Ed Finkler discusses Month Of PHP Bugs
Tuesday, May 1. 2007

Today I learned about a podcast interview of Ed Finkler, one of the members of the PHP Security Consortium. I listened to the first 30 minutes and was kinda bored because it was not really about PHP Security but about educating PHP developers, which is a subtopic of PHP Application Security, which itself is a subtopic of PHP Security. I already wanted to switch it off when at around 34:32 they started talking about the Month of PHP Bugs.
Comments
Sorry, but I never said that all members lie all the time.
However, in an inactive bunch like the PHP Security Team, when one person gives a statement and the others do not say anything against it, they are supporting it. Especially when it comes from a person working at Zend, the outside considers it an official statement. Besides the fact that members of the same team write blog entries or give interview statements with the goal of discrediting me.
posted on Tuesday, May 1. 2007
Chris, let's not confuse members of the PHP Security Consortium with the developers responsible for maintaining or fixing those parts of the PHP core which may be insecure. I've not heard of Ed Finkler before and I don't know whether he's one of the latter group (he may or may not be).
Ilia, for one, stated that he was interested in the results of the Month of Bugs. Indeed, a quick glance through them reveals that PHP 5.2.1 contains fixes for many of the problems Stephan and his team have discovered. I suppose that means that, contrary to many of Stephan's previous claims, the core devs do respond to his disclosures. (Either that or they've discovered them independently or had them brought to their attention by others. However, I tend to think that we can probably thank Stephan for indirectly making recent versions safer.)
>My advice to the members of the PHP Security Consortium is:
>You should use the time that you waste on interviewing each
>other or spreading anti Esser propaganda for actually contributing
>to PHP (Application) Security.
Shall we rephrase that? You should use the time that you waste on spreading anti-Shiflett propaganda actually contributing to PHP (Application) Security.
posted on Tuesday, May 1. 2007
David, first of all, I never ever spread a single line of anti-Shiflett propaganda. I am just listing facts that show his poor character and lack of competence.
Attacks are always coming from the side of the PHP Security Consortium, that tried breaking into Hardened-PHP servers, that was manipulating Wikipedia entries about us, that does not list our auditing service in their PHP Security resources because we demonstrated in public that their security guide has as many holes as Swiss cheese, that attacks us on mailing lists, ... The list of their attacks is nearly endless. And unfortunately you still don't get that PHP Security is mainly driven by me and the Hardened-PHP Project. We were babysitting the PHP developers for years, and if we stop doing this PHP will have a dark future of remote overflows... So telling me to spend more time on securing PHP must be a joke...
posted on Tuesday, May 1. 2007
>We were babysitting the PHP developers for years and if we
>stop doing this PHP will have a dark future of remote overflows...
Why do you bother? I can't remember a single time when you actually said you liked PHP (though I'd be happy to be shown that you did).
>So telling me to spend more time on securing PHP must be a
>joke...
Of course it's a joke. But your constant jibes against him reveal bad character. You're not content to merely "list facts" and point out his mistakes and leave it to your readers to judge... you have to attack the man and make derisive comments about him. As I've said in the past: ad hominem. I agree with Ed Finkler on this: if you behave in that way, you can't claim the moral high ground. And anyone else who's listened to the podcast will find that Finkler was pretty measured... he didn't even mention anyone's name! He didn't say you weren't worth talking about; rather he hesitated to respond to some of the questions he was asked and was at pains not to make personal attacks. Whatever else one might say about him and his expertise (or Shiflett for that matter), he's not out to pick a fight with you. If you must know, I think you're a complete arsehole (you can edit that out if you want ... it's your blog!), but I can put aside my personal feelings about your conduct and still admire the work you do... and even defend it on occasion (as I did above).
posted on Tuesday, May 1. 2007
David,
you must have heard a different podcast. Ed Finkler was accusing me the whole time of doing irresponsible disclosure and having chosen an immoral path. It does not matter that he has not called me by name, because everyone can look it up. From his answers it is also clear that he has not really followed the MOPB, because otherwise he would not have to guess how many bugs were previously mentioned to the PHP developers. It would really help a lot if people like him would not try to give comments about things they do not understand. And accusing me of personally attacking Shiflett is the next joke, isn't it? In reality it is more like the other way around... Oh, and about: Why do I bother... I bother because PHP was a lot of fun until the "We want to be enterprise" - "anti open source" attitude marched in.
posted on Tuesday, May 1. 2007
>accusing me of personally attacking Shiflett is the next joke
Look, you evidently and probably justifiably feel aggrieved, and I suppose it's hard to keep your feelings out of it. But that phrase "attack" makes it sound like a public exchange of words. Whereas the alleged actions against your servers, or the Wikipedia entry (or whatever else) were done without any exchange of words... they were covert.
