Blog

  • PHP Security Architecture

    [ EDIT: a comment I wrote in this entry referred to Laura Thomson as one of the reviewers of the OWASP Top 5 article. Although I have discussed other PHP related things with Laura, this article is not one of them. I’ve carefully reviewed my Sent folder during this time, and I’ve updated the reviewers in the article on the OWASP website. I apologize to Laura for bringing her into this sordid affair. ]

    I have a comprehensive PHP security architecture for PHP 6 I’ve been developing, which I wanted to present to Chris for his comment, and if he felt it was good, possibly then ask Rasmus and Andi for a beer or two whilst I am at OSCON.

    However, I’ve just had a very disturbing e-mail conversation with Stefan Esser, PHP security researcher, founder of Hardened PHP, and one of the initiators of security@php.net. He posted from his php.net address, so I imagine he was talking to us (as in OWASP) in his PHP security bod at large capacity, but I’m not sure.

I’m now basically convinced that there is just no point trying to make PHP safe. The people involved are too poisonous and arrogant to change, therefore PHP will not change and become safe. My architecture would be attacked viciously but nothing would be done to put something like it in place. And without a decent architecture (mine or someone else’s), PHP is no safer than it is today, which is to say – not safe at all unless you know what you’re doing and can control php.ini, something most shared host users do not have the luxury of.

The best bet for PHP is to kill it by letting the current development team make PHP 6.0 into even more of a niche than PHP 5.x is, and ensure that hosters become more and more locked into the insecure PHP 4.x. When the hosters get sick of rebuilding their virtual hosts all the time, it will become uneconomical to allow PHP to be on their hosts. They will take it off, and ask people to move to safer languages / frameworks.

    It’s time for PHP to die.

    Update… I’m not going to re-write history, so I’ve left the above text for you to see.

    However, it’s not fair to the PHP community that we security folks argue amongst ourselves whilst their apps continue to fall victim to the same attacks, time after time. I will spend more time on the architecture and create a BoF at the conference to present it after spreading it around my coterie of PHP friends for advice and comment. I’d love to have everyone who has been so passionate about this article come see us at OSCON and see what I have in mind.

  • OSCON 2006 – See you there!

    Just a quick note as to the quietness of the blog. I’m working on a few things:

    • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
    • doing demos for the above
    • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
    • reconstructing my work laptop
    • the OWASP membership packs and other executive director project items
    • administrating Aussieveedubbers
    • writing a fresh Ajaxy UltimaBB installer
    • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

    and plus Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

    See you at OSCON 2006.

    I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.

  • It doesn’t rain, it pours

As I was wondering how to force myself to sleep at 2.30 am as my body clock is still way out of whack from the unspeakable misery that is my throat, my fiancée Tanya had an anaphylactic reaction to something. After she tried all three methods of control, including an auto-injecting adrenaline monster needle, I had to zoom her to hospital. I was still suffering the full effects of laryngitis, extremely tired, and out in 7C weather wearing just shorts and a t-shirt, with nothing to read. But I’d do it all again.

    Our nearest hospital is Werribee Mercy hospital, about 5 km and around 5 or so minutes in the car. The hospital had nurses, but no doctors as they all called in sick, so emergency was shut down. Tanya’s breathing wasn’t improving. Although the nurses on duty tried to make things better, it looked as if the MICA dudes would have to intubate her whilst on the way to the next nearest hospital, some 15 km away.

    The care Tanya received from all concerned was great (except of course, the Werribee Mercy, where due to stupid laws prohibiting qualified nurses from prescribing anything, Tanya couldn’t be given anything until the MICA dudes arrived, even though this meant she might have choked to death). The nurses at the Mercy were clearly worried and got us out of there as quickly as they could. They shouldn’t have needed to. I feel sorry for them, as it’s not their fault Tanya’s recovery was made so much worse by unnecessarily and potentially fatal delays in treatment. It is pure and utter luck that Tanya survived this period – there were no drugs available for treatment (see the bit about no doctors!), and adrenaline to keep your heart going only helps if you can breathe.

    I rang her parents as I left Werribee Mercy, and they came as soon as they could, arriving at Western General shortly after I was allowed in to keep Tanya company.

    After getting to Western General at Footscray an hour after the attack had occurred at our place, Tanya received treatment, but was left on a trolley under bright neon lights all night – there literally is no other option at Western General. It’s a bit ancient, run down, crowded and primitive there. However, for the poor western suburbs, there is basically nowhere else.

    The triage area didn’t let Tanya’s parents in to see her until nearly 40 minutes after we arrived. I could see that Tanya was immensely relieved to see her folks, as I know I was. Tanya’s parents and I took turns staying with her in the very crowded and busy emergency department.

    However, at 6.30 am it was obvious I needed my drugs for my throat. So I had to go, even though I didn’t want to. I was extremely tired and so I drove very carefully. I got home at 7 am, showered, ate breakfast, and rang Tanya’s parents to check up on her condition. Luckily, Tanya had been moved to a recovery ward and was resting, so I took the opportunity to take some sleep.

