy to produce an insecure web application in Java, or
> ASP.NET, [4] as it is in PHP. Singling out an entire language for
> derision doesn't really advance any conversation of purpose.
>
> I think if we want to make specific, actionable recommendations
> vis-a-vis PHP we can certainly say that any organization that
> deploys an open source, PHP based web application without
> performing a rigorous code review for security flaws is trusting
> the security of that application to third parties and that this is
> an unwise security posture. If Immunity had a PHP based web forum
> compromise, and didn't review the forum software before deploying
> it, the fault doesn't lie in PHP, but with Immunity for not
> performing due diligence with respect to the software.
>
> [1] https://twitter.com/madirish2600/statuses/369549381373923329
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem
> [3] https://association.drupal.org/node/17438
> [4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Cheers,
>
> Justin C. Klein Keane, MA MCIT
> Security Engineer
> University of Pennsylvania, School of Arts & Sciences
>
> The digital signature on this message can be verified using the key
> at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
>
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
>> So if you are like me, you are amused by people who strategize
>> on Cyber without looking at some of the weirder sides to the
>> equation - i.e. copyright, drug law, funny cat videos, etc. In
>> any case, if you can stand to hear me rant on and on about such
>> things, the below loopcast goes into some of this stuff in a
>> hopefully amusing way. Vanessa tells me it's quite annoying to
>> listen to me talk about cyberwar for this long, but I sit behind
>> her all day and so she's forced to hear me go on and on about
>> funny cat videos on a regular basis.
>>
>> http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
>>
>> Some of the other presentations I've done on this subject that
>> are not really linked anywhere are here:
>> http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
>> http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be
>> (movie from RSA 2012)
>>
>> -dave
>>
>> _______________________________________________
>> Dailydave mailing list
>> [email protected]
>> https://lists.immunityinc.com/mailman/listinfo/dailydave

-- 
Insecurety Research - http://insecurety.net
