|
|
BugTraq
new linux malware Feb 18 2006 10:40PM Gadi Evron (ge linuxbox org) (2 replies) Re: new linux malware Feb 20 2006 04:57PM Christine Kronberg (Christine_Kronberg genua de) (1 replies) PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 20 2006 08:22PM Gadi Evron (ge linuxbox org) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Dec 30 2006 10:00PM Kevin Waterson (kevin oceania net) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 05:53PM Bill Nash (billn billn net) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:00PM Tino Wildenhain (tino wildenhain de) (1 replies) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:31PM Jim Harrison (Jim isatools org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 10:37PM Dana Hudes (dhudes hudes org) (1 replies) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 12:02AM Jim Harrison (Jim isatools org) (2 replies) Re: PHP as a secure language? PHP worms? Jan 02 2007 12:01PM Duncan Simpson (dps simpson demon co uk) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 10:58AM Darren Reed (avalon caligula anu edu au) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 03:16PM Dana Hudes (dhudes hudes org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:48PM Lawrence Paul MacIntyre (macintyrelp ornl gov) RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 02:15PM Jim Harrison (Jim isatools org) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 22 2006 10:48AM Kevin Waterson (kevin oceania net) (2 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:13PM Matthew Schiros (schiros gmail com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:26PM L. Adrian Griffis (agriffis dstsystems com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:50PM Matthew Schiros (schiros gmail com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 04:21PM L. Adrian Griffis (agriffis dstsystems com) (1 replies) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 05:55PM Matthew Schiros (schiros gmail com) Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:07PM Jamie Riden (jamie riden gmail com) Re: new linux malware Feb 20 2006 04:24PM Marco Monicelli (marco monicelli marcegaglia com) (1 replies) |
|
Privacy Statement |
>
> No; this wasn't flame-bait, although I'd be silly not to expect some.
> Let me make my position clear; the goals of secure coding and secure
> languages are both grand and well worth the time spent.
>
> There are two primary factors which make this an impossible task:
>
> 1. "secure" is moving, contextual target. That which is deemed "secure"
> by today's standards will be "just ok" or "watta joke" by future
> evaluators. What is good enough for Joe's Garage won't even make it in
> the door of Fred's Bank (3 anti-social points for each reference),
> although some could argue that Joe's security requirements should equal
> Fred's, since they both pin their business on it.
This discussion is about secure programming and the problems related
to PHP. Your comment has nothing to do with either except to state
that what is considered secure by two different environments are
actually different (big deal.)
> 2. Until the human factor is removed from both, mistakes and simple
> ignorance will always render them both "less than secure" in any
> context. This is the core of my argument.
>
> Again; I agree with and fully support the effort. What I'm trying to
> point out is the literal impossibility of actually achieving "genuine
> security" in either our code or the languages it's written in.
Well given that the ultimate root of any invention is going to be
human, you're saying "genuine security" is impossible.
I'm quite confident that someone could develop a very secure
interpreted language. It might not do a lot, but it could easily
be done (even if only to prove you wrong) - if one doesn't already
exist. I could probably even prove a case with /bin/sh.
The problem we have right now is that the language commonly used for
dynamic web pages on non-Microsoft platforms is PHP and that this has
not been engineered *for security*.
The goal of a language such as PHP should be to make it possible
to do what is required without the person using it needing to know
anything about security or secure programming practices. Just as
people using perl generally don't need to worry about buffer
overflows, why should people using PHP need to worry about SQL
escapes and filepath issues? They shouldn't.
Darren
[ reply ]