I woke at 11 am with the sorest throat I’ve had in the course of my horrible illness, had a huge painful coughing fit and spent the next hour or so gagging in the bathroom. I wanted to go back to Tanya, but I knew I couldn’t do it. Luckily (for me!), Tanya rang and told me that a reporter would be speaking to her, and she would most likely appear on the news that night. I hadn’t realized a political football had been set in motion by *someone*, but it certainly wasn’t us.

    Tanya made the news: she was interviewed by Channel 9 for their main evening bulletin, and Channel 10 reported a slightly inaccurate version – she was never intubated. The Age also covered it here (“Furore over casualty closure”). Our phone was red hot for a while after the 6 pm news.

    However, it would have been nice to have doctors in an area where there’s upwards of 30,000 families relying upon their hospital. I just hope that this leads to changes that allow us to assume that our nearest hospital is safe to attend in an emergency. I know that the western suburbs seem like the wasteland to our medical fraternity, but it’s unacceptable to leave us all at risk just so they can live in Toorak or South Yarra. Now this thing is a political football, it should be sorted. But having worked in the health care industry for a while in the past, I am terribly cynical and know it will not be fixed. Our horrible episode will just be forgotten in a day or two, and nothing will change.

  • Not a well chappie

    I’ve got more stuff to go up here, but I’m not feeling very well.

On Sunday night in Steve’s flat in Munich, I felt a bit lightheaded after some decent wine and grappa. I put it down to that. I woke the next morning feeling very hot and flushed. I thought, bugger, what a hangover! I knew I needed some drugs, but it was a public holiday in Germany on Monday and every pharmacy I could see was shut. When we got to the airport, the pharmacy was on the inside, but no dice there either – they were shut.

When I got to Singapore, it was too short a stopover to try and get some drugs and plus, I didn’t want an ear temperature test keeping me in Singapore until they worked out what it is I have.

However, upon returning to Australia I was feeling less than stellar, so I went to bed, thinking I’d sleep it off. Not being shy of the GP, my lovely fiancée rang and was directed by my GP to make myself available at my local hospital’s emergency department at the earliest opportunity. Which is exactly what my fiancée and her mum did. I was groggy from the long flight and tired. They woke me up, drove me there, and we waited. And waited. And waited. I could have done with that sleep! Eventually, the drugs she plied me with kicked in, and we decided to head back to the GP, even though he was treating me like a leper who also had avian bird flu.

    A quick two minute exam – bronchitis. A short course of antibiotics, no alkyhol, and rest. Which is exactly what I feel like and have been doing. Except I should be at work today, and I should have been back in my own time zone. It’s 2.20 am, and I feel … well … up. Tired, crappy, and up.

    I’ll try staring at the bedroom ceiling and see if it helps.

  • Munich – Saturday (Deutsches Museum)

    We got up, had breakfast, and walked to the Deutsches Museum.

Unlike any other museum, this is a geek museum. It’s like geek heaven there. Except there’s so much to see and that entails a lot of walking. They have foot massagers, but they take 50 c coins, and I haven’t acquired any of those yet, only heaps of 20 euro cents.

    The first thing we checked out was the high energy lab, and that was amazing. Lots of noise, sparks and high energy!

    We took in (not nearly exhaustive to describe it!):

    • High energy lab
    • Planes, and lots of them!
    • Planetarium
    • Rockets, rockets, rockets!!!!!! And more rockets!
    • Chemistry … no explosions, doh!
    • Space exploration (astronautics)
    • Measurements and time
    • A temporary exhibition on German progress
    • Walked through the agricultural area, but checked out a complete house they’d reconstructed
    • A cave about neolithic art work. It was dark.
    • Nuclear physics and other physics
    • Paper and printing (look at real leading and type!)
    • Musical instruments (nearly missed out on this one, but it was awesome!)
    • Techno Toys – looking at all these early proto-legos from the late 19th century and early 20th century

    Check out the gallery of stuff here:

    After the techno toys, my feet were killing me, so we headed back to Steve’s place. We geeked out there for about an hour and watched a Coupling episode. I’d forgotten how cool that show is – I’ve only seen the one episode until then. Will need to get the DVDs when I get back to Australia.

    We had dinner at the Mexican restaurant near Steve’s friend Andi’s place. It was really good, particularly the half price Margaritas. Again, no Visa, and the prices at most European places are in ouchy land territory for earners in $AUD. At this stage, I’m nearly out of cash again. Need to find an ATM on Monday to deal with this if I run out of Steve’s hoard of cash (we’re trading at the correct rate, so he doesn’t need to be done over when he comes to Australia).

    Sloshed our way back to his place. Even at 10 pm, the public transport doesn’t take long, despite needing to change trains (and system) three times. You simply couldn’t rely on public transport in Melbourne to do this.

    We watched a few episodes of Coupling and I hit the sack.

  • Munich – Friday

    I landed in Munich and waited to pick up my luggage. The new airport feels like one big BMW ad. There’s BMW everywhere, so at least I had something to look at. Eventually my bag came, and I headed out. I met up with Steve Riehm, who is hosting me in Munich. When I was organizing the last minute trips, I did not know that Munich is hosting a goodly percentage of the soccer World Cup, so all the flights were full and mine was no exception. That’s why I had to travel to Munich a day earlier than I expected.

