Skip to content

Instantly share code, notes, and snippets.

View sarciszewski's full-sized avatar

Scott Arciszewski sarciszewski

View GitHub Profile
sarciszewski /
Created May 30, 2015 04:25
A Crusade Against Bad Code

Aniruddh Agarwal blogged A short tour of PHP, and this is one of the negatives he identified:

Community: I know. I said that PHPs community was an advantage to it, but it is also a disadvantage, because of BAD CODE. Beginners are not taught the best practices and they go on to write bad code and distribute it, either as answers on Stack Overflow or similar websites or blog about it, which encourages other beginners to adopt those practices. There is a lot of misinformation out there, and it is very difficult to separate the good from the bad. This is perhaps the worst thing about PHP, because PHP is an entry-level language and people learning it are usually not aware of the best practices.

This is spot on!

The existence of BAD CODE being copied and pasted by newcomers is probably the biggest source of exploitable security vulnerabilities in the entire industry.

The biggest offenders are often the highest ranking search results on Google and other search eng

sarciszewski / _original.php
Last active August 29, 2015 14:17
Raymond Benc (moxi9 - PHPFox) - PHP Sadness
* Found in static/ajax.php
/* ... */
$sUserProfileImage = Phpfox::getLib('image.helper')->display(array_merge(array('user' => Phpfox::getService('user')->getUserFields(true)), array(
'path' => 'core.url_user',
'file' => Phpfox::getUserBy('user_image'),
'suffix' => '_50_square',
'max_width' => 50,
'max_height' => 50
sarciszewski / PasswordLock.php
Last active August 29, 2015 14:16
Bcrypt + AES
namespace Sarciszewski\Gists;
* This is a proof of concept code! DO NOT USE THIS!
class PasswordLock
const KEY = '4ff556f7b1db2dd95906c21a45ef00344abdb38934450263ee7a908facc05070';
sarciszewski /
Created March 8, 2015 09:58
Underhanded Crypto Contest Entry


You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).

Because password_verify() is defined in the namespace Framework, if the call to password_verify() (inside of the context of the "Framework" namespace) is not preceded by a backslash, PHP will by default look in the current namespace then check the global namespace. Silently.

i.e. it will attempt in this order

  1. \Framework\password_verify()
sarciszewski /
Created March 8, 2015 05:50
Twig 2.0 without Composer

Your mileage may vary, depending on how you set up the directory structure

sarciszewski /
Last active February 16, 2016 22:49
PRNG Benchmarks

In response to some people claiming that using a CSPRNG is "going way overboard" and/or is "overkill", I've written this test to verify the performance impact of using a CSPRNG versus their insecure mt_rand() based hacks.

I think the results are conclusive (at least on my device): A 50% speed increase. In addition to less-predictable randomness.

If anyone would like to suggest a benchmark script (or conditions that lead to different results with mine), let me know and I will link to them here.

sarciszewski /
Last active July 15, 2016 08:52
Install libsodium-1.0.2 and PECL libsodium on Ubuntu 14.04
#!/usr/bin/env bash
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
class switchNotMatched { }
function doInteger($i) {
echo $i;
if ($i < 100) {
echo " is less than 100.";
echo "\n";
sarciszewski / pbkdf2_benchmark.php
Created January 16, 2015 01:13
PBKDF2 Benchmarking Script
$it = [ 1000, 2000, 4000, 8000, 16000, 32000, 64000, 128000, 256000, 512000, 1024000, 2048000, 4096000 ];
foreach ($it as $i) {
$st = microtime(true);
$c = \hash_pbkdf2(
'example of a simple plaintext message goes here',
'something silly',
sarciszewski /
Last active August 29, 2015 14:13
Privacy Seppuku (Note: IANAL)

Let's say that you are an American whom produce software that respects user's privacy. And one day, the FBI comes knocking armed with a National Security Letter (NSL) and demands your signing key so they can distribute malware to your users, pretending to be you. There is no legal defense you can mount, they covered their bases.

What do you do? Lavabit fought, and was ultimately destroyed. If more companies pushed back, maybe the government would stop using it as an easy way to force compliance and silence. Or maybe they would just carry a bigger stick.

Here's another idea. Comply, then get "hacked" and have the keys they're demanding get leaked online and/or published via full disclosure.

Here, being "hacked" means either:

a) leaking the key to someone, discretely, over e.g. Tor with PGP and having them do it

b) leaking a backdoor to someone and having them actually hack in (over Tor) and steal the key