Last night I finally retired from the PHP Security Response Team, that was initially my idea a few years ago.
The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP’s security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the
times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin (http://www.suhosin.org/).
For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.
Stefan has a history of providing well written and very technical attacks against the PHP language. If he was one of the few (only?) people that cared about security, this doesn’t bode well for PHP.
Social Implications of Keysigning
Raven & Jericho
Tue May 23 01:41:20 EDT 2006
The use of strong public encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP); started as a free method for protecting emails or other sensitive information, later turned into a cornerstone for a large company. As PGP became more corporate, costly and used patented algorithms, another project, GnuPG, sprung up to continue to offer strong encryption to the masses.
One foundation of reliable encryption is trust. The use of encryption between two or more people relies on you being sure that the message you sent is properly encrypted to and able to be decrypted solely by the intended recipient. When using a friend’s GPG key, you must be sure that the key was created by and belongs solely to your friend. Otherwise, you may send mail that your friend cannot read (if they don’t have the key you encrypted to), or worse, mail that some other party can read (if that party does have the key you encrypted to).
Maybe I am immature but does anyone else find the Hitachi Incident Response Team logo a bit amusing?
Pink hearts, yellow XSS, orange SQL, blue DoS and green overflows!
Just over ten years ago (95-09-15) *Hobbit* wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. *Hobbit* was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld’s version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat’s use and distribution.
Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, “is that to say that SYM bought a company known then for offering naughty things?” Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.
Also amusing are Symantec’s “technical details” for this “hacker tool”:
Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation.
When Hacktool.NetCat is executed, it performs the following actions:
1. Transmits data across network connections.
Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as “Hacktool.TCPIP” and label it a “High Risk Impact” if found on a system.
November 30th was National Computer Security Day. It came and went .. did you notice? I previously blogged about National Cyber Security Awareness Month, calling into question the value of awareness months of any kind. Awareness days are no different. As William Knowles said, “might have been national kick a penguin day, I wouldn’t have known any difference..“
Developers ‘should be liable’ for security holes
Tom Espiner, ZDNet UK
October 12, 2005, 12:15 BST
Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, former White House cybersecurity advisor, on Tuesday.
“In software development, we need to have personal quality assurances from developers that the code they write is secure,” said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.
October has been named “National Cyber Security Awareness Month” by some. From a news article about this:
New York State, the University of North Carolina and the city of Charlotte, N.C., are joining the Department of Homeland Security, the National Cyber Security Alliance and numerous companies from the computer security industry to promote educational initiatives and free software giveaways to encourage the adoption of good cyber security practices in small businesses and citizens’ homes.
While security alliances, states and cities are grabbing their pom-poms, i’ll play the role of cynic. This awareness month means nothing to security companies and software developers that practice good security year round. As the article says, this awareness month is for businesses and end users which is good in theory. But will it help? You can answer this yourself actually. Find a friend or neighbor and ask them what other things we are supposed to be ‘aware’ of in the month of October. If your friend can’t remind you that it is National Breast Cancer Awareness Month, Domestic Violence Awareness Month, Down Syndrome Awareness Month, National Disability Employment Awareness Month, Energy Awareness Month, or Lupus Awareness Month, then this awareness month may fail too. Did you know there were more? Check out this great list of “Bizzare, Crazy, Silly, Unknown Holidays & Observances in October”.