

Indie Software Security: A ~12-Step Program - tptacek
http://chargen.matasano.com/chargen/2009/9/24/indie-software-security-a-12-step-program.html

======
weaksauce
I just watched the talk you gave. Really impressive presentation. You three
definitely have a good dynamic up there.

I have a question on passwords. For authentication, bcrypt and a one-way hash
is great, but is there any reversible encryption that you would use to store
passwords (not for clients, more for personal use with throwaway passwords on a
per-site basis)? Is 256-bit Twofish using CFB secure enough for your tastes in
the short-term (5 years) storage of passwords?

------
tptacek
I think the talk itself is better than the slides or the blog post, but I
don't know how many people actually sit through talks. Mike and Nate killed in
that talk.

~~~
skolor
It is definitely an interesting blog post, at the very least. I started
watching the talk (Thanks for mentioning it, I missed the link when reading
the blog), but I won't have time to watch all of it until tomorrow. From what
I've watched, however, you guys (all three of you) have a really good stage
dynamic.

~~~
tptacek
That's all Mike (he's an Improv guy). I'm _really_ happy with how the talk was
received; it's the most fun I've ever had doing a talk.

Advice to startup entrepreneurs re: public speaking: hire someone who does
improv.

~~~
wallflower
Taking an improv class and going to improv workshops was and is still a
stretch for my logical, dominant right-brained personality. I highly recommend
it for anyone who wants to experience what it feels like to be spontaneous
and/or funny (and sometimes both).

The exercises that you do literally are designed to get you comfortable with
thinking on your feet. Starting with simple exercises like A-Z (conversation
with someone, one statement ping pong 'A beautiful day', 'Because you got out
of bed' etc.) and going all the way to 15-20 min improvised loosely-tied
sketches.

------
there
you should care less about security so that you have to hire matasano to care
about it, right?

~~~
tptacek
Pretty sure I made the case for the opposite of that with this talk.

People who don't put security extremely high on their list of priorities don't
tend to commission app penetration tests.

You are, in fact, _exactly the audience_ for this talk. I'd love to know more
about what you didn't like about it.

~~~
there
it just comes off as smug. you're security experts, we're all idiots. don't
even bother trying if we can't get it right, yeah?

how about instead of telling everyone they're "doin it rong" (seriously?) how
about you put your wisdom to good use and contribute a better solution? people
don't write their own (bad) encryption schemes and password hashing mechanisms
because they want to feel special, they do it because doing it the right way
is not easy or natural. you guys know that. integer overflows in c happen
because people don't think about them and get burned. they don't happen in
ruby because people don't have to think about them. a novice php programmer
probably comes across the php.net/sha1 page to find out about storing
passwords rather than having a built-in php function that uses bcrypt or
something secure (yes, its crypt() does blowfish now but it's not the default
or easy). same thing for encrypting data. they should be using gpg but
probably end up using mcrypt because it's what everyone else does and they
don't know any better. mcrypt has enough options and arguments to pass around
that i'm sure people screw it up.

to use your own 37signals fanboyism, 37signals frequently talks about how they
work and how they think it's the right way to do it, not just what other
companies do wrong. where's the matasano libraries to fix all these security
issues we're not supposed to care about?

i'll look past the openbsd/theo jabs because i know you personally don't like
openbsd, but seriously, nobody in the project takes the "two holes in the
default install" thing seriously anymore. it's not "marketing", it's just
something that's been on the website for a decade so it stays. by the way, in
the video you mention wordpress' poor security; wasn't matasano.com defaced a
month or two ago from you guys running wordpress?

~~~
skolor
I believe that's the point. What you do is make cool applications, and get
people to use it. What he (they) do, is security. You wouldn't try and explain
the minutiae of using ruby over django for web-based applications that involve
micro-blogging with SMS capabilities and micro-payments to a security
researcher/expert. It may be within their grasp of understanding, but it is in
no way worth the time to understand all of the requisite knowledge to
understand all the underlying information.

Taking just the password hashing stuff. There are entire books on breaking
passwords, and how to do it more efficiently. You're not going to go through
the minutiae of making sure your random number generator is seeded well, with a
suitably random number, that your algorithm does not have any flaws, that...
the list goes on, but it's what needs to be done to make sure that the password
is secure. You (as a developer) should not be doing that, just trying to learn
about it would take far too much time to be worthwhile. Instead, do like he
said in the post/talk, go find someone else who knows about it to do it for
you.

~~~
tptacek
There are things, like crypto, where I think it's an actively bad thing for
you to try to learn enough to implement them properly. I feel OK about
pentesting apps that try to use well-understood crypto. I do _not_ feel OK
about implementing apps that try to use well-understood crypto. Crypto is
radioactive.

Other things, like user-controlled templating or DOM injection plugins, are so
fraught with implementation errors that I think you're better off avoiding the
features, or at least using well-known open source implementations.

In no place do I want to argue that you should be _paying_ to get this stuff
done. The thesis behind everything we're talking about today is "here's what
you do when you have no money to spend on this stuff --- and if you're a
non-financial startup, you shouldn't be spending money on this stuff in any case".

~~~
skolor
That was more or less what I was trying to get across: unless you know it,
don't do it.

~~~
tptacek
Sorry, I meant to expand what you were saying, not push back on it.

