Profile picture
Scott Arciszewski @CiPHPerCoder
, 30 tweets, 5 min read Read on Twitter
I've drafted several blog posts in the past week and scrapped them all. None of them feel important enough to write about, let alone publish.
This isn't coming from a position of writer's block. This is coming from a position of empathy. Time is precious, and I hate to waste anyone's.
Application security: I don't know whether it's better classified as "poorly understood" or "underappreciated".
But when you look at information security as a whole, it's woefully underappreciated, even if you count all the vendor bullshit and cold sales calls.
There wouldn't be a need for sales/marketing to cling to buzzwords and manufacture hype if the world at large already appreciated what we do for them.
And then when you encounter situations like @Equifax, the insult compounds atop the injury.

"Nothing we do matters, egregious acts of negligence that harmed millions of us are met with no real consequences."
So if that's true: What does matter? This isn't a rhetorical question.
In application security land, I've been fighting for years to improve the PHP ecosystem. I even rewrote most of libsodium in PHP (as insane as that sounds) just so WordPress (which pathologically refuses to bump their min PHP version) could sign their updates.
I probably still would've written sodium_compat regardless, however, I wouldn't have included PHP 5.2 support if it weren't for WordPress.
Why? Because it's a huge fucking threat to the stability of the Internet.

You try blocking a DDoS that consist of ~27% of the websites on the Internet.
Imagine circa-2012 Anonymous getting their hands on enough 0days (or getting lucky and discovering enough misconfigurations) to get into the update server for WordPress and poisoning the update file with their malware.

That's a very basic supply-chain attack.
I don't particularly care about WordPress as a product. I do care about all of the people that depend on it directly, and the fact that they're a single popped server away from being a source of disaster for the Internet.
WordPress's automatic update feature can be a boon for security: It stops 1day vulnerabilities from being massively exploited by skiddies.

However, as implemented today, it's far too dangerous to ignore. And ignore is exactly what WordPress has been doing.
Not only did I rewrite a cryptography library to help solve this problem, I also wrote the patches to the WordPress core that would use this library to add code-signing (the first step in making their infrastructure not a single point of failure).

Proof: core.trac.wordpress.org/ticket/39309
I did all of that, and was met with silence. Others have come forward with suggestions for stoking a fire under the butts of the people who have the power to make decisions, I point to instances where I did what they suggest months/years ago with no positive outcome.
The reason WordPress hasn't solved this problem isn't because it would be a huge time/personnel demand on their end. The solution is on their public issue tracker, ffs!
The reason is simple: They don't give a shit.

And we can't afford to not give a shit about WordPress in return. They're too big to fail, and I don't envy anyone who ever has to clean a botnet of that magnitude.
What can we do?

Other than apply economic pressure to Automattic (the company that employs most of the WP org core committers, paid for by WP com, and has the lion's share of the political power over the WP org community), I'm fresh out of ideas.
It bears repeating and emphasizing:

The work was done for them.
The fucking work was done for them.
The work was fucking done for them.
There are other options, of course, but those are criminal, so don't even think about doing any of them. Just, NO.
It's really hard to write about topics as banal as "how type-safety relates to software security, with examples in PHP" when this Sword of Damocles hangs over us all, and the fools propping it up remain silent.
#39309 remains unfixed. As long as this is true, but Automattic's revenue continues to grow, every network on the Internet should consider itself at risk.
I think I've done everything I can do.

I'm going to stop trying and caring so much about what happens to WordPress, even if a disaster is impending due to a sleeping conductor.
Instead, I'm going to focus more of my time and energy on getting CMS Airship v2 ready to release. If anyone wants to help make this into a viable and seamless replacement for WordPress, let's knock their market share down a few pegs.
I'm not an artist, nor am I skilled at UI/UX. If you know much about these subjects, chances are you're far better than myself.

Please consider making Airship less ugly. github.com/paragonie/airs…
On the milestone for version 2:

- MySQL/MariaDB support
- Seamless migration and data imports from existing blog platforms (including WordPress)
I've suspended any notions of a set "release date" in favor of making sure it's ready for production when the time comes.
CMS Airship might not be able to make a large dent into WordPress's terrifying market share, but for anyone who migrates, your safety and privacy will always be priority #1, and not take a backseat to a shiny WYSIWYG editor.
Looking elsewhere in the PHP ecosystem for mistakes to avoid, I seek to create a culture that fosters personal growth and diversity.

Such a culture precludes indulging in behavior like this: medium.com/valley-of-the-…
If you've read this entire thread, thank you for bearing with me. I have a lot of work before me, but I'd like to think that at the very least my effort won't be wasted (as it is with WordPress).
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Scott Arciszewski
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @CiPHPerCoder see all

Profile picture
Want to make PHP's exceptions more helpful to your users, even if they're speaking to it over a JSON API or command line script? github.com/paragonie/corn…
Note: v1.x of this library targets EOL versions of PHP. You'll ideally want to use version 2 at a minimum.

But anyway, consider this a holiday gift to the PHP community. (I might have proposed it to FIG, if I were a member, and wasn't wary of endless bikeshedding.)
So what does Corner do? It transforms thorny corner-case errors into something that developers will find more useful.

