Blogger Hacked Redux
I wrote a letter to Anil Dash about his remarks claiming that the weblog developer community is nothing but a bunch of amatuers who have no knowledge of computer security:
From: steve jenson
To: Anil Dash
Quoting from your site:
"""But, with the exception of Mena and Ben Trott's work on Movable Type, which has been informed by Ben's background in cryptography and other security practices, there hasn't been a seriousness about the responsibility of developing these applications as weblogs move to being a critical communication tool for people. """
While I appreciate the mostly positive outlook you've taken in your coverage of the Blogger crack fiasco, I'm rather offended by the above paragraph. My own background in computer security is quite strong. I don't particularly feel the need to qualify that but I will if you want. Also, I take Blogger development very seriously. Ev's worked with me for over a year now, I think he could vouch.
I know you don't claim to be an expert in this area but a knowledge of cryptography is not a panacea when it comes to system software security. As often as not, misimplemented crypto is the catalyst of vulernabilities. This is exactly how DeCSS came to exist; a set top box manufacturer didn't fully appreciate the nuances of key management and the rest of us are pretty darn glad for it.
There's a bigger fish to fry here, I think. System software is still written in C, a 30-year old language with 30-year old security flaws. "Modern" operating systems still lack decent confinement mechanisms, stuff which has been understood for at least the past two decades (look at the KeyKOS operating system and it's modern ancestor EROS (eros-os.org)), PKI is a house of cards; your SSL'd credit card transactions only _seem_ secure through a faulty (and faulted) third party. Toolkits for creating trusted channels between parties are still not widely deployed; your IMs are unprotected and there's no way of even verifying that this email actually came from me.
Instead of the punditocracy rehashing the same "beware the ides of march and don't store your passwords on a remote server" line, maybe they could learn and talk about these issues instead? Perhaps you could start this trend.
BTW, you're site is running with a remotely exploitable version of PHP. You should talk to your hosting provider about it.
# — 26 October, 2002