>In reality it is more like the other way around...
No, it's not. You've made certain claims about him and he just doesn't engage with that at all and doesn't really say anything about you. (So much so that I was surprised that he had an exchange with you in a recent post on his blog.) Now, if you merely pointed out that his code had mistakes, or that some concept he was arguing was wrong, and left out all those comments about his being a "so-called" expert -- and that's the least vitriolic thing you've said -- I'd feel differently about you. Similarly, if you'd said something like "someone with the same IP as Chris Shiflett has used in such-and-such a forum has changed the Hardened PHP entry on Wikipedia" and nothing else. (Might have the details wrong, but you get the idea.) Short version: you are an enormously smart guy, but he's a better communicator. And if you want to be thought of as better than him, a bit of civil speech -- however hard that might be -- would help. The net effect might just be that your words are seen to be more noble than others' actions, therefore you appear to be a better person.
posted on Tuesday, May 1. 2007
David,
just by repeating it, it does not become true. When I disclosed the first holes in the PHP Security Guide he denied that they were real bugs and claimed that I simply do not understand the examples. You might get fooled by such "nice" words, but their real meaning is that he accused me of being too dumb to understand his examples, just to make everyone believe he is right. This is pretty much a personal attack and it was the beginning of his war against my person. And this is only one of several examples. A lot of the juice you will never read, because he only said it during conferences, but there are examples where he calls me dishonest and similar things on public mailing lists. So please get your facts straight.
posted on Tuesday, May 1. 2007
"Ed Finkler was accusing me the whole time of doing irresponsible disclosure and having chosen an immoral path."
You yourself admitted to irresponsible disclosure in reporting your "bonus" vulnerability in MOPB related to mod_security (which, of course, was not a PHP bug at all). Ivan Ristic stated in his blog: "And, for the record, I am not at all happy with the fact the issue was not disclosed to us in advance. We take security very seriously; a responsible disclosure would have allowed us to have an updated version of ModSecurity available for download at the same time as the disclosure." http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html
When you took your blog down to "deal with spam," the message you left up there stated that you knew you had made no attempt to contact him, and felt morally at ease with this. You subsequently deleted this message.
"What he fails to mention is however that half of the security bugs were released without prior notification of the PHP Security Team, because a member of the Team that also happens to work for Zend openly claimed on the PHP Internals mailinglist that he does not know about any security hole in PHP, while I had disclosed about 20 holes the 2 weeks before. When a vendor denies the existence of security holes and lies into the face of his users, he has voided all options of nice treatment."
So you're saying because one member of a large, fluid, volunteer development group made this statement, that justifies releasing over a dozen previously-unreported vulnerabilities? Hey, a manager at a grocery store could say it's impossible for people to break into the place, but that doesn't make it okay to start telling everyone I know how to steal their customers' credit card info. I'm sorry that you were frustrated by the pace of fixes by the PHP security group, and I'm sorry you felt that you did not receive enough credit for your contributions.
However, I do not believe that this justifies releasing vulnerability information without *any* attempt to inform the PHP development team, let alone an independent project that has nothing to do with PHP.
posted on Tuesday, May 1. 2007
I never said that I irresponsibly disclosed anything.
