Things That Matter Most

Things That Matter Most

I Won’t be at ZendCon

by 2 Comments

Next week kicks off the latest version of ZendCon in Las Vegas. Though I had, for a time, expected to be there … I won’t be. You should know why.

Speaking Habits

I really enjoy speaking in public. It’s been a regular part of my career for the past decade, and it gives me ample opportunity to connect with and learn from the communities I care so deeply about.

I tend to submit multiple talks to multiple events per year. On average, I think I’ve spoken at 4-5 conferences per year for the past 6 years – in one “season” I presented in some form at 14 events during the period of the year. This gives me a lot of time on stage, but even more time connection with members of the community.

It’s opened my eyes to quite a few things; one in particular is the lack of diversity (or at least the representation thereof) at many events. We have a wildly diverse community, but a fairly homogenous lineup of “experts” presenting on stage.

Representation matters. I got involved in tech because people I related to were standing on stage telling me that I could. I want everyone to have that opportunity. To have that experience. More often than not, this means I need to step aside and encourage someone else to stand in the limelight. That’s humbling, but perfectly OK with me.

And it’s why I won’t be in Vegas next week …

Acceptance

My original acceptance email was lost to the aether, but eventually the organizing team was able to make contact and confirmed that yes, I was invited to speak. They’d selected both a workshop on security and a shorter talk about promise-driven architecture in PHP.

ZendCon Twitter announcement of my attendance and presentations.
Original Twitter announcement that I’d be speaking.

I was ecstatic!

ZendCon is one of the larger PHP events every year. Better yet, it’s a super short flight from Portland – there aren’t very many high-profile events I can attend to spend time with my community in my neck of the woods. I immediately accepted the invitation and flagged my calendar so I could schedule my time away from the office.

But then … my conscience got to me.

Withdrawal

Don’t get me wrong, the speakers’ lineup for this event looks to bring in solid experts who will be presenting great content. However, it’s also the speakers’ lineup that led me to withdraw from the event.

At the time I was asked to speak, there were 37 other speakers listed on the website. This group of individuals consisted of:

  • 4 women
  • 2 (apparent) people of color

For those who don’t want to do the math, this meant the speakers group was 89% male and 95% white. Adding my name to that list did nothing to make those numbers better.

My presence as a speaker at ZendCon would have actively diminished the value of the event. I refuse to be another white, male face among a speaker list comprised overwhelmingly of white men. This is not reflective of our community, and my ignoring that feeling and speaking anyway would be a betrayal of that community.

I hold no animosity towards the organizers of or speakers at ZendCon. However, I will not participate in your event until you address this discouraging lack of representation.

Moving Forward

I’ve taken fairly strong stances towards many things. I will not participate in events that lack a code of conduct. I will not abide racists, sexists, ageists, ableists, or similar.

I will not participate in events that fail to address serious issues regarding diversity, representation, or inclusion in our community. It’s one thing to say “well, people didn’t apply …” It’s another thing entirely to actively encourage members of the community to engage.

Said another way – if members of particular subcommunities are not organically responding to your CfP in volumes that would make a diverse speakers’ panel easy, you have far deeper problems with your event than you realize and it’s likely something I will not engage with in the first place.

As I’ve said on many topics recently: we can do better. We must do better. Those to whom we leave our projects, businesses, industry, profession behind deserve that we do better. Everything we do today is paving the way for generations to come – I am committed to doing everything in my power to ensure that the future of our community recognizes, respects, and values diversity.

Right now, that means calling out an inclusivity issue and refusing to be a part of the event that’s done little to solve it. In my white, male, cisgendered privilege, one of the strongest statements I can make is to not participate. If that makes room for one more person who doesn’t reflect “me” to the world, it’s a net positive.

Mastodon: Social Media Made Social

by Leave a Comment

March 23, 2008 was the day my friend Sean introduced me to Twitter. It was a foreign concept to me. A website that would forward text messages from you to a group of friends – and forward any messages they sent back to you.

I was hooked. Sean had called the system “crack” and, honestly, it was addictive. I didn’t have a smart phone (or a reliable laptop), so getting content via text message was brilliant! I started following more and more people and, eventually, exhausted my limited capacity to pay attention to anything.

Early Twitter was revolutionary. It helped connect me to people I barely knew and tied me in to the communities I cared about most. Twitter was how I got started in the open source community. It’s how I learned about and interacted with WordPress. It’s how I built my blog. How I started making a name for myself in the world.