It was inspired by this tweet:
Read 6 tweets
Profile picture
Fun activity:

Go through the plugins/extensions/whathaveyou for your favorite CMS/framework (especially eCommerce) and see which ones disable certificate validation for HTTPS requests.

paragonie.com/blog/2017/10/c…
Plugins for payment gateways that disable either are worth 5 points, unless they disable both, in which case they're worth 20 points.
If you expected to not find anything, well, I hope you didn't bet the farm on that:

Read 11 tweets
Profile picture
Let's talk about some of the open source libraries that @ParagonIE has created over the years to make it easier to make secure PHP applications.

paragonie.com/software
First, the polyfill libraries:

random_compat exists so that your framework can use the newer PHP 7 CSPRNG API even if they support PHP 5. It's used by a lot of projects, including WordPress.

github.com/paragonie/rand…
In a similar spirit, sodium_compat reimplements (most of) libsodium in pure PHP, and even supports 32-bit operating systems. Its purpose is to help projects transition toward PHP 7.2+ support.

github.com/paragonie/sodi…
Read 16 tweets

Related threads

Profile picture
Every.
Damn.
Time.

Right after huge movement in SpyGate, such as, let's say, John Solomon at the Hill dropping the bombshell about Flynn & the DIA [foreshadowed by my column this week] the fear porn starts right up again.

theepochtimes.com/stunning-devel…
You just found out this week a REAL REPORTER who keeps breaking real news based on real sources has new evidence that Flynn was working with/briefing the DIA and here comes the usual suspects dropping a ton of "Huber/Horowitz are deep state" fear porn on you.
I'm not the only one who's noticed this pattern.

1) Revelation is made {McCabe grand jury, Clinton Email reopenend, Flynn DIA info, etc. ]
2) Immediate push back from those who push the narrative nothing's really happening/going to happen.

Several other researchers see it.
Read 32 tweets
Profile picture
At oral arguments today in Syed v. State, the State, once again, brought up its bogus Ja'uan claims. Since the State has already successfully convinced one judge to believe its made-up theory, its worth debunking again.
Judge Graeff, in her dissent from the Court of Special Appeals decision, accepted Thiru's story that Adnan's attorney had evidence from which she could have reasonably concluded that Adnan had asked Asia McClain to provide a false alibi for him.
First, Judge Graeff was wrong to believe Thiru's claim that this was based on "police records to which trial counsel had access."

They were not. The State's Ja'uan story is based on police notes never handed over to trial counsel. They were obtained a few years ago through MPIA.
Read 14 tweets
Profile picture
Interesting to see how it's just as UK debate sits down for a bit on Brexit, to recover from conference season, negotiations w EU step up
If past fortnight has been about domestic management, then coming fortnight will be about UK working w EU to find ways to get mvt on WA/PD
Because of that hiatus after Salzburg, there's now v.little time left to achieve mvt in time for Oct #EUCO, hence the rush now
Read 11 tweets
Profile picture
THREAD: A few of us have been raising questions about some of the writings of Tim Clinton. Most notably, @wthrockmorton has several blog posts you can find here: wthrockmorton.com/tag/tim-clinto…. I’m still surprised more people aren’t asking more questions.
And I’m disappointed Dr. Clinton hasn’t given a more satisfactory response.
Here’s why this is a significant issue for me. Dr. Clinton has considerable influence. He is the President of the American Association of Christian Counselors. It is the largest organization of its kind.
Read 91 tweets
Profile picture
Ok, so as promised to @deficitowls and @txex, it’s time for a thread on MMT! My purpose here was to (in good faith) read as much MMT literature as I could bear, and to respond beyond the usual “this is meaningless quackery” many academic economists offer. 1/N
Let’s start with my reading list. Several blog posts from neweconomicperspectives.org like the MMT Primer, Huang’s Essays in Monetary Theory and Policy, and Tymoigne’s Money and Banking; also Warren Mosler’s “7 Deadly Innocent Frauds”, in addition to many others. 2/N
I want to start from the outset by saying I am NOT a macroeconomist. I say that as both as caution and critique. It is a caution because I am reticent to step outside the lanes of my training into commenting authoritatively in which I have limited advanced training. 3/N
Read 13 tweets
Profile picture
(THREAD) THE “PEE-TAPE” EXISTS.

Here’s why we can be sure that it does.

(Whether anyone outside the Kremlin will ever see it is another question entirely.)
“One of the questions [Steve] Colbert asked his Russian handler, who was ex-KGB back when it was the KGB, was would a tape have been made? It is considered standard practice, he was informed…” tinyurl.com/yc4nyota
1/ To see that the Steele dossier’s narrative of Trump-Russia collusion is undoubtedly correct, all we have to do is understand what, on a close reading, memos #080 and #095 actually tell us. tinyurl.com/znm89bc
Read 220 tweets

Trending hashtags

#none #resistance #TheocracyAlert #MondayMotivation #SinCity #ChurchToo #SimpsonsFamilyPortrait #publichealth #Haw_HawedCouple #WereSendingOurLoveDowntheWell #day1 #GoodbyeDemocrats #Exvangelical #EndGunViolence #Hivites #bigdats #MeToo #opendats #Krusty #OBeNice #Memo #YesterdaysTomorrows #TroyMcClure #MyWifeandMyDeadWife #PeakTV

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!