OWASP Guide 2013 – Developers needed!

The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide.

The reality is our field is just too big to do big bang projects. We need to continuously update the Guide, and keep it watered and fresh. The Guide needs to become like a metaphorical 400 year old eucalypt, all twisty and turny, but continuously green and alive by the occasional rain fall, constant sunlight, and the occasional fire.

If you are a developer and have some spare cycles, you can make a difference to the Developer Guide. I need everyone who can to add at least a paragraph here and there. I will tend to your text and give it a single conceptual integrity and possibly a bit of a prune, but with many hands, we can get this thing done.

Why developers? Many security industry folks are NOT developers and can’t cut code. We need developers because we can teach you security, but it’s difficult to instil 3 years of post graduate study and a working life cutting code. I am not fussed about your platform. Great developers know multiple platforms, and have mastered at least a couple.

I am installing Atlassian’s Greenhopper agile project management tool to track the state of the OWASP Developer Guide 2013’s progress.

Feel free to join the mailing list, come say hi, and join in our next status meeting on Google+.

Speaking at Linux.conf.au 2013

I’m glad to say that I’ve been accepted to speak at linux.conf.au 2013.

My talk is how to apply the OWASP Developer Guide 2013 to your open source project.

The Open Web Application Security Project (OWASP) Developer Guide 2013 is coming soon. In this presentation, you’ll learn about the major revision to one of the major open source code hardening resources.

The new version will encompass not only web applications (although that is its primary focus), but also general advice for all languages, frameworks, and applications through the use of re-usable architecture, designs, patterns and practices that you can adopt in your code with a bit of thought.

Learn about:

  • The latest research in application security
  • How to apply new patterns to eliminate hundreds of security flaws in your apps, such as the bizarre world of race conditions, distributed and parallel artefacts. Few apps can afford to be single threaded any more, and yet these subtle flaws are easily prevented if you only knew how
  • Challenges of documenting bleeding edge practices in long lived documents
  • How to pull together a global open source document team whilst holding down a day job

If you code web apps, or write apps that need to be secure, this is a must attend presentation!

Come see me! Challenge me! Make the Guide better for non-web apps!

Shame, Slashdot, Shame – misogyny and moderation

Our industry suffers from a lack of women – women in senior positions are very rare, women who do what I do I can count on my hands without resorting to binary, and there are so few women coming out of Uni comp sci, developers and engineering courses that I can use and craft into my replacements.

IT needs women, and lots more of them, not only for the perspective they can bring to the table, but simply in the terrible truth that young women deciding on future careers at high school don’t see any future for themselves in our great industry, or any of the Science, Technology, Engineering or Medical research (STEM) subjects as a valid career choice.

There is so much to do to rectify this situation, not the least eliminating low hanging fruit, such as eliminating booth babes. I’ve heard lots of excuses, like:

  • “It’s a legal job, I don’t see the problem” (this one makes the least amount of sense)
  • “Everyone does it” (no, they most certainly don’t)

So when /. posts a story on what booth babes really think of us leering at them, you know it’s going to be a stinky disgusting mess, but you have to try to convert the heathens in any case.

I’ve been a Slashdot irregular for years. In 1999, the /. “community” said some disgusting things about Richard Stevens, the author of some of the (still) best Unix and TCP/IP books. I stopped going there every day after that shameful episode. I’ve not posted there since 2010, but I have /. in my RSS feed.

I have removed that feed today and I will be deleting my account shortly.


Many of you know my very low opinion of IT vendors who use booth babes at trade shows.

Update: I found this comment to a similar post last year just a few minutes ago:

Thanks for making the main point clear, I want to chime in here as a woman and someone who has represented my company from very early on at trade shows (and does to this day). In the telecom industry in particular these booth babes run rampant, they literally provide you with a form when you register to exhibit asking if you want to hire models.

At one event a couple years ago, a guy came over to talk with our CTO (a guy) and I and said point blank to me, “do you have an ownership stake in the company? if not, at least you’ve got one foot in the door to marry this guy?” Nevermind that I’m wearing my wedding ring! All I could do was paint a “go F&%$ yourself” smile on my face and wait for him to leave. The things I would have liked to say, but it just wasn’t worth it in that context.

The problem is, most people don’t walk up to me expecting me to know about APIs, building applications, solving problems specific to their industry or use case, how supply chain works, or anything else important to their business. This is perpetuated by booth babes. How do I know? If I dress in a frumpy or slightly less feminine style, instead of my normal stylish heels and a skirt suit, I get a different reaction. If I wear skinny jeans and flats and a tshirt or hoodie, look my age (early 20s) and have a self-effacing air, they think “oh she’s a nerdy girl” and then they ask the real questions. PUH-LEASE.

If you are a vendor, I have a very strict, and very long standing rule – if you use booth babes, I either don’t recommend you to my clients, or I actively campaign against you, and I will never, ever buy from you again. Such vendors have lost more than a $1m in recommendations from me alone in the last 10 years, and I doubt I am alone in my opinion of such appalling, women hating sales tactics.

So fast forward to today. I logged in after a few days to see if my romantic idealization of early Slashdot met up with even 1999 Slashdot low life scum. I was saddened and disappointed. I lost my decade long “excellent” karma rating to peer moderation, and it’s no surprise the peers at Slashdot hate women.

One of my posts had to get more than seven negative flamebait downward moderation clicks to get the score it finally received.

So let’s look at the quality gem of a reply that gets +5 moderation (errors in copy and paste I will leave to the troll, can’t even do that right):

“ook at my low user ID, I’ve been here for longer than some of you have been alive.”

No one cares. I’m probably the same age as you but I don’t go around pointing it out as if it somehow adds extra weight to the argument.

“I am literally white hot angry with whomever did it b”

You’ll get over it.

“f you have a daughter, I expect you’ll want her to be a geekgrrl. If you want that outcome, you will join me in boycotting booth babes.”

Actually if I had a daughter I’d let her do whatever she wanted. Unfortunately you obviously don’t realise it but you’re just another one of those self righteous prudish males who seem to think that women should only do the jobs YOU approve of. Newsflash pal – its the WOMEN who get to decide whether to do it , not people like you.

I suspect in another century you’d be at the pulpit foaming at the mouth and damning any woman who dared go out with an unmarried man or wear a short skirt or speak before a man gave her permission.

You know what – Fuck you and your kind.

From viol8, a 40-something troll programmer who lives and works somewhere in Europe (if he can be trusted to thump things into the post box), who comes across as an arrogant Australian or English ex pat. I can’t be arsed working out who he is any longer – he’s exactly like any number of the worthless women hating smegheads that infest slashdot.

It’s time to put /. out of its misery and terminal decline. It has been an irrelevant community for years, and now the cesspool is dead to me.

ajv (4061, ex-member /. 1997-2012)

Update: RSS feed – deleted. Twitter – unfollowed. Can I find how to delete my /. account, no I can’t. Help appreciated in the box below.

PCI DSS QSA vs ISA smack down

In his post “PCI’s Money Making Cash Cow”, Andrew Weidenhamer must have had a bad week of being challenged (or in his words, “bullied”) by a PCI DSS Internal Security Auditor (ISA). This is not acceptable, but QSAs must accept that their advice is there to help the organization become compliant, not to provide a cash cow of their own nor to be unchallenged.

Not knowing the specifics of the background that led to this article, I have to assume that the ISA has pushed back on one or more of:

  • Scope – this has traditionally been the QSA’s sole domain, and (uncharitably) they probably don’t want anyone else busting a move in their profitability zone.
  • Interpretation of the meaning of various clauses. I wrote the OWASP Top 10 2007, which was incorporated in the PCI DSS. I find it highly amusing to hear some of the “meanings” attributed to what I wrote.
  • Being forceful about adhering to the “intent” versus the “letter” of the PCI DSS. This is a problem where the standard has to be deliberately vague, but the Council should be open and honest about what they meant when they wrote it – do they mean a web app, or something else? The PCI DSS is highly focussed on web apps, not other apps. Trying to extend it is like extending a repair manual for a ship to a bus. They both have diesel engines, but you know it doesn’t work that way. Don’t force the issue if you don’t know.

Being in this space right now, I understand the issues here. There are several problems I hope the SSC will pick up and resolve in the next major overhaul of the standard.

  • Make the meaning of “in scope” and “out of scope” a great deal more tightly defined. The biggest problem in my view is it’s far too easy to drag in unrelated systems in a cloud / virtualized / management environments. I’m all for a solid ring fence, but to think the only way to do it is by layer two firewalls is farcical at best and destructive of the Council’s reputation at worst. Firewalls have their place, but as part of a wider set of more than adequate other controls, such as strong authentication, authorization, auditing and escalation. Let’s put it this way, I do nearly all my penetration tests over SSL and through firewalls and in direct view of IDS’s, and I still manage to have a very, very good time. If firewalls are all you’ve got, we’ve got it very, very wrong.
  • Leaving the QSA to determine the scope is inherently conflicted. They get a lot more money if they scope it conservatively (i.e. as many of the requirements as possible, and as many systems as possible), and there’s a lot of risk if they scope it to be minimal but to the letter of the standard. I strongly suggest SSC require tier one merchants hire two QSAs, one to find the information out and set the scope, and one to assess the desired scope and systems. Or work just like the internal audit versus external audit functions in the financial world, where the ISA’s output is treated as trustworthy and evaluated from time to time. Is either method perfect? No, but it’s a lot less conflicted than the current situation.
  • The glossary, the prioritized list, fact sheets, and PCI DSS for Dummies, what you heard on the community grapevine, or the guidelines ARE NOT the standard. They can be used to support an argument to do something in the spirit of the standard, but they are most certainly NOT the standard. QSAs – please understand unless you demonstrate that your reason for a “not in place” actually is required by one of the in scope requirements, then it’s not required to be in place. Is it a good idea? Almost certainly, but that’s a different standard.
  • Many folks need and want an Attestation of Compliance … but at what cost? The process of working through not getting an AoC is almost completely off the reservation. Most folks don’t even think about this third way, but it’s actually fairly likely. If your activities are all about getting an AoC at all costs, PCI DSS has failed to achieve a good balance. There are places for a black and white compliance standard, and there are places for risk based assessments. If it’s going to cost you $25m to fix a $25 a year problem, that’s a terrible, terrible outcome. I hope the SSC addresses this in the future, as many folks going through PCI DSS compliance will need an AoC but can’t get one because their QSA has said no for the most minor of reasons.
  • Make it easy for folks to ask questions directly to the council. Nearly all of the requirements are vague. One QSA might have been told one thing by the Council, and another has never come across it before, and you have two opinions, one right and one somewhat wrong. Too many times, an argument that goes on for weeks can be solved with a simple email to the Council. Channeling it through one side of the argument (the QSA) is inherently conflicted. Let’s be open and transparent in this process.

In my view, the best way to deal with a QSA is to be friendly, but make it known that you will challenge them in a collegiate way from time to time, and that there’s nothing personal about that challenge. The QSA may not understand the business or the technology, and they may have got it completely wrong.

On the other hand, you as an ISA or as a hiring company may not understand the intent or learnings of the Council, and need to get your house in order, which is far, far more likely.

PCI DSS does this in a very blunt, non risk assessed way. For the first time ever, someone with a bigger stick is holding you to account to do it the way you should have done it in the first place. There is simply NO EXCUSE for SQL injection or XSS in any app, let alone a payment app. However, so many of the requirements are vague and so open ended as to be nearly impossible to comply with unless you hoodwink the QSA. And that doesn’t serve the real purpose of this exercise.

QSAs who fear going to every meeting with you are not going to offer good advice. They won’t offer advice at all. It’s best to walk a very fine line: be friendly and learn all you can to get from A to B in the best way possible that achieves credit card security, but don’t be so chummy that you find it hard to say “no” when you need to say “no”.

My rule of thumb is that if you’re having a difficult conversation with your acquirer when you should have been having a difficult conversation with your developers, your marketers, your business or the QSA, then you’ve done it wrong. PCI DSS is here to save your bacon, not be a speed bump. However, there is much to improve in the QSA engagement process, mainly in my view to advance true independence of QSAs.

Fedora 17 install on VMWare Fusion 4 / Workstation 8

I am moving over to using Fedora from Ubuntu as I am helping out with the OLPC XS (School Server) on XO laptop effort, which is Fedora based. Fedora 17, codename The Beefy Miracle (seriously), has just been released, so it’s time to update my Linux development workstations.

Installing Fedora 17 in VMWare Fusion / VMWare Workstation 8

There are two problems with Fedora 17 and VMWare at the moment:

  • Fedora 17’s graphical installer on VMWare (and I’ve heard on Oracle VirtualBox too) does not show the Back / Next buttons. They are there and they work if you tab to them, but they are offscreen due to the video mode.
  • The next problem is that “Linux Easy Install” doesn’t work in VMWare Tools build 8.8.3 in the Fedora 17 guest. At all. Don’t use it, or you’ll end up in dracut debug shell purgatory after a “dracut Warning: Unable to process initqueue” message. The rest of the instructions here get you to where Easy install would have managed to get you anyway.

So to get through it, you can either run a text install that produces a very minimal install of Fedora (great for hardened servers like the XS!):

  • Boot from the ISO
  • Enter the troubleshooting menu
  • Press tab to bring up the linuz boot arguments
  • Delete the vesa arguments
  • Type in “text” on the end of the command line

or just use the graphical install…

  • If there’s only one control on screen, just press return and you can go to the next screen
  • If there are many controls on screen, press tab until the focus disappears, and then press tab one more time (moves from the hidden Back button to the hidden Next button) and then press return.

Updating Fedora to allow VMWare Tools compilation

Once you have Fedora installed, log in and open a terminal window:

sudo yum update
sudo reboot
sudo yum install kernel-devel kernel-headers gcc make

Installing VMWare Tools

Now you’re ready to install the VMWare Tools

  • Virtual Machine -> Install VMWare Tools. Unfortunately, F17 now mounts CD ROMs in a user specific location (/run/media/<username>/<volume name>), so you need to know your username if the instructions below don’t work
  • Open a terminal
tar zxf /run/media/`whoami`/VMware\ Tools/VMw*.tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl

NB: With tools build 8.8.3, there will be compilation errors until an update for the tools is released by VMware, but enough modules will compile to allow you to use shared folders, have auto-resizing monitors, working cut-n-paste, and a few of the other things that make running the tools worthwhile. Drag and drop doesn’t work yet.

Log out and then restart the system to enable the tools. If you’re text only,

sudo reboot

will do the trick.

You are welcome!

On penetration testing – harmful?

Over at Sensepost Security, there’s a new blog entry wondering about Haroon Meer’s talk “Penetration Testing Considered Harmful”. Those who know me know that I’ve had this view for a very long time. I’m sure you could find a few posts in this blog.

Security has to be an intrinsic element of every system, or else it will be insecure. Penetration testing as a sole activity and piece of assurance evidence makes security appear on the fringes of the development, something that you pass or fail, something to be commoditized, a box to be ticked, and ultimately ignored. Penetration testing as is done by most in our industry is incredibly harmful. It’s a waste of investment to most organizations, and they know it so they try to minimize wastage by minimizing the scope, the time, and poo-pooing the outcomes.

Penetration testing should be a part of a wider set of security activities, a verification of all that came before. All too often, we come across clients who want to do a one or two day test the day before go-live. They’ve done nothing else, and when you completely pwn them, they’re terribly surprised and upset.

We need to move on to make penetration testing the same as unit testing – a core part of the overall software engineering of every application.

Penetration testing should never be ill informed (zero knowledge tests are harmful and a WAFTAM for all concerned), and it should have access to source, the project, and all documentation. Otherwise, you’re wasting the client’s money up against the wall and acting unethically in my view.

Tests should come from the risk register maintained by the project (you do have one of those, right?), as well as the use cases (the little cards on the wall) as well as from the OWASP ASVS / Testing Guides. More focus must be made on access control testing and business logic testing.

Penetration testing has become vulnerability assessment – run a tool, drool, re-write the tool’s results into a report, deliver. No! Write Selenium tasks and automate it. If you’re not automating your pentests, how can your customers repeat your work? Test for it? They should be taught how to do it.

Folks at consultancies will shriek away in horror at my suggestion, but getting embedded is actually a good thing. Instead of hearing from a client once in a blue moon, you’re integrated into the birth and growth of software. This is a huge win for our clients and the overall security of software.
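An added example, not from the original post: access control findings captured as a test matrix that a client can rerun like unit tests, with one row per risk register entry. The handlers, users, invoice data and RR-xx ids are constructed for illustration, and an in-process function stands in for the Selenium-driven requests suggested above.

```python
import copy
from dataclasses import dataclass

# Constructed sample data: two customers' invoices.
SEED_INVOICES = {
    101: {"owner": "alice", "total": 250},
    102: {"owner": "bob", "total": 990},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer", "support" or "admin"


ALICE = User("alice", "customer")
SUPPORT = User("sam", "support")
ADMIN = User("dana", "admin")


def handle_vulnerable(store, user, action, invoice_id):
    """Checks login only: the UI hides other customers' invoices and the
    delete button, but the server enforces neither."""
    if user is None:
        return 401
    if invoice_id not in store:
        return 404
    if action == "delete":
        del store[invoice_id]
    return 200


def handle_hardened(store, user, action, invoice_id):
    """Enforces ownership and role on the server for every request."""
    if user is None:
        return 401
    invoice = store.get(invoice_id)
    may_read = invoice is not None and (
        user.role in ("support", "admin") or invoice["owner"] == user.name
    )
    if not may_read:
        return 404  # same answer for "missing" and "not yours"
    if action == "delete":
        if user.role != "admin":
            return 403
        del store[invoice_id]
    return 200


# One row per risk register entry (ids are hypothetical):
# (risk id, actor, action, invoice id, expected status)
ACCESS_MATRIX = [
    ("RR-01", None, "read", 101, 401),       # anonymous request
    ("RR-02", ALICE, "read", 101, 200),      # own invoice
    ("RR-03", ALICE, "read", 102, 404),      # another customer's invoice
    ("RR-04", SUPPORT, "read", 102, 200),    # support may read all
    ("RR-05", ALICE, "delete", 101, 403),    # customer may not delete
    ("RR-06", SUPPORT, "delete", 102, 403),  # support may not delete
    ("RR-07", ADMIN, "delete", 102, 200),    # admin may delete
    ("RR-08", ALICE, "read", 999, 404),      # nonexistent invoice
]


def run_matrix(handler):
    """Replay every row against a fresh store; return the rows that fail."""
    failures = []
    for risk_id, actor, action, invoice_id, expected in ACCESS_MATRIX:
        store = copy.deepcopy(SEED_INVOICES)
        status = handler(store, actor, action, invoice_id)
        # A refused request must also leave the data untouched.
        changed_on_refusal = status != 200 and store != SEED_INVOICES
        if status != expected or changed_on_refusal:
            failures.append((risk_id, expected, status))
    return failures


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("hardened", handle_hardened)):
        print(name, run_matrix(handler) or "all rows pass")
```

Each failing row names the risk it came from, so the same matrix serves as the finding, the retest and the regression check.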

OWASP Development Guide – what do you want in, and what do you want out?

It’s time to do some curating of the OWASP Developer Guide. This is where my tastes meet the community’s – what do you want in the Guide, and what do you want out of the guide?

As much as I want to be comprehensive, there is a real risk that an 800 page book would never be read. There ARE easter eggs in the Guide that no one has found or bothered to e-mail me about yet, so I know it’s not being read widely.

I want to ensure the Guide is used, in a way that the OWASP Top 10 and ESAPI are used daily throughout our industry.

  • What would you like to see IN the Guide? Why?
  • What would you like to see OUT of the Guide? Why?

Let me know by June. I’ll be sure to share your thoughts with the Developer Guide mail list.

OWASP Guide 2013 Development

It’s been nearly seven years since I finished the herculean effort of holding down a day job and leading, editing or excising the existing material, cat herding all the collaborators, and writing a goodly portion of the OWASP Developer Guide 2.0.

I finished PDFing 2.0 around 4.30 am and pushed it to the OWASP website. I was rush packing for BlackHat as my plane was due to depart at 11 am. I checked my mail as I was shutting down my home lab, and got a last minute set of edits from Michael Howard on the crypto chapter (which is definitely not my strong suit). So I fired up Word again, made the changes, and issued 2.0.1 in Word and PDF format pretty much just as I had to walk out the door to catch the plane.

That was the last time the Guide was formally issued.

It’s time to pick up the whip, and dip the pen in the inkwell (well, TextMate this time – we are working in Wiki format at Google Code).

I plan to write at least one blog entry a week to describe how we are going. I am determined this time to not write > 80% of the content. I simply don’t have the time, and honestly, if we’re going to do this before 2.0 can vote, I really need helpers.

The first steps have been put into place:

  • Put out a mail to the Guide mail list asking if I can take over
  • Got a bunch of public and private e-mails saying yes, plus most pleasing to me of all – offers of help!
  • Got an e-mail from Vishal Garg, the previous leader – 1, saying that he had actually stood down last year (!)
  • Got an e-mail from Abraham Kang, the previous leader, saying that he would be happy to co-lead with me (awesome!)
  • Asked the Global Projects Committee to assign the project to me, along with a PM. I’ve not heard back from them, but at this stage, I’m happy to do first, apologise later.

Current status

I’ve been reading the current materials out of the SVN repo. Oh wow. So much work to do. My plan is to use a few hours each day to write a precis of what I have in mind for each section, and then farm out the work to all those who volunteered.

I have to make a few basic executive decisions. These help get the project re-oriented in the right way, so as to encourage lateral thinking about some of the hardest topics in our industry. I need the Guide to lead the charge against group think that XSS or SQL injection is insolvable, or that (weak) passwords will be with us forever. Other decisions are just necessary for logistical reasons. I will try to make as few unilateral decisions as possible.

First executive decision: We cannot possibly know what will be the new hotness.

Developers are a creative and fickle bunch. Business would love us to code everything in COBOL or VB … or Java, but that’s not how the game is played. Freaking awesome developers (the taste makers) choose new and interesting things to them at least once or twice a year or more. A pool of talent builds behind the cooler / better marketed languages / frameworks. Not knowing what will be the next new hotness is my only real assumption whilst we develop the new version of the Guide. 

During Guide 2.0 development, classic ASP was winning the battle over ASP.NET, PHP was very popular and very insecure, and J2EE was just starting the process of moving from Struts 1.x to Spring, modulo a dead end or two (JSR-168 comes to mind). Ruby on Rails was a brand new plaything with a few fervent supporters. How times have changed.

What hasn’t changed are the underlying principles of web application security. I don’t care if you are writing in technologies like Ajax, GWT, Ruby on Rails, Haskell, or you’ve moved to a web flow type model – we know what works and what doesn’t, and to a large extent, it’s in the existing Guide 2.0.

So I want to move the Guide up a level to be a hybrid architecture / detailed design guide, rather than an implementation guide, a set of repeatable architectural / design patterns that are easily adaptable and applicable cross-language, cross-framework, and be aware of new fads that come and go without knowing exactly what they are.

Second Executive Decision: Diagrams must not suck

The Guide has always needed a lot more diagrams than it has. The diagrams I drew back in 2004 and 2005 … suck. I have the originals here, but honestly, I don’t feel we should re-use them.

I will be approaching the Projects committee to find us a good graphic designer to give a cohesive design language for us to do the diagrams in, or simply farm out our hand drawn diagrams to someone who can do them all in the one style in a way that looks good in the Wiki, Word, iPad and PDF versions of the Guide.

In the meantime, I will hand draw and photograph the diagrams I have in mind and include them in the wiki as markup. That way, we’re not spending hours in a diagramming tool when we really need to be writing at this stage.

Third executive decision: Distributed computing

In 2005, the problem of race conditions in web apps was only really in J2EE web apps that did very wrong but very arcane things. I had planned for 2.0 (and then 2.1) to include a distributed computing chapter that discussed race conditions, but it’s time to include a detailed discussion on asynchronous, distributed computing: i.e. cloud computing.

Not only do we need to take into account the many threads / cores of a typical processor today, thus meaning that any server worth its salt will have multi-threading issues, there are parallel languages (F# with the parallel extensions to .NET, and Go for two), and there is Ajax and all the multitude of frameworks that support asynchrony. I don’t want to forget the oldest of them all – batch and background processes that can still produce surprising results.

So it’s time to bring this bunch of issues to the forefront, because the cloud genie is out of the bottle, Ajax is well and truly plastered all over the Internet, and if there’s ever a new single core CPU running a new single threaded OS ever again, I’d be immensely surprised.

Where to from here?

It’s time to gather the offers for support and start to build a road map, and build consensus on where we should be going. In my view, we need to and indeed must lead the industry by at least two-three years to be relevant on day one of our launch. 2.0 was ahead of its time, but only just, and in the last seven years, my lack of foresight / bravery in targeting the absolutely crazy bleeding edge meant irrelevance by 2008 at the latest.

If you want to help, please join the mail list and please offer your services. It’s time to get OWASP Developer Guide 2013 going again.

Safety culture – let’s add it

Last year, I was at a site which took safety very, very seriously. On the wall in a break room was a poster with several steps that I think we in the security industry could learn from:

  • Eliminate the risk. In this case, if you see a risk and it has a known solution, that should be done. For example, with SQL injection and XSS, we know the solution. There simply is no excuse. If you don’t know about SQL injection, XSS, or even input validation, then you shouldn’t be writing software. It really is that simple.
  • Engineer the risk. If the risk is too hard to eliminate, then workarounds should be created to reduce the risk to acceptable levels. To do this means you are aware of the risk, and that you know how to address the risks in at least one way. If you cannot do this, you should not be in our industry.
  • Operating procedures. Systems languages do useful things, and useful things include shooting yourself in the foot with the safety off. Learning how to write safe useful code is vital (i.e. don’t create a system that has “Okay” for “Destroy data”). All useful systems must be operated safely, and this means skilled and trained system administrators and highly practiced procedures. You cannot legally outsource responsibility for your risk (otherwise contract killings would be acceptable), and thus you cannot expect low skill, low cost operators to manage something that is vital to your business.
  • Involve everyone in safety. If it’s going to happen to you, at least let folks participate in the process. In this case, consider a security@example.com, risk register, and so on.
  • Wear protective equipment (hard hats, etc). All I know is that we let folks with no experience use computers. If we want to continue doing this, then …
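The first two steps of the poster applied to SQL injection, as an added example that is not from the original post: a bound parameter eliminates the risk, and a SQLite authorizer engineers it down for query code that cannot be rewritten yet. The tables, data and inputs are constructed, and the authorizer policy is an assumption about what a lookup-only connection needs.

```python
import sqlite3

ALLOWED_TABLE = "users"


def read_only_users(action, arg1, arg2, db_name, source):
    """Authorizer: permit SELECT statements that read only the users table."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == ALLOWED_TABLE:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, schema changes, other tables


def make_db(contained=False):
    """Build a constructed in-memory database; optionally fence it in."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.com');
        INSERT INTO users VALUES ('bob', 'bob@example.com');
        CREATE TABLE api_keys (secret TEXT);
        INSERT INTO api_keys VALUES ('CONSTRUCTED-KEY');
    """)
    if contained:
        conn.set_authorizer(read_only_users)
    return conn


def lookup_concat(conn, name):
    """Risk present: user input is pasted into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Eliminate: the input is bound as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def attempt(lookup, conn, name):
    """Run a lookup; report a statement the authorizer refused as 'denied'."""
    try:
        return lookup(conn, name)
    except sqlite3.DatabaseError:
        return "denied"


# Constructed inputs of the kind a tester would submit in the name field.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT secret FROM api_keys --"

if __name__ == "__main__":
    for label, value in (("tautology", TAUTOLOGY), ("union", UNION_READ)):
        print(label, "concat:", attempt(lookup_concat, make_db(), value))
        print(label, "bound:", attempt(lookup_bound, make_db(), value))
        print(label, "contained concat:",
              attempt(lookup_concat, make_db(contained=True), value))
```

Containment stops the read of the second table but the tautology still returns every row of `users`, which is why the poster lists elimination first.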

Political expediency

Last week, Julia Gillard listened to Clubs Australia and the few voters out at Rooty Hill RSL rather than do the right thing and fix problem gambling. In her announcement, she used the code word “gaming”, which is industry speak that doesn’t like to be called “gambling”. By using this special phrase, it’s obvious that for-profit gambling is more important to her than the lives of problem gamblers and society’s fabric, particularly those who are close to problem gamblers.

The problem isn’t the little flutters that most of us have from time to time, it’s the problem gamblers who form much of the industry’s profits. The for-profit firms have shown no mercy in their campaign to get rid of gambling reform. They succeeded.

The problem is the ALP now sways in the wind to the tune of vested interests rather than the public good. Whitlam didn’t give up on creating Medicare just because the AMA was against it. Hawke and Keating didn’t give up on monetary reform, such as floating the dollar or removing trade barriers that have made us far richer, just because the unions were against it.

The ALP will be in the wilderness for a very long time after the next election. They can’t rule by themselves for many years because they have given up on traditional ALP values, and abandoned and cast off a good percentage of their party support base to the Greens.

If the ALP wants to govern again, it needs to get some vision aligned with its core values, and do it. Kicking refugees, dropping gambling reform, and working against gay marriage are none of these things. Once Craig Thompson has gone (and although I reckon he will hang on until convicted, he surely will be forced to go), the ALP will feel the full wrath of its core voters.