It is just your interpretation that I am irresponsible because I released a certain vulnerability in a different way than you want. Others might argue that releasing a web application firewall that is flawed by design and advertising it everywhere is irresponsible. Do you really believe the vulnerability I released is the only vulnerability in mod_security? And do you really believe I am the only one knowing about them? And you do realise that the PHP Security Team is not a large group of people but only a handful of people that should NOT deny the existence of security vulnerabilities. They are the persons responsible for dealing with security holes, and with behaviour like that it is no wonder how bad the reputation of PHP is.
posted on Tuesday, May 1. 2007
I would appreciate some clarification about what role you feel education plays in security. If developers were educated and did simple things like validate input... we'd all be more secure. This is something the manual has started to again take seriously so all help is appreciated. There were good points made on this topic in the interview, points I've taken to heart. The post here makes me feel as though you barely feel education is worth mentioning but I hope I'm misreading your words.
posted on Tuesday, May 1. 2007
Educating users is a subset of PHP Application Security, which is a little part of PHP Security.
I am kinda bored of all these pseudo PHP Security experts that may or may not have some skillz in PHP Application Security. Web Application Security experts are at least honest and do not claim to be Web Security experts, because these are two different things. And yes, education is important, but you don't educate the majority of users by speaking at expensive conferences. And you don't educate users with so-called PHP Security Guides or PHP Security Books that contain lots of very bad examples/recommendations.
posted on Tuesday, May 1. 2007
Philip Olson
Okay so you feel the current situation is not working... but do you have ideas for helping move the 'official' education process along? Specifically I refer to the PHP Manual because this topic is actively being thought about for the future but it can always use additional brain power. All helpful information is appreciated.
posted on Tuesday, May 1. 2007
I wish you good luck.
I will create more security education material (or participate in the creation) in the near future, but not if the result ends up on php.net.
posted on Tuesday, May 1. 2007
The phpsec.org articles are a good source of holes, I found one:
http://blog.flyspray.org/archives/7-Amusing-security-hole-in-Shifletts-security-guide.html
Later I found more that definitely renders this site an unreliable source for security advice. In the article http://phpsec.org/articles/2005/text-captcha.html see the section that follows "pear install Text_CAPTCHA" and you will find another nice XSS hole. http://phpsec.org/articles/2005/password-hashing.html has another XSS hole too, see the final "else" block under "Figure 2 Logging back in".
posted on Tuesday, May 1. 2007
Dude,
Speaking as a developer who naturally wants to have good resources for security and related info, I sometimes find myself interested in what you have to offer on the security front. But I'm constantly turned off by missives like this, where you come across as a petulant child wailing about how someone called you a bad name. If you want to spread your message clearly and effectively, I respectfully suggest that you need to stick to your message without getting sidetracked into this political and personal mess. posted on Tuesday, May 1. 2007
Nick,
I have the right to defend myself against the mobbing attacks and propaganda coming from the PHP Security Consortium and the PHP Security Team. If you deny me this right then please go away and read someone else's blog.
posted on Tuesday, May 1. 2007
First I would like to say that I have found this blog entertaining, informative and an excellent source of educational material.
As a PHP application developer I appreciate any effort to make PHP more secure, especially when those efforts are directed toward making the PHP core more secure. Everyone can argue over (ir)responsible disclosure or about morality, but it is all just noise, which distracts from the fact that the MOPB has caused the PHP core to become more secure. As for the interview referenced, I did find it interesting (and somewhat biased) that there was no focus on the effects of the MOPB; the only focus was on responsible disclosure. This subject could have been discussed without directly mentioning the MOPB or quoting the php-security.org website. To then immediately turn the discussion to Mr. Shiflett's disclosure of an Amazon vulnerability seemed to give this section of the interview even more of a slant. I am not saying that this was done on purpose, it is just my first impression.
posted on Wednesday, May 2. 2007
When Esser points out mistakes and names the names of people making those mistakes, he is right in doing so. PHP may be run by pros in "computer science", but too often they act as no other scientists would. It is quite correct to point out the hypocrisy of authors of books claiming to be about PHP security when they make basic mistakes. They enjoy the cachet of the title of Expert, but care too little for the responsibility. What of when the code in official PHP contains regressions that ought to be found? (Wouldn't you expect a well-run organisation of pros to be able to develop such testing?) What Esser is doing is called PEER REVIEW. A professional organisation would welcome his criticism, which is almost always on point. If PHP were run as well as its importance in the real world necessitates, it wouldn't need Esser to publicly drop the hammer from time to time.
posted on Saturday, May 5. 2007