sarciszewski / README.md
Created May 30, 2015
A Crusade Against Bad Code

Aniruddh Agarwal blogged A short tour of PHP, and this is one of the negatives he identified:

Community: I know. I said that PHP's community was an advantage to it, but it is also a disadvantage, because of BAD CODE. Beginners are not taught the best practices and they go on to write bad code and distribute it, either as answers on Stack Overflow or similar websites or blog about it, which encourages other beginners to adopt those practices. There is a lot of misinformation out there, and it is very difficult to separate the good from the bad. This is perhaps the worst thing about PHP, because PHP is an entry-level language and people learning it are usually not aware of the best practices.

This is spot on!

The existence of BAD CODE being copied and pasted by newcomers is probably the biggest source of exploitable security vulnerabilities in the entire industry.

The biggest offenders are often the highest ranking search results on Google and other search eng

sarciszewski / _original.php
Last active Aug 29, 2015
Raymond Benc (moxi9 - PHPFox) - PHP Sadness
/**
 * Found in static/ajax.php
 */
/* ... */
$sUserProfileImage = Phpfox::getLib('image.helper')->display(array_merge(array('user' => Phpfox::getService('user')->getUserFields(true)), array(
    'path' => 'core.url_user',
    'file' => Phpfox::getUserBy('user_image'),
    'suffix' => '_50_square',
    'max_width' => 50,
    'max_height' => 50
View PasswordLock.php
<?php
namespace Sarciszewski\Gists;

/**
 * This is proof-of-concept code! DO NOT USE THIS!
 */
class PasswordLock
{
    const KEY = '4ff556f7b1db2dd95906c21a45ef00344abdb38934450263ee7a908facc05070';
sarciszewski / README.md
Created Mar 8, 2015
Underhanded Crypto Contest Entry

Explanation

You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).

Because password_verify() is defined inside the Framework namespace, a call to password_verify() made from within the Framework namespace that is not prefixed with a backslash makes PHP look in the current namespace first and only then fall back to the global namespace. Silently.

i.e., it will try, in this order:

  1. \Framework\password_verify()
sarciszewski / README.md
Created Mar 8, 2015
Twig 2.0 without Composer

Your mileage may vary, depending on how you set up the directory structure.

sarciszewski / README.md
Last active Feb 16, 2016
PRNG Benchmarks

In response to some people claiming that using a CSPRNG is "going way overboard" and/or is "overkill", I've written this test to measure the performance impact of using a CSPRNG versus their insecure mt_rand()-based hacks.

I think the results are conclusive (at least on my device): a 50% speed increase, in addition to less predictable randomness.

If anyone would like to suggest a benchmark script (or conditions that lead to different results with mine), let me know and I will link to them here.

sarciszewski / install-libsodium.sh
Last active Jul 15, 2016
Install libsodium-1.0.2 and PECL libsodium on Ubuntu 14.04
#!/usr/bin/env bash
PECLVER="0.1.1"
LIBSODIUMVER="1.0.2"
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
View switch_case_pregmatch.php
<?php
class switchNotMatched { }
function doInteger($i) {
    echo $i;
    if ($i < 100) {
        echo " is less than 100.";
    }
    echo "\n";
}
sarciszewski / pbkdf2_benchmark.php
Created Jan 16, 2015
PBKDF2 Benchmarking Script
<?php
$it = [ 1000, 2000, 4000, 8000, 16000, 32000, 64000, 128000, 256000, 512000, 1024000, 2048000, 4096000 ];
foreach ($it as $i) {
    $st = microtime(true);
    $c = \hash_pbkdf2(
        'sha256',
        'example of a simple plaintext message goes here',
        'something silly',
        $i,
        32,
sarciszewski / Idea.md
Last active Aug 29, 2015
Privacy Seppuku (Note: IANAL)

Let's say that you are an American who produces software that respects users' privacy. And one day the FBI comes knocking, armed with a National Security Letter (NSL), and demands your signing key so they can distribute malware to your users while pretending to be you. There is no legal defense you can mount; they have covered their bases.

What do you do? Lavabit fought, and was ultimately destroyed. If more companies pushed back, maybe the government would stop using it as an easy way to force compliance and silence. Or maybe they would just carry a bigger stick.

Here's another idea: comply, then get "hacked" and have the keys they're demanding leaked online and/or published via full disclosure.

Here, being "hacked" means either:

a) leaking the key to someone, discreetly, over e.g. Tor with PGP and having them do it
b) leaking a backdoor to someone and having them actually hack in (over Tor) and steal the key