
Posts tagged: trojan

LCDC Plugins Infected With Malware

January 18, 2010 17:53

I try to avoid software that’s end of life, but occasionally I get stuck with a few programs that just don’t have any updated versions or are tied to a piece of hardware that I need to use. LCDC is software designed to run little LCD displays you can buy for your computer. I have one in particular that’s over 3 years old now but still runs great. However, it hasn’t been updated in, well, ever.

Today I took to scanning my PC and discovered that some of the plugins for LCDC were infected. I decided to check the web site http://www.lcdc.cc/downloads.htm for updates. It didn’t appear offhand that any had actually been updated, but it does appear that some are not infected and others still are.



Unlocker 1.8.7 Infected with Trojan Adware

October 27, 2009 08:28

With a great deal of disappointment I have to make this post. I have been an avid user of this tool in the past (I’m still running a pretty old version of this on an XP box) since it expedited deleting files that were locked by an application. It would clearly identify what had locked the file and give me the option to delete it. However, it appears that it is in fact bundled with ADWARE. This is defined by some AV products as a Trojan, including Microsoft Essentials as TrojanClicker:Win32/Yabector.gen.

It should be noted that CNet’s Download.com ‘verifies’ it is spyware free, yet obviously either this was a clear ‘miss’ on their part, or they do not classify adware as spyware. This confirms my thinking that anything on Download.com should be considered ‘risky’ software, since they either mislead or don’t bother to check the software that’s uploaded or available from Download.com. My thinking is they are simply misleading by ‘verify’ing it contains no spyware. Others have disclosed this over the year and a bit that this version has been around for download, so I think ample time was provided for CNet to correct this.



Review of F-Secure Internet Security 2007

January 1, 2007 21:01

Well, continuing my review of ‘integrated security solutions’, I have once again become dismayed by the terrible offerings from the various security vendors out there.

Today we don’t have massive virus outbreaks, nor do we even have a big problem with Trojans (except when it comes to malware), and worms are even starting to slow down. We can thank enterprise-scale solutions and active monitoring of networks for this. Yes, even email/spam solutions are stopping many of these things right at the server at our ISP, so very little should be getting into our machines today, unlike just a couple of years ago when ISPs were leaving each of us to our own solutions.

Today, malware in the form of ADWARE and SPYWARE, as well as BOTNETS and ROOTKITS, is our big challenge, and many of those we encounter tend not to be detected by many products until after they have been discovered. In my mind this does not provide a solution but a clean-up.

So I don’t recommend that proactive people buy these ‘Internet Security’ solutions that the vendors are pumping. They are just no good and a waste of CPU time.

F-Secure’s offering is probably the worst I’ve encountered to date. But like many of these packages, they taunt you with a free trial offering, which seems to work pretty well.

F-Secure offers the same as every other package: Anti-Virus, Anti-Spam, Firewall, as well as malware detection and a rudimentary rootkit check tool. Let’s start at the top.

The anti-virus solution is definitely the best of the inclusions with this product, when it updated, that is. Our biggest challenge was getting this product to work through a proxy. It seems the F-Secure developers don’t comprehend proxies and the awesome solutions they provide, and many times our updates would never get downloaded. An Anti-Virus product is only as good as its updates, and we constantly had to fiddle with the settings to do a simple update. Pathetic. So we would just as soon use Avast for FREE, which does not seem to have a problem with proxies.

The anti-spam solution, however, was incredibly poor, causing several minutes of delay in processing email from nearly every ISP I tested this with. A normal POP session usually takes about 1 minute, and about 10 seconds per email on the slow side. With F-Secure Anti-spam this increased tenfold. We were easily waiting about a minute per email, causing us to go for coffee every time we checked email. Since we use SpamAssassin on our free servers and a very pricey solution for our Microsoft Exchange server, we really don’t need anti-spam. It was no better at detecting the stuff that made it through these tools, so it was simply wasting time.

The firewall was the worst of the bunch. The first problem we encountered was that one of our test boxes had NVIDIA ForceWare Network Access Manager already installed. This is a firmware-based firewall, and it works very well. The downside was that F-Secure Internet Security refused to install “anything” with this product installed. On this box we simply wanted to test the anti-virus and anti-spam solutions, but we were forced to install the firewall product also. Disabling the firewall and reinstalling NAM was OK, and thankfully NAM remembered our old settings, saving us more time. Not F-Secure!

Once everything was installed on this box, we found out we could no longer access our network shares. Yes, the F-Secure firewall was blocking these accesses. Adding rules to allow this traffic made no difference. Isn’t a firewall made to configure what “I” want, not what some dork developer wants? I guess not. Nothing we could do (short of disabling the firewall) would allow us access to our network shares again.

The rootkit checker was bland. Featureless, it did not detect 22 of our suspicious ADS streams and did not provide any output that could be used to track and discover where potential problems could be. The average person does not understand rootkits enough to be able to troubleshoot this without a lot of hand-holding, and this tool has none of that available. eEye’s Blink was better for this, yet even it was an ineffective tool against current rootkits. Old and very public rootkit technology was noted effectively, but most of the problems these days are botnet-driven, and none of these were detectable until infection occurred and the OS was exploited. Then the anti-virus solution did its job.

The anti-malware portion of this software was very paranoid and kept advising us of tools that it didn’t think the average PC should have, like netcat or nmap; even PE builder tools were quarantined by F-Secure, which annoyed me to no end. Sure, one could build exceptions, but shouldn’t the tool ask this during detection, not AFTERWARDS? Bart’s PE Builder broke thanks to F-Secure’s gross paranoia. Perhaps they should devise a color coding like DHS has for terrorist alerts; ah, never mind, they’d all be red…

The kicker was purchasing a license and getting technical support. I had to send two emails to get my license since they didn’t bother sending it automatically as part of the order. Very irritating to have to ask, a week after buying a license, where it is.

The next kicker was contacting support about our two major issues: updates and our firewall problems. Neither was addressed in a satisfactory manner. We were advised to disable proxies for updates. OK, not a big deal, but every week this needed to be changed since it seemed to forget the settings. As a consequence we were hardly up to date. This should be automatic and not require tweaking internet settings just to update, so we fail this product on this point alone. The other components had very few updates (some never updated in the two months we used this product), so we wonder how effective a solution is if it is never updated. Snort rules, for instance, are updated almost every day, and they haven’t come close to detecting everything yet, so if I have a choice I’ll stick to a real IDS solution and not the ‘cleanup’ proposed by F-Secure.

Technical support was terrible also. Three phone calls to them, and after explaining my problem to some fellow who speaks very poor English, he would offer to ‘email’ me a solution. I think he simply could not grasp the English alphabet over the phone when I tried to spell my email address, since on all three occasions I never received an email from him. By phone call #4 I asked if he could simply walk me through this on the phone. He refused and insisted on emailing it. I then asked if he really was a technical support person. He said yes. I asked if he could REALLY help with my problem, or if he didn’t have a clue how to fix my firewall/proxy issues. He said he could. So I told him that I wanted him to help me now on the phone. He hesitated, but otherwise agreed.

F-Secure — you call that support? I call that very disappointing and disrespectful of your clients when you continually waste their time. Secondly, get people who can speak English. Make it a requirement of the job for those who prefer to get support in English.

After talking to this guy for about 20 minutes and following his instructions I was able to ‘one time’ update the package (I had to repeat his instructions every time I needed an update), but my firewall issue was not finding a solution. Even with rules in place (the fellow from technical support confirmed I had indeed set them up correctly, but it still didn’t work), I was not led to a working solution. I asked if there was a way to remove the firewall component completely. The tech stated I would have to download the Anti-virus program alone to accomplish this. I did not have a license for that product, so I would have to buy another product to do this.

At this point I simply stated this product was ineffective and I requested a refund. This the tech support fellow was able to do very quickly, and in minutes I had an email in my inbox to confirm it.

This was the best performance I received from F-Secure.

My suggestion for those considering this ‘integrated solution’: save your money and just buy the Anti-Virus product alone. It’s the only thing worth any money, provided you don’t have any proxies to affect your updates. My suggestion is to stick with Avast anti-virus, which does most of this stuff for free and much more effectively.

My rating of this product is 1 out of 10. This should not even be out of beta, but getting a refund was no trouble.


Kaspersky Anti Virus V6 Beta – Impressions

July 5, 2006 13:55

Well, everyone needs an antivirus solution, don’t they?

No. I don’t believe everyone NEEDS one anymore. To be truly effective you will probably need two or three, but good luck running them all together. It’s not recommended, and you will probably have real issues.

As a consequence even software designers are realizing this and integrating their AV solution into a more comprehensive and complete solution, bringing other features that should not be part of a pure anti-virus solution.

Let me state some declarations for the security vendors out there who may read this.

First declaration. We don’t want “vendor-specific” integrated solutions. Period. Anyone who thinks they do can email me directly or on the forums and we can discuss it.

Second declaration. No AV/Security Vendor has a ‘good’ integrated solution, let alone an ‘excellent’ one.

Third declaration. Stay out of endeavors unless you’re going to do them well.

Now even some AV products are moving into integrating other ‘features’ into their software. Kaspersky v6 Beta is one of those. This was supposed to be a pure Anti-Virus program but, as I highlight, it isn’t.

Since this is an article about my last 24 hours with this program I shall try not to pick on integrated solutions any more.

Why don’t I believe you need AV products anymore?

Truthfully, viruses are very, very rare forms of malware these days. They are making a bit of a comeback, but mostly as rebuilt worms or trojans. Worms and trojans are the big purveyors of nasty malware, and of course spam, phishing etc. are even larger spreaders of the disease, BUT they are not viruses either.

So Anti-virus products simply waste resources and offer little to no actual protection?

Exactly. Almost none are capable of “true” real-time protection unless you are being infected with very old malware. However, this is really where the value in Anti-virus software is. Typically the value comes into play only after you discover that you’re already infected. [1] Sure, none of us like this, and we wish we would never get infected, but it happens. Our AV solution typically works well to excellently at removing and cleaning ‘known’ infections. Sure, sometimes we need to do more than scan, quarantine, and delete, but our investment in the AV program should be able to assist at weeding out the ‘known’ malware and ensuring our data is clean.

Only in the know…

It doesn’t stop unknown viruses. Hence why you need to keep updating your software with new ‘signatures’ and additionally keep scanning your systems to keep up to date with what’s ‘known’.

Anti-virus software tends to be excellent at dealing with viruses, pretty good at trojans and worms, but ‘only’ if the signature is up to date. Besides, nobody trades floppy disks much anymore, so boot sector viruses are dying out as malware matures in new forms [2]. So the AV product typically cannot stop trojans or worms from moving around unless it has detection signatures for them. But these are definitely acquired after the trojan or worm has typically run its course. Some worms have lifetimes in seconds. How do you detect it, report it, confirm it, publish it, add it, update it, scan it, all in a few seconds? You can’t. You would be infected during that phase with no trigger from your AV software.

Since I don’t need to waste time and money getting little return on investment, I choose not to install Anti-Virus tools. Regardless of the solution though, remember: “true” real-time protection comes at a cost to performance. On a home PC, who wants to give up performance? On a gaming machine, no WAY you’re giving up performance. So don’t waste your time installing this software on these machines. There are better solutions.

Isn’t Kaspersky Anti-Virus v6 Beta different?

Yes. Kaspersky v6 Beta was downloaded as I have always heard good things about this company and they tend to get fairly favorable reviews. However, most people hated v5 for a variety of reasons and I was led to believe (reading other reviews) that 6 was a phoenix-from-the-ashes type of release compared to v5. It wasn’t. It’s very like v5 and adds new features you may love, but I guess you won’t; I sure didn’t.

From the beginning

Well, the MSI installer was the first strike against this product. I’m no fan of the MSI installer; it creates numerous difficulties in installing software, and there should NEVER be a PROBLEM installing software. If there is, you shouldn’t have released it with the problem.

I attempted the installer on Vista RC2 and it completely failed with no real error (unknown error, didn’t I just type this…). I then attempted to install this on an XP SP2 box I use that has ‘never’ seen an Anti-virus product before, and has been running for 6 months. This installed fine, requiring a reboot at the end. However, it attempted to update during the install, and this simply caused a hang of both the installer and Windows Explorer. I wasn’t impressed. The reason for this hanging will be clear in a minute.

After a successful reboot, the software came up and started flagging various DLLs mostly, with nice smallish yellow popups, and asking me what I wanted to do. Folks, this is like many MANY other products out there; most are firewall solutions, but a few call themselves Anti-Virus solutions. Now with all these packages the capabilities are morphing also. It’s an application tracking program that shows hooks into system routines, accesses and injections, and changes of course. This can be a very powerful tool for ensuring you stay protected. However, this!?!?!? In an AV product? Give me a break. Someone forgot to tell these folks ‘I only want my AV software bothering me IF IT’S A VIRUS OR OTHER MALWARE!!!!!!!’; we do need to remind them.

Why is this a problem?

I expect my anti-virus tool to ‘detect’ viruses. Not tell me every little thing going on inside my system. If I wanted an effective tool for active malware discovery I would use a serious appliance built for that purpose. Maybe the Anti-virus software guys and gals want to detect 0-days, something they have never done in the entire history of anti-virus tools. Great lofty goal, but then they break trusted processes (detecting and removing viruses) with new features that can misplace trust, and then all bets are off.

So, the question is: do I really want this level of protection? Maybe.

Do I want it from a trusted application like an anti-virus tool?

No, since they don’t know whether it’s malware or not, it asks you to make the decision. I’m not sure if this would have an effect on scanning files against known attacks, but I’m not about to either guess or take a chance. Of course in my case I’m sure this is all innocent routine stuff, but it’s being treated inappropriately by Kaspersky, so it’s possible one can make bad decisions.

Every little task generates this ‘alert window’ providing you only with:

A: The classification of the alert;

B: The location of the file causing the alert.

Then you have to make decisions as to:

C: Whether to accept or deny it;

D: Whether to make the above choice permanent, or just this time;

E: Whether to simply trust this application to do what it wants, or not.

Let’s look at each of these in more detail.

A: The classification is a single word: “Invader”, “Downloader”, “Threat”. You can click on it to go to http://www.viruslist.com and check the definition in the encyclopedia, but don’t waste your time. The definition you probably already formed in your head is more accurate and descriptive.

B: The location is helpful, but in no way assists in decision making. Does the software ‘belong’ there? Are there other files called this also? What is the manufacturer’s version information from the file? Do we have an MD5 or SHA hash to verify its integrity? Is this an essential Windows file or not? Is it a virus because my AV program displayed it to me? Too many questions still and no definitive answers from the program that’s supposed to be definitive.

C: Whether to accept or deny this activity. How am I supposed to make an intelligent decision based on the little panic information I have received so far? Honestly, you can’t. So you flip a coin. However, chances are something ‘legit’ was trying to do something, and if you deny it, very likely the application will now no longer have any communication back to the system, including the calls and threads it already created, and will typically crash the application or, worse, the desktop, or sadly, the entire machine. So the default choice is to accept it. Why bother me then?

D: Now we have to make a choice that we will have to live with if we ever run this again. Again, same logic trail as C: above, so same conclusion. Why bother me then?

E: Should we just ‘trust’ this application to do what it wants? Now here’s the ‘stop annoying me’ choice; we can tell the program “look, you annoying software, quit bugging me with popups and just trust the blasted application”. Still we don’t know whether this is our photo gallery we wanted to start up to add some pictures from the weekend, or the latest worm/trojan file deletion tool. But we can trust it and never hear from Kaspersky again.

So, the conclusion: this behavior from Kaspersky isn’t warranted or desired in an AV product because it doesn’t provide decent support. It simply gives the user a very powerful filtering capability, which one can most simply avoid, and probably will. This type of processing smacks of ‘host intrusion prevention systems (HIPS)’, but these are typically poor or overly complex applications. Here with Kaspersky AV v6 Beta we have not overcome that hallmark.
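Point B above lists the facts an alert should carry before the user is asked to decide: where the file is, whether it belongs there, and a hash that can be checked against something trustworthy. As an added example (not from the original post and not Kaspersky’s code), the following Python triage helper gathers exactly those facts for a flagged file and compares them against an allowlist. The allowlist contents, the sample file it creates and the list of expected directories are all constructed for the demo; a real deployment would load vendor-published hashes or a known-good baseline of the host instead.

```python
"""Triage helper: collect the facts an AV alert should have shown.

Added example, not part of the original post. The allowlist, the sample
file and the expected directories are constructed for demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed allowlist: SHA-256 hex digest -> description of the known-good file.
# The digest below is that of the five-byte sample created by build_constructed_sample().
CONSTRUCTED_KNOWN_GOOD = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":
        "sample.dll (constructed sample whose contents are b'hello')",
}


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file, reading it in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def in_expected_location(path, expected_dirs):
    """True if the file lives in (or under) one of the directories it is expected in."""
    p = Path(path).resolve()
    for d in expected_dirs:
        d = Path(d).resolve()
        if p.parent == d or d in p.parents:
            return True
    return False


def triage(path, known_good, expected_dirs):
    """Collect hashes, size and location for a flagged file and give a verdict.

    The verdict is deliberately conservative: a file whose hash is not in the
    allowlist is reported as 'unknown' and left for a human to analyse rather
    than guessed at, which is the failure the review complains about.
    """
    p = Path(path).resolve()
    digests = hash_file(p)
    known = known_good.get(digests["sha256"])
    located = in_expected_location(p, expected_dirs)
    report = {
        "path": str(p),
        "size": p.stat().st_size,
        "md5": digests["md5"],
        "sha256": digests["sha256"],
        "in_expected_location": located,
        "known_good": known,
    }
    if known and located:
        report["verdict"] = "known-good"
    elif known:
        # Right bytes, wrong place: worth a look, but not a malware verdict.
        report["verdict"] = "known-good content, unexpected location"
    else:
        report["verdict"] = "unknown: needs analysis"
    return report


def build_constructed_sample():
    """Create a throwaway file standing in for the flagged DLL; returns (dir, path)."""
    d = tempfile.mkdtemp(prefix="triage_")
    path = os.path.join(d, "sample.dll")
    with open(path, "wb") as fh:
        fh.write(b"hello")
    return d, path


if __name__ == "__main__":
    sample_dir, sample_path = build_constructed_sample()
    for key, value in triage(sample_path, CONSTRUCTED_KNOWN_GOOD, [sample_dir]).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the constructed sample; pointing `triage()` at a real path with a real allowlist gives the same fields. The point of the three-way verdict is that the hash alone answers "is this the file I think it is" while the location answers "does it belong there", and an alert that shows neither leaves the user flipping the coin the author describes.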

 

The second contention I have with Kaspersky AV v6 Beta is that all the links direct one to a page to download the ‘trial version’ from, but with no way to activate the ‘trial version’. The docs indicate that the activation tool (help -> activate) allows one to buy a license for this, activate later, or activate with a trial code. Well, the ‘trial version’ I downloaded from the ‘trial page’ does not have an ‘activate with trial code’ option. So it’s either no updates or buy a license. Well, let’s see how it does with its current database on my box that has never seen an anti-virus tool. Aha, this is why my install hung: it won’t allow the updater to update. How silly.

OK, I start the scan, and I do like some of the options it provides, like showing you all the exploits at the end of the scan. I like this. So I run the scan; it estimates about two hours to scan everything (lots of partitions) and, unbelievably, it was done in just under two hours. Very impressive. Two little things I have seen before, but they actually work as expected. Wow. It’s truly unfortunate that little else worked as well or made a positive lasting impression on me.

Remember, we scanned a box that has XP SP2 installed, patched on a semi-regular basis (I let it inform and download, but I install manually), no firewall except Windows Firewall, no antivirus ever until Kaspersky v6 Beta was installed. This box has Office 2003 installed, runs Outlook as the mail client, has Perl installed, IRC runs constantly, and most web browsing is done from this box, including this report, which was initially typed on it.

After a full two-hour scan of my box I found one ‘threat’ on my PC. Oh, that’s darn good, I say to myself. Just one file. Considering some of the PCs people have brought to me that I’ve cleaned up, repaired and rebuilt over the years, typically finding unbelievable amounts of malware, or a single infection still resulting in numerous files found during a scan. Just one file infected. Must have contained it…

So what one did I have? I clicked on the result and was shocked. The result was ‘Not-a-virus:mirc-616.exe’. I couldn’t believe this. It was showing me a backup copy of mIRC from my last update. Hey, I use mIRC daily, and rely upon it. I bought the tool so I’m licensed, and when it did an upgrade it created a backup first. How intelligent.

So why is Kaspersky bugging me about this innocent tool?

I guess someone could ‘run’ it and take advantage of the exploits to infect my box, so I deleted it afterwards. Was it infected? No. Why does it flag me with a bunch of insignificant warnings when it’s harmless? Why did it not say ‘look, you should delete this old version, or upgrade if this is the current version you are using’? Because it’s not a patch management solution, nor is it an auditing solution. So I cannot fathom why my Anti-Virus software is behaving like one.

Maybe it’s trying to be more encompassing and deal with the latest threats, rootkits. But then shouldn’t it promote itself as an anti-rootkit tool? Well, we all know that there isn’t any such thing (yes, many are trying to build one, but nothing actually works in detection); even tools such as ‘Rootkit Revealer’ by F-secure simply tell you a bunch of stuff that may ‘look’ like a rootkit, but you’ll have to do much more system analysis to determine whether it is real or not.

Let’s do some work

So, I figure I’ll wait and see if I can get the 30 day activation code to use this product, and check around to ensure I haven’t missed something in terms of getting the proper beta product. In my travels I find this great RAR file I want to download. OK, Firefox causes numerous popups in Kaspersky as DLLs are loaded to process the download. OK, I get the download and click on open in my download window in Firefox, and get more, including AdobeIEsomethingorother.dll; I can’t see why it needs this and select deny. Windows Explorer crashes. Oops. Attempt to repeat, crashes again. Turns out that the download window launches in explorer.exe space, and any time it looks up how to handle extensions several DLLs are loaded for that purpose, including the AdobeIEsomethingorother.dll that I denied. I wasn’t running IE or Adobe, but Windows Explorer (explorer.exe) required it during its initialization, and denying it made it quite unstable.

OK, this is not why I have security products installed on my machines. I install them to:

A: Improve the security of my systems, and improve my ability to do so;

B: Improve the stability and reliability of my systems and the data that resides on them;

C: Protect and ensure the accuracy, validity and privacy of the data and software that resides on the machines.

If the software I’m installing/using interferes with ONE of those conditions, it fails and gets removed.

Kaspersky failed on the first two accounts. It did not improve my security, and it destabilized my system by halting processes in stream to pop up windows. This regularly caused issues and in some cases failures, crashes or unrecoverable applications. In one case it completely crashed my TCP/IP stack, since the protocol doesn’t like waiting for responses. As for the third, I can say the installation/removal of the software did not adversely affect any system files. It did not interfere with the accuracy of the files that resided there, nor did it interfere with them (outside of the routine application issues).

I could not recommend this product since:

  1. It misleads the user about particular findings
  2. Activation was a major headache with no immediate solution attainable
  3. The product introduces so many additional points of failure that system stability could be a factor
  4. It wastes the user’s time with notices of things that are innocent; additionally, it doesn’t make notice of important things.
  5. Misuse of the tool by the user can render a machine or application useless, even to the point of crashing system kernel routines.

In my opinion this Anti-virus product is only 1/5th of its capabilities, and I was not seeking integrated solutions. While the AV portion does seem to work effectively, it alerts you to non-virus files, which could cause one to accidentally delete something they use.

Installation Ranking: 3/5 – Using MSI and saying it installs on all Windows versions, but it would not on Vista, nor would it generate a decent error. XP works fine.

Initial Setup and Patching: 1/5 – Unable to do anything except hang the machine attempting to make connections the program blocks. Unable to rectify within the test period; granted, it was very short, so we give it a one.

Usability: 3/5 – Overall the program worked as we expected and did not cause issues or confusion when we asked it to do things. It was not so clear when it prompted you with popups about app activity.

Dependability: 3/5 – Overall its engine scanned effectively and found all the planted malware on our test box. Its discovery of non-malware as malware concerned me greatly about its ‘cry wolf’ potential. I would not rely on results from this software alone; I would have to confirm them with another, more reliable package to ensure it is accurately determining valid malware, and not potential malware.

Overall score: 2.5/5 – Software adequate. Price to purchase unrealistic relative to its abilities. Certainly has potential as a combo AV/application watcher, but why?

I don’t want to have to second-guess my results; my AV software shouldn’t either. If it does, then it no longer has any ability to do what AV software is supposed to do: detect.


[1] This happens (typically) as a result of being infected during the ‘unknown’ phase; once the signatures are updated, you now ‘detect’ the infection that has been running around doing whatever it wants until now.

[2] Traditionally you got viruses from copying files, usually from a floppy disk. Over time, as other file transfer methods developed, the ways for viruses to spread changed also. However, malware creators also realized that in order to get the virus around, they needed to figure out how to spread it. Email, news and IRC protocols were used, and the practice of hiding viruses in (even legitimate) programs was developed, now commonly referred to as trojans or trojan horses. Worms also are an effective spreader technology, since their whole concept in life is to move around the internet.


Secure By Design

February 27, 2006 11:54

To be quite frank, no language is secure; no language was built from a security perspective.

So….

Many people these days seem to get it in their head that there are secure designs in the world, and I digress: no, there aren’t. Nobody thinks deeply about security except those with a great deal to lose, and they pay very heavily for it.

Your bank is not really that secure.  Your data is not really secure.  Your personal government files are not secure.  Your home is not secure.  Your business is not secure, your car is (phht a joke!) not secure.  What does this tell you?

Well what did September 11, 2001 tell you?  What did Hurricane Katrina tell you?  

I think it’s telling us, that no ‘system’ or ‘process’ is secure by design.  Security is something we thought about afterwards, generally speaking when someone else quite distinctly shows you the insecurity.

When it comes to software, we cannot think that ‘security’ is job #1.  We’d be lucky if they even considered it in a fleeting moment, let alone design with it in mind.

So why would we think anything we do on computers or online, is secure?  It isn’t,  it’s even worse.  Online banking/payment systems are not secure, our Media players are not secure, our email and IM is not secure, our web browsing is not secure, nothing in our software is secure… 

…unless we want it secure. 

So if we want to think about secure design, what should we use as a language, and are there any languages we should avoid? Well, a ton of FUD is being generated towards PHP, as if it’s the first language to have a high degree of problems. Probably Microsoft detractors trying to sucker people disillusioned by PHP into thinking that Visual Studio will be the holy grail for secure programming. Only a total idiot could have that type of an epiphany. Anyway, my thoughts on this subject have been heightened by a recent thread on Bugtraq by a group you’d think knew what they were talking about. But it shows that it’s all opinion with little fact. I question some of this and downright disagree with vast sums of it.

Let me quote:

> —–Original Message—–
> From: Thomas M. Payerle
> Sent: Thursday, February 23, 2006 1:38 PM
> To: Christine Kronberg
> Cc: Gadi Evron; bugtraq@securityfocus.com
> Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
>
> >> 1. PHP is the “serious” or at least open-source/Linux/security
> >> freak’s choice for web development. Mine as well (although as many
> >> still say, Perl does a better job).
> While PHP is extremely popular, especially in open-source and
> Linux communities, I am not sure it qualifies as the defacto
> choice of “serious” web developers.

What language is ranked the ‘defacto choice of “serious” web developers’? 

When I talk to them I typically hear three answers: JavaScript, PHP and ASP.  When I look on Google to see if there are any trends out there, I find most ‘serious’ web developers typically use PHP and a lot of the design houses use ASP.

For developers in general (app, web, etc.), one survey asked which programming languages are currently in use at your company for development:

  • C – 32%
  • C++ – 54%
  • C# – 72%
  • Delphi – 7%
  • Java – 66%
  • JavaScript – 50%
  • PHP – 16%
  • Perl – 34%
  • Python – 8%
  • Ruby – 1%
  • TCL – 6%
  • Unix shell scripts – 42%
  • Visual Basic – 62%
  • Other interpreted languages – 33%

Pasted from <ComputerWorld>

 

According to this I would rank PHP #3 among the web scripting languages: JavaScript, Perl, then PHP, followed by Python and TCL.

ASP didn’t even qualify (probably a chunk of that ‘other’). 

So what about web developers specifically?  Do they simply use Dreamweaver and frown on the rest?  It’s really up in the air; there are a lot of choices out there.  Let’s pick a couple of examples.

The US General Accounting Office (GAO) decided that PHP was the choice over Java for such reasons as (gasp) security! 

Infoworld

Then there is this guy who thinks the sky is falling.

Nut Case Against PHP

May as well say Windows is a growing target for trojans and worms.  How about: mountains are a growing target for rain?  Taxi drivers are a growing target for passengers?  Runways are a growing target for airplanes (literally!)?  See how groundless this type of comment is?  JavaScript has so many holes in it that they cannot realistically be patched, so the best solution is restricting which sites may run JavaScript; again, a solution that has never really worked, but at least it gives us a whitelist approach to the problem.

So it’s fairly obvious that something with HUGE penetration into the server market, whose cost is nil, and whose developers are abundant around the world, is going to be considered a ‘growing target’ for something!!  If peanut butter became the next language and was used by a growing group, guess what?  It too would experience this type of exploitation; it’s part of life.  It’s what we as people do. 

Anyways, lets get back to our bugtraq discussion.

> And I did not think it was as popular in the security
> community (when I occasionally scan one of the reports on the
> frequent PHP based applications that grace this list, I
> thought exploit code is as often as not given in
> Perl:)

A ridiculous and nonsensical comment.  Perl is typically used because it’s easier to write a PoC or exploit in.  I personally prefer Python.

Remember, we are here because nobody thinks about the ‘right’ way, just the fast or simple way.  What difference does the language of the PoC make?

 

> >> 2. Developing secure applications in PHP is difficult, as one of
> >> PHP’s creators said recently – even to him after years of trying.
> The number of PHP applications getting reported on bugtraq
> would seem to support this, although likely also contributed
> to by the fact that it is popular, and perhaps that it is (or at
> least has the reputation of being) easy to program,
> leading to programs written by people without understanding
> of security implications.

Again, just like any other language or ‘code base’, when we learn from our mistakes we explore new avenues and don’t necessarily like what we see.  PHP was originally designed to do only a trifling amount of what it has turned into.  It went from being a very simple ‘scripting home pages language’ to a very ‘sophisticated server side language’ in the course of a few years.  In that very short time frame a LOT has been learned about writing secure code in PHP, and the next generation of stuff will be leaps and bounds better; however, a LOT of old code (some no longer supported) needs to be fixed, and the fact that the community is working to fix it is what matters.

But that doesn’t mean that the ‘need’ for secure code is perceived in all cases.  A good example of this is ACID, for the longest time the only front end for the popular IDS Snort, used by security analysts to gather information.  Simply said, one of the worst-written apps in PHP probably ever, “from a security perspective”.  My analysis would be to chuck the whole thing out and rebuild, something a lot of people are currently doing and/or considering, or are at least aware of the reality.

But in fairness to the author, he did not design it ‘for secureness’; he designed it to view insecure data.  He did not think the average ‘user’ would ‘need it’ secure.  Again, if the need for something in the software is not perceived, why would you waste time designing it in?

The latest push has been into BASE development, which has improved, but is still nothing like secure or even remotely close.  This team is still trying to grasp rewriting the application.  I personally think it was written this way for a reason, but I digress.

These were developed BY SECURITY PROFESSIONALS, yet even they failed to account for writing secure code.  What does this tell you?  I know what it tells me: that nobody understands secure code in the first place, so how can they write it?  Do people today still think that BASE needs to be written securely?  Back to our discussion:

 

> >> 3. Staying on top of new PHP vulnerabilities has become
> >> impossible, popping around everywhere.
> While I concede I am less than happy about the frequency with
> which patched versions of php come out, and most versions
> include some security related patches, I do not think it is
> impossible.  Furthermore, most of the “security”
> patches have been rather localized, and affect only a small
> number of functions and often only in rather specific
> circumstances, and with some knowledge of the PHP
> applications running on your system you can often leap frog
> over some of the versions.

 

 

I’m not quite following this statement, but it would certainly be the one I mostly agree with.  Most patches are good at fixing the issue with the function.  Typically it has to do with no longer trusting some data source, and voilà, it’s more secure.  But that’s similar to patching C functions too.  Or Perl, or JavaScript, so why is PHP being singled out?

If you understand the C code, you can fix the problems when they are pointed out to you.  It seems silly to say, but it’s true.  But what is the likelihood of a developer seeing the problems in his own code?  I think it’s stupid to comment on, but people are inherently egotistical, and programmers even more so.  When it comes to being honest with ourselves and seeing our flaws for what they are, we seem to emit a hormone that lets our senses ignore our own and home in on other people’s.  So it’s quite unlikely the average developer is going to notice his or her own security flaws.  They will require someone less in tune with their code, or someone who doesn’t pick up their hormone.

 

> Most bugtraq messages with PHP in the subject appear to be
> holes in specific applications, usually due to programming
> errors on the part of the application author.  This does not
> mean the language is inherently insecure; although it may
> indicate that it is difficult to write secure PHP code.  It
> could also mean that PHP is easy enough to program that a lot
> of people without knowledge of how to program securely are
> writing PHP code.

Again, I don’t understand how you would define a secure vs. an insecure authoring language.  It’s difficult to write secure C code.  It’s difficult to write ANY code if you’re not familiar with it, let alone expert in it.  So… back to reality…

No language is secure to start with, so your choice is either defined by:

  • Application
  • Usage
  • Availability
  • Cost

 

Even if ‘Secure’ was in there, how would you measure it?

Some people never grasp this. 

Then what comes along…I see this fellow has figured this out:

 

On 22/02/06, Kevin Waterson wrote:

> This one time, at band camp, Gadi Evron wrote:
>
> > 3. Staying on top of new PHP vulnerabilities has become impossible,
> > popping around everywhere.
>
> What vulnerabilities in PHP?
> Are you implying the fault is within the language itself?

 

I think Gadi meant vulnerabilities in PHP applications; though the language doesn’t make it particularly easy to write secure code.

 

> This is akin to saying C has vulnerabilites because some script kiddie
> wrote a poor application.

 

Like this?

“We can give you advice on how to write good cryptographic code. Avoid any programming language that allows buffer overflows. Specifically: don’t use C or C++” — Practical Cryptography, Schneier and Ferguson, (p149 in my copy).

It’s a point of view that has something to be said for it. You *can* write secure code in C and PHP, but it takes a lot of care and most programmers don’t take that care. I’ve been told privately that one penetration tester could gain system privileges on the majority of webservers he checked; that used to surprise me, but doesn’t any longer. I don’t know whether that’s a ‘vulnerability’, ‘disadvantage’ or ‘feature’ of PHP and other scripting languages.

cheers,

Jamie

Jamie Riden

 

Agreed.  That doesn’t surprise me anymore either.  Why aren’t we surprised by this?  Simple.  We understand that servers are built with money, and nobody wants to spend more money than they have to.  LAMP (Linux, Apache, MySQL, PHP) is a very common web server setup and can be rolled out quickly, easily and cheaply.  Such servers need little maintenance, and if they aren’t harmed by the users or the guests, they can stay running for a long time.   If they get infected or hacked, or whatever, the owners dump the site and recreate it somewhere else.  If they need to, they can revert to an old backup of the site once a particular hole is patched. 

Why worry about secure software?  “It doesn’t exist.”

I think this is the mentality that needs to be changed now.

When people think about security in their applications they realize that 100% success isn’t going to happen, and that maybe all they can truly offer is 10% or maybe 20% towards that goal.  So they give up or don’t bother.  I’d hazard that adding that portion will allow us all to get closer, and maybe allow the next person to see how to achieve the next 10%.

PHP 5 is showing progress at dealing with security, but like most good tools it relies heavily on the developer to use the tools properly.  PHP has always been a hacker-friendly language, and there are not a lot of low-level design tools to assist in this.  In this regard it allows poorly written apps to be built, but then so does any other language.
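As an added example (not code from the original post or from the Bugtraq thread), here is the “no longer trusting some data source” fix discussed above, and the PHP 5 tools the developer has to choose to use, written out: the same user lookup with the request value pasted into the query text beside the version that binds it as a parameter, plus the allow-list that is the only fix when the value has to become part of the query’s structure. It runs against a constructed in-memory SQLite table and assumes PHP 5.1 or later with the pdo_sqlite extension; the users table, the hostile inputs and the function names are all made up for the illustration.

```php
<?php
// Added example, not code from the original post or the Bugtraq thread.
// Assumes PHP 5.1+ with the pdo_sqlite extension. The users table, the
// request values and the function names are all constructed for illustration.

function buildDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $ins = $db->prepare('INSERT INTO users (id, name, role) VALUES (?, ?, ?)');
    $rows = array(array(1, 'alice', 'admin'), array(2, 'bob', 'user'), array(3, 'carol', 'user'));
    foreach ($rows as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Deliberately vulnerable: the request value is pasted into the query text,
// so whoever controls it controls the shape of the query, not just the data.
function findUserUnsafe(PDO $db, $name)
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The "stop trusting the data source" fix: the query text is fixed in the
// source and the request value is bound as a parameter, so the database
// only ever sees it as a value to compare against.
function findUserSafe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value that becomes part of the query's structure (a column to sort by,
// a file to include) cannot be bound as a parameter. The only fix there is
// an allow-list: the request may pick one of our literals, nothing else.
function sortColumnFromRequest($requested)
{
    $allowed = array('id', 'name', 'role');
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

function listUsersSorted(PDO $db, $requestedColumn)
{
    $col = sortColumnFromRequest($requestedColumn);   // one of three literals from this file
    $stmt = $db->query("SELECT name FROM users ORDER BY $col");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-ins for $_GET values; no web server is needed to run this.
$db       = buildDb();
$hostile  = "' OR '1'='1";
$sortAttk = 'name; DROP TABLE users';

printf("unsafe lookup, hostile name:   %d row(s)\n", count(findUserUnsafe($db, $hostile)));
printf("safe lookup,   hostile name:   %d row(s)\n", count(findUserSafe($db, $hostile)));
printf("safe lookup,   name 'bob':     %d row(s)\n", count(findUserSafe($db, 'bob')));
printf("sorted list,   hostile column: %s\n", implode(', ', listUsersSorted($db, $sortAttk)));
```

Run it from the command line with `php`. The unsafe lookup returns all three rows for the hostile name, because the string closes the quote and adds an OR that is always true; the bound version returns none, because the whole string is compared as a name and no user is called that. The hostile sort column falls back to id, so the list comes back alice, bob, carol with the table intact. Note what the fix did not do: it did not ‘sanitize’ the input or strip quotes out of it. It stopped letting request data decide what the query says, which is the whole of the “no longer trusting” idea.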

We have to judge it on its accomplishments with secure design inherent in the language. 

But we shouldn’t think any particular language is “out to get us”.  And this highlights the importance of not relying on any ONE language, thinking its solutions are the best.  If that were the case we’d never have matured past FORTRAN.  Maple is so much better to use.

Recently Visual Studio 9 was being released, and as I uncovered from the opinionated source ‘eWeek’, Peter Coffee mentions about this new developer tool:

I get a queasy feeling, though, from a combination of comments by Visual Studio Team System Lead Program Manager Jeff Beehler, who told us all on his blog last week that (i) “we’ve been fixing tons of bugs” and (ii) “we’re only fixing the most critical of issues to help prevent regressions.”

Does that give anyone else a sense of “uh-oh”? There’s plenty of room for debate about the precise behavior of bug discovery rates as the number of remaining defects in code shrinks down, but I don’t know of any model that estimates a sharp and sudden cutoff between “tons of bugs” and “good to go.”

 

Pasted from <http://www.eweek.com/article2/0,1895,1914426,00.asp>

So, yes, in order to reduce costs (regressions) Microsoft will concentrate on the critical issues.  No statement that they will fix them, just that they will concentrate efforts towards them.

I too am skeptical about the cutoff point and where it occurs.  But that won’t change the fact that (i) it will happen, (ii) there will be issues and (iii) there will be supporters and defectors as a result. 

Oh I almost forgot, (iv) a holy war.

I’d normally start this paragraph out with ‘in conclusion’ or some such official closing remark, but is this really concluded?  Not by a long shot.