    The weather in Munich is even worse than that in St Anna, which is hard to top. Steve cranked on the heated seats in his beemer, and I was toasty in seconds. 🙂

    After dropping my crap at his place, we geeked around a bit and then headed into town for a look see. I took heaps of photos, which can be found in the Gallery, here:

    After walking around Munich for a few hours, my footsies were a bit sore. Luckily, there was a pub only a little distance away, so we ended up eating there, and again, I was surprised to find that Visa is not accepted widely in this fairly first world nation. Unbelievable. After a few really nice beers and some roast suckling pig and crackling (the Germans know how to do pork!), Steve bundled me home on the excellent public transport here. If only Melbourne had such good public transport!

    We traded Euros for Australian dollars as the Travellex rate was insanely bad. My normal savings card didn’t work here, despite the ATM I used having a Cirrus logo. So beware if you come from a place like Australia where everyone uses electronic cash and come to a place like Munich, where it’s hard to use your own money. I wonder how many tourists to the World Cup are going to be bitten … coming here with only a tad of real money like me, and expecting to use ATMs and EFTPOS as per normal.

    We watched a movie – Sky Captain and the World of Tomorrow. Awesome film noir / comic / kitsch. Get it!

  • Meeting up with the family

    On Thursday morning, I took the very reasonably priced train up to my family near St Nicklaas. It looks a long way on the map, but it’s only 40 or so km. Europe is compact that way. The weather is still crappy and it barely makes it above 10 C.

    Met up with Eddy at the train station, and we had a good old conversation about geeky stuff. Eddy is a funny bloke – he didn’t know where the coffee was, so he rang his sister, who popped over with some coffee and a filter. Then when his better half (Viviane) came home, she showed us where the coffee was… it was right in front of the cupboard. The shame of it! 🙂

    We had an awesome meal of witlof and ham and cheese sauce, much thanks to Viviane’s awesome cooking. Eddy broke out the wine, and we started getting merry.

    Those were taken around 7 pm… the sun finally came out, and it was still cold, but at least I’ve seen the sun whilst I was overseas! It’s supposedly summer, but it’s colder than Melbourne.

More family came around after dinner, and we had some awesome beer, West Vleteren. Eddy thinks it’s the best beer in the world, and I think he could very well be right. I stayed with the family overnight, pushing Michael out of his room. Sorry about that Michael! 🙂

In the morning, I left for Munich. Europe has awesome integrated public transport. Even though the train for the airport had been cancelled, I made my check-in at the airport with ages to spare. The new part of the airport is shiny and new. They really need to demolish the old bit as it makes a terrible impression, and I’m sure with 97 gates in the new bit, they can afford to get rid of the crusty old terminal.

  • Updated Ajax Security presentation

    I’ve updated the Ajax presentation to the slide deck I gave at OWASP EU. New pictures. More content. More size! (4.3 MB)

    Get it here:

    Ajax Security (4.3 MB PDF)

  • OWASP EU – Day 2

    Excellent day again.

    I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.


    – Leuven University

    The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. 🙁

    Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before in a DDoS attack, and it worked well.

    After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

    The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting Nessus or other tool output auto-gen’d from XML into PDF. I don’t pay by the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak 🙂) works for his customer, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard as Gunnar let people speak who had more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could get a word in edgeways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

    Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

    I think it was extremely valuable as a conference. If I can, I’ll be back next year.

  • OWASP EU: Day 1

    Great day yesterday.

    Dinis’ keynote went off great, but he got rid of all my images and loaded it up like an essay. Might need to encourage the OWASP presentation template to only contain a limited number of words per page, and increase the visual appeal of the slide pack. We don’t read slides, we present them.

    The panel I sat on after the keynote was amazing – Microsoft sent in a sacrificial victim in the form of Alex Lucas, and he did really well. The crowd was a bit restless, but honestly, I think they saw the light by the end. The funny thing was that Microsoft was arguing for more stringent safeguards than most of the panel members, but even more funny is that the panel members agreed with the SDL (for the most part). This got a laugh from the audience when it was brought up, but also demonstrates how far Microsoft has come over the last few years.

    Alex had a proof galley of the forthcoming SDL book from Lipner and Howard. I considered mugging Alex and stealing the book – it is totally awesome! This book is what everyone needs, particularly if you don’t have a strong security process today.

    I went to a bunch of presentations (including my own!), and learnt a lot. I was particularly freaked out by Amit Klein’s talk on HTTP Request / Response | Smuggling / Splitting and peripheral devices. Awesome research.

    My slides for my Ajax presentation are here.

    After the day finished, we had a chapter leads meeting, where we discussed what we want to do over the next twelve months. We prioritized, and I think it’s going to be great. I’ll blog more on this in the next few weeks.

    Last but not least, we had a fabulous dinner at the Faculty club. Leuven is very confusing, and the trip to the Faculty club was via taxi, leaving me confused where I was located. But that’s okay, a fine meal, good wine, and excellent company left me warm and fuzzy. I trundled into a taxi near 11 pm (when it was just going dark!) and made my way back to my hotel, where I promptly fell asleep.