The original page has been deleted?

On Thu, Mar 7, 2013 at 7:50 PM, Christian Sciberras <[email protected]> wrote:
> Andrew,
>
> You realize this guy is trying to advise people through a tutorial?
> It's not like we're talking about average Joe shipping buggy software...
> people *teaching bad practices,* especially in this field should be shot dead before they do any more damage.
>
> You just can't learn how to code by teaching others to do it wrongly.
>
> Pointing back to my comprehensive list, the author missed some of the very basics of programming in general (undefined variables, no indentation..).
>
> Chris.
>
> On Fri, Mar 8, 2013 at 2:14 AM, Andrew King <[email protected]> wrote:
>
>> Has anyone considered that loads of stuff is shipped bugged?
>>
>> I mean it's not like they hosted it on their site executable. It's also not like we're talking about vsftpd where it's installed for a legitimate purpose on millions if not billions of PCs.
>>
>> The million eyeball test and trolling a company where one person might have to read 15 articles a day in addition to actual job duties are not even in the same realm. Add to that maybe backdoor software like sub7 had administrative access backdoors. The list goes on. All I'm saying is don't be dense.
>>
>> On Wed, Mar 6, 2013 at 2:57 AM, Christian Sciberras <[email protected]> wrote:
>>
>>> Ulisses,
>>>
>>> No, I'm blaming developers that are not in the field of security for this mess.
>>>
>>> Chris.
>>>
>>> On Wed, Mar 6, 2013 at 1:10 PM, Ulisses Montenegro <[email protected]> wrote:
>>>
>>>> Christian
>>>>
>>>> If you're reading my email as "it's the developers' fault", then you got it wrong -- I've been a developer for most of my life. And while things have gotten better in the last years, there are still tons of "build your blog in 15 minutes" or "develop a twitter clone in 2h" tutorials/advertisements for various platforms and languages out there which either assume security is a non-issue, or assume the platform/language will take care of it for you.
>>>>
>>>> Heck, the manpages for some libc functions on non-GNU platforms still show vulnerable code in examples. perldoc is riddled with code that is just enough to show how a given function should be used, but with no validation whatsoever. I remember reading the training material for an Oracle product (sorry, I really can't recall the name) which touted being able to have the application security handled by infrastructure/middleware components as a desirable feature.
>>>>
>>>> So while I'd agree that we are getting better at this, we're still far from ideal. The canonical "hello world" for most languages/platforms out there, in most cases, still does not make explicit references to security issues.
>>>>
>>>> On Wed, Mar 6, 2013 at 8:49 AM, Christian Sciberras <[email protected]> wrote:
>>>>
>>>>> The article actually recommends looking for information from www.w3schools.com <http://www.w3fools.com>?!
>>>>>
>>>>> Here's a few other obviously missing things:
>>>>> - script requires input but does not check for it (very bad PHP practice)
>>>>> - what the hell is with that code? Ever heard about indentation?
>>>>> - there should be some very basic sanitization; ints be ints and strings be strings
>>>>> - hiding all errors, that was a very smart thing to do....
>>>>> - early 20's html and css coding style to boot
>>>>>
>>>>> Regarding the tool itself, obviously it's not meant to be used publicly, hence why I could close my eye in this respect.
>>>>>
>>>>> Ulisses, developers already do this. Actually, they've been doing it for quite some time.
>>>>> Perhaps the "security experts" writing tutorials as in that article should follow?
>>>>>
>>>>> On Wed, Mar 6, 2013 at 11:55 AM, Dan Ballance <[email protected]> wrote:
>>>>>
>>>>>> +1
>>>>>> On 6 Mar 2013 10:41, "Ulisses Montenegro" <[email protected]> wrote:
>>>>>>
>>>>>>> Not including proper input validation and error handling in code samples is one of the most common and harmful practices in the software development industry -- doing it is not "optional" or "advanced", it is mandatory unless you want to be pwned.
>>>>>>>
>>>>>>> Developers need to start doing things properly from the very beginning, as habits become harder and harder to change with experience.
>>>>>>>
>>>>>>> On Wed, Mar 6, 2013 at 7:33 AM, Benji <[email protected]> wrote:
>>>>>>>
>>>>>>>> Actually, adding input sanitisation really wouldn't increase the code size that much. Are you just incompetent?
>>>>>>>>
>>>>>>>> On Wed, Mar 6, 2013 at 7:46 AM, Źmicier Januszkiewicz <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Dear list,
>>>>>>>>>
>>>>>>>>> Well, I suppose this had to be a proof-of-concept piece of code to demonstrate how port scanning can be done in PHP, not production-grade software. Adding input sanitization would increase the code size by a lot and obscure the concept somewhat (not that there is much to be said about the concept though). Think we can give the dude some discount for that.
>>>>>>>>>
>>>>>>>>> Nevertheless, seeing something like this coming from "Certified Ethical Hacker and Security + certified" makes me doubt the worth of those certificates. Could be nice to know the exact naming of those certificates to properly disregard them in the future.
>>>>>>>>>
>>>>>>>>> With best regards,
>>>>>>>>> Z.
>>>>>>>>>
>>>>>>>>> 2013/3/6 laurent gaffie <[email protected]>
>>>>>>>>>
>>>>>>>>>> http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/
>>>>>>>>>>
>>>>>>>>>> Finding the vulnerability in this code is left as an exercise to the reader.
>>>>>>>>>>
>>>>>>>>>> PS: "*Your comment will be awaiting moderation forever."*
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>> --
>>>>>>> “If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - *Edsger Dijkstra*
>>>>
>>>> --
>>>> “If debugging is the process of removing software bugs, then programming must be the process of putting them in.” - *Edsger Dijkstra*
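The thread's concrete complaints about the tutorial script are that it reads input without checking it is present, does not keep "ints as ints and strings as strings", and hides every error. The following is an added example written for this page, not code from the infosecinstitute article or from anyone on the thread: it validates the two parameters such a script would take (the names `host` and `port`, the `$_GET` source, and PHP 7.1 or later are assumptions) and handles failures explicitly instead of suppressing them. It deliberately covers only the validation and error-handling layer the posters say is missing, not the connection logic.

```php
<?php
// Added example (not from the article under discussion or from any poster):
// validate the inputs a PHP "mini port scanner" script would read, and
// surface errors instead of hiding them. Parameter names `host` and `port`,
// the $_GET source and PHP >= 7.1 are assumptions.

declare(strict_types=1);

// Report everything, but log it rather than echoing raw PHP errors to the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a validated [host, port] pair or throw on any defect.
 * Strings stay strings (checked against a strict IP/hostname grammar),
 * ints stay ints (parsed and range-checked).
 *
 * @param array<string, mixed> $params  usually $_GET or $_POST
 * @return array{0: string, 1: int}
 */
function validate_target(array $params): array
{
    // 1. The script requires input: reject a missing parameter explicitly.
    //    is_string() also rejects ?host[]=x, which PHP would decode as an array.
    foreach (['host', 'port'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            throw new InvalidArgumentException("missing or malformed parameter: $name");
        }
    }

    // 2. "Strings be strings": accept only an IPv4/IPv6 literal or a hostname
    //    built from labels of [A-Za-z0-9-] that do not start or end with '-'.
    $host = trim($params['host']);
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
    if (!$isIp && !$isName) {
        throw new InvalidArgumentException('host is not a valid IP address or hostname');
    }

    // 3. "Ints be ints": FILTER_VALIDATE_INT rejects "80abc", "8e1", "080" and
    //    floats; the range option rejects 0, negatives and anything above 65535.
    $port = filter_var($params['port'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($port === false) {
        throw new InvalidArgumentException('port must be an integer between 1 and 65535');
    }

    return [$host, $port];
}

// Usage: handle the failure path ourselves rather than with @ or error_reporting(0).
try {
    [$host, $port] = validate_target($_GET);
    // The script's connection logic would use $host and $port from here on;
    // whatever is echoed back to the browser is still escaped.
    echo 'Target: ' . htmlspecialchars("$host:$port", ENT_QUOTES, 'UTF-8') . "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    // Validation messages describe our own rules, so they are safe to show.
    echo 'Bad request: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "\n";
} catch (Throwable $e) {
    // Unexpected failure: log the detail, give the client nothing useful.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Internal error\n";
}
```

The two checks that most often get dropped from tutorial code are the `is_string()` test (PHP happily turns `?port[]=80` into an array, which many "sanitizers" then stringify to `Array`) and the distinction between validation errors, which the client caused and may see, and unexpected errors, which go to the log only. Neither adds more than a few lines, which is the point Benji and Ulisses make above.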
