Recently I was pointed to a blog entry announcing the retirement of Stefan Esser from the PHP Security Response Team. Stefan, amongst other things, developed Suhosin, a PHP security tool. His retirement announcement was extremely disturbing and is worth reading.
The crux of it is this paragraph:
The reasons for [my retirement] are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP’s security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin.
Now I’ve done relatively little hacking of PHP and don’t expect to do this for a living, so why should I care about this? I hacked on one PHP app that horrified me because of how poor its security was, but this is not a reflection on PHP. However, as I was once griping about the fact that I don’t miss strong typing, one programmer pointed out that if we could get optional strong typing in Perl, we could gain tremendous performance wins for all Perl programs.
That’s why I was annoyed at the security holes I had to fix in the PHP app (SQL injection attacks), but not overly worried. If Stefan’s comments are accurate, then there are plenty of reasons for the PHP community to be concerned. You might not care about an individual program — you can usually just choose a different program which does the same thing — but if you’re talking about the entire programming language, that’s serious. The more people who are affected by what you do, the more disciplined and less ego-driven you need to be.
Of course, it’s possible that Stefan is just a crank — I wouldn’t know — but if any of the people involved are reading this, my apologies if I’ve offended anyone. I’m an outsider looking in and perspective is a difficult thing to acquire.
Remember, problems with an application written in PHP (especially with something like SQL injections) aren't problems with PHP the language.
Also remember, there are others on this team that will carry things on. Stefan just happened to be the most vocal.
enygma, as mentioned:
I do realize there's a huge difference between the two. The problem is that Stefan implied that people working on the PHP language didn't seem as concerned about security. If true, that's a huge problem. That's why I found his post very disturbing, but again, I have no way of knowing if his implications are correct.
IIRC, he made some rather brash and inappropriate statements the other day in regards to how certain binary compilers/optimizers were "anti-open-source" by letting application developers declare that their compiled scripts could not run when certain extensions were detected. This is probably fallout because of that.
Charles is on the right path. Don't do FUD the favor of making speculation into news. Gossip and hearsay belong on the magazine rack, not on oreilly.net.
Stefan made some nice contributions to the PHP community, but to say he was a crank is a massive understatement.
I read your blog often, but this should be the first time I post.
I can't help noticing how very carefully you choose your words, and how you leave room, almost always, to be wrong. That's rare. And for a guy as smart as you are, that's rarer. But that's why genius is rare.
That's all. No real comments on this. Just noting the mode of expression used (consistently).
Revance wrote:
That's just because I'm wrong so often. Honestly.
I'm a PHP developer (as in codes with PHP, not creates the language) by trade (started with perl, and still do some), and follow the PHP blogs pretty closely. Stefan is incredibly knowledgeable about security issues, and definitely an authority. However, that said, he's also one of the most abrasive developers I've read. The language he typically uses in his posts is antagonistic, and as a result, he's had a lot of difficulty pushing through security initiatives.
I don't think those developing the PHP language do not care about security, as Stefan is alleging; several, including Ilia Alshenetsky, are well-known for their security expertise and contributions in that area. I think the biggest issue here was a clash of personalities between Stefan and others on the PHP team.
Well, I'm not alarmed by his crux. I'm sure he will still contribute to the PHP community. Let's just wait...