Don't use RNCryptor-PHP

> I don't mind seeing your posts, but I gotta say this is a really strange way to build your "brand" as a security expert.

I'm not really trying to build my brand here, I'm trying to raise an alert to anyone that uses this library that they've ignored this report for months and therefore shouldn't be relied on for security. As I'll explain further, these posts are actually against my best interest and I share this knowledge for the good of the community.

> You make public github issues exposing security flaws, rather than contact the teams privately. Maybe the private contact fails, so you go public -- I don't know because I only see posts like this one, not what led up to it.

When it comes to cryptography, especially if it degrades the security of previously encrypted messages, I generally opt for immediate full disclosure.

I privately disclose vulnerabilities in the same realm as remote code execution (mostly: SQLi, LFI, RFI, PHP Object Injection, and XXE) for a short period of time. They will eventually be disclosed publicly anyway, unless it's a paying client who maintains the code that I discovered the flaws in. Then, it depends on the terms of our contract.

None of the public disclosures you've seen from me were related to paid work.

> Anyway, my point is that you may be better off sharing knowledge to establish yourself as an expert rather than shaming libraries that aren't on your approved list.

Hmm. The point isn't "let's shame the libraries that aren't on [my] approved list," the point is, "these libraries have real vulnerabilities and have done nothing to address them". Maintaining silence is actively harmful.

> Write a blog post about timing attacks (yes, I realize there are tons out there already) and teach people how to recognize code that is vulnerable to them.

Heh. I'm not really a fan of echo chambers and repeating the wheel. ircmaxell and padraicb covered that topic so well that I couldn't possibly have anything of value to add to that topic.

> To me this post, and your comment on it, read like some shit marketing copy saying, "Library X is terrible, but if you look at my list of Y libraries you'll never be vulnerable again because I'm an expert™."
>
> That probably works for those of us that know more about you, who have seen you be helpful in other contexts here or otherwise and know that you do know your shit (because you do!).

(Emphasis mine.)

There's clearly a disconnect somewhere between what's going on and how it's being perceived, and that's likely my fault. If this were some "shit marketing copy", what do I possibly stand to gain out of this?

Some context: I'm the lead developer for a consulting company that people pay to find security vulnerabilities in their infrastructure (with an emphasis on code and configuration, and especially crypto, since that's our specialty). Telling people, "We recommend these libraries to not be terribly broken," means less people will be running vulnerable cryptography in production. Which means less demand for our services. If I were trying to market anything, I'd be far more successful if I shut up and Google dorked our way to finding scared, paying clients.

My goal here is simple:

  1. Raise awareness of vulnerable libraries with irresponsible authors.
  2. If people have an, "Oh shit," moment and don't know where to turn, I included a link to a blog post explaining several good cryptography library choices. Better that than they, say, google for a drop-in replacement and find something worse (e.g. ECB mode).

If anyone is running this in production, instead of, "Oh hey, the library you depend on is broken, good luck!" I thought it would be more useful to preemptively tackle the "I used this library, what do I switch to?" questions.

But if that's seen as "shit marketing copy", then I'll take your word and never link to that blog or website on Reddit again (even when it's relevant to the discussion).

> But to someone whose first experience with you is this post or many others like it you don't come off as an expert, just a bit of a dick. That negative experience will color every interaction they have with you from there on out.

If people hate me, but are not running vulnerable code in production, then that's a price I'm willing to pay.

> I'm not telling you to stop looking for vulnerabilities: that you do so benefits us all. Maybe just try to establish your expertise in ways other than public shaming.

I don't feel that I need to establish my expertise here.

Am I an expert? No, I'm not, and I likely never will be.

Do I have a tiny bit of knowledge that is apparently uncommon? Unfortunately, I do. I'm not sure what the best way to change this would be.

If anyone really dislikes the way I come off, please do acquire this knowledge yourself, find these vulnerable libraries, and handle the disclosures your way. Render me obsolete. Many eyes, etc.

/r/PHP Thread Parent Link - github.com