Sadly, Twitter today is not the thing that early Twitter was. It’s grown up, and I don’t like the thing it’s grown up to be.

Twitter Today

I follow less than 300 people on Twitter as a rule. It keeps my timeline manageable, and it forces me to carefully curate the content I consume. Despite that, Twitter (the company) has found a way to corrupt that stream of content. It’s disgusting.

I use “likes” to bookmark content for later consumption, research, or reply. Many of my friends do this, too. The thing is, Twitter started using “likes” as a form of passive promotion – and feeding content liked by my peers into my feed as if it had been explicitly promoted by them. 1

Twitter today fills my feed with ads – most of which are flagged as “promoted” content. Some of which are not flagged in any way. The other day, I noticed advertisements for Accenture Security in my timeline, all retweeted by “null.” Attempts to suss out the identity of “null” failed, as the Twitter API merely told me “usernames are unavailable.”

I later found out that “null” was Accenture Security itself! A few days later, I saw other content “shadow promoted” in my feed; content retweeted by accounts I do not follow was showing up in my feed along with content I wanted. This is … problematic at best. Nefarious at worst.

Most likely nefarious.

Then there’s the fact that Twitter the company “owns” the platform. They control the content that does or does not appear. They conduct shadow bans of users. They lock users’ accounts with or without reason. 2 They refuse to lock other accounts, then publicly defend their non-action despite evidence.

I joined Twitter because it connected me to the communities I care about. I’m now leaving Twitter because it’s actively worked to damage those communities.

Introducing Mastodon

Some time ago, the tech community started moving towards Mastodon – a federated social network with a similar interface and use case to Twitter. Unlike Twitter, however, it’s not controlled by a single entity.

Every Mastodon community is a unique installation of the software on some server or servers managed by that community. Individual users belong to one or another community and interact with other users on that same site – exactly like Twitter.

Unlike Twitter, these disparate Mastodon installations can all communicate with one another. A user on mastodon.technology can follow a user on mastodon.social from any other community. The servers handle transferring and copying content from one installation to another. All you need to keep track of is your own account and the list of users you follow.

Again, unlike Twitter, no one company or individual is in charge of when, how, or why accounts are locked or purged. It’s a community effort. And, because it’s a community effort, for-profit companies can’t inject themselves into the workflow with ad buys or any of the aforementioned potentially-nefarious activity I’ve seen on Twitter.

I explained it to a friend using the WordPress community as an illustration:

Twitter is to WordPress.com as Mastodon is to WordPress.org

One is a monolith run by a single, for-profit company. The other is a piece of software created and powered by the community that allows individuals to democratize the otherwise monolithic system.

I run my blog on WordPress to own my own content and avoid answering to anyone else. As of this week, I run my own Mastodon instance so I can own my own social network and avoid the malicious interference of corporations with their own interests.

My instance runs on AWS and has closed registration to prevent abuse. It’s invite-only at the moment and is home to a few of my close, personal friends. If you want to join, drop me a line and we’ll talk about it. Server costs are shouldered by the entire community, and we operate on a rule of personal respect. Oh, and no Nazis.

What Comes Next

My Twitter account will stay around. For a while.

I won’t be actively using it much as I’m trying incredibly hard to force myself to cut the “crack” Sean introduced me to out of my life. I will interact with these communities primarily through Mastodon.

If you DM me or @-message me on Twitter, I’ll see it. It just might take me a few days (or weeks) to respond. If you contact me through Mastodon I’ll be as responsive as I used to be. Remember, it’s becoming my primary tool.

Blog posts will still auto-publish tweets for now. I might still cross-post meaningful content at intervals. But, come 2019, I will archive and remove my Twitter account.

Said another way, I will be removing my Twitter account on December 31, 2018. All new content and interactions will take place on Mastodon.

I invite you to join me!

There are a lot of Mastodon communities out there. Find one that fits you and join the conversation. Together, we can own our content. Together, we can have engaging conversations. Together, we can build a network like Twitter used to be. Like Twitter should have been. The network and community we deserve.

I’m on Mastodon. Are you?

Notes:

  1. I know it’s fed my content into others’ feeds as well. I once “liked” a racist tweet by a former colleague so I could draft a cohesive response later … someone took my action to be agreement and endorsement of their position. My mistake using the tool in such a way. Twitter’s mistake in conflating my bookmarking of content with endorsement.
  2. I’ve had my account locked once in the past year for no reason whatsoever. Twitter claimed I’d violated a rule, but refused to clarify which rule or how I violated it.

System76 Oryx Pro – First Impressions

by 12 Comments

The past few weeks have been exciting! I recently purchased the new Oryx Pro by System76 and have been absolutely loving the new machine. Here are some photos and first thoughts from my setup experience.

Unboxing

First and foremost, it took a bit longer for my machine to arrive than I’d expected. I was one of the early pre-orders for the new machine, so the build took a while and shipping added a few days after that. This all being said, I am ecstatic about the build quality and the level of support I received even before my laptop arrived!

System76 Shipping Box

Several people had tried to warn me away from the new machine given the laptop’s size. When I got the box from UPS, I was … a bit worried they were right. It was huge.

The shrink-wrapped laptop inside an oversized shipping box.

But the laptop itself wasn’t nearly as large as the box. I was intrigued by this innovative packaging (though I’m sure System76 aren’t the only ones who use it). The laptop was undamaged and dwarfed by the shipping box. All of that extra space ensured nothing would jar the machine in transit.

  • Side-by-side with my Mac at work.
  • The Oryx Pro is just a tiny bit larger.
  • The Oryx Pro is just a tiny bit thicker.
  • That display finish reduces both glare and reflection. Major wins for working remote!

I had shipped the machine to my office so I didn’t have to worry about it walking away from my front door had I shipped it home. This had the added benefit of allowing me to do some side-by-side comparisons with my existing 15″ Retina MBP.

Yes, the Oryx Pro is a bit larger than the MBP. But not by much. Considering how much more power it’s packing under the hood (my MBP was one of the last models not to feature a separate graphics card), I’m not surprised. I’m happy with the built-in 10-key on the keyboard, and the matte finish on the display reduces glare and reflection when I’m working in oddly-lit environments.

The Oryx Pro is also lighter than the Mac. It’s a noticeable difference.

Setup

It was a challenge, but I managed to delay actually booting the machine until I got home. The setup was … just like what I’d expect from a Linux machine.

Standard Linux boot screen.

I was impressed by how quickly pop_OS! booted – and the backlit gaming keyboard wasn’t a bad addition, either.

pop_OS! installation start screen.

I’ve installed various flavors of Linux on various machines over the years. The installation always feels a bit rough, but pop_OS! felt much more like the friendly Windows/Mac first-boot experience many consumers would recognize. It walked me through language settings, wireless configuration, then was off to the races on its own. Except for the initial scrolling-shell boot screen, it didn’t feel like a “hacker setting up Linux” installation.

pop_OS! home screen

Installation was remarkably fast and had me using the computer in less time than it took for me to write this intro post. I enjoy the super clean home screen look, but it did take me a second or two to figure out how to find the app launcher. The “Windows Key”/”Command Key” workflow we know and love from Windows/Mac has bled over to the Linux world with a “Launcher Key.” I’m OK with that.

First Thoughts

The first software I installed included a browser (Firefox), email client (Thunderbird), my dev IDEs (IntelliJ and friends), and Docker. I took things a few steps further and set up Python with Tensorflow so I can work on some hobby machine learning projects.

My only gripes with the machine are related to the above:

  • The graphics card is new enough, and the pop_OS! CUDA support modern enough that I had to downgrade a few things to get Tensorflow to even compile. This wasn’t too much of an issue, but makes following “just install X” tutorials a bit useless.
  • The system doesn’t seem to ship with any video decoders by default. I had to install a couple of my own in order to stream from Amazon (as DRM-protected media needs special support)
  • The battery life while using the NVIDIA graphics card is sub-par. It’s usable, sure, but this is more a “portable workstation” than a “keep it unplugged” laptop. On Intel graphics mode, the battery is super! Just need to keep in mind which mode you’re using, when.
  • The built-in fingerprint reader is disabled by default and requires some beta software to configure. I haven’t installed it yet – I’m lazy – but look forward to it. I just wish all of the hardware were immediately operable out of the box.

I also immediately customized the home and lock screen graphics. I like the “unleash your potential” slogan, but the solid, non-gradient color schemes make the machine feel … old. I’ve used Ubuntu (both server-side and on the desktop) for ages and the solid full screens of orange and blue just feel unpolished and unprofessional. This is definitely a polished and professional machine, so it needs a modern look.

I’ve installed at least one game (Minecraft) and the play experience is incredible! I’ll be setting up Steam later for even more playtime. Writing on the rig is fantastic. The integration with 1Password is a bit rough, but their new 1Password X extension for Firefox makes things work smoothly. I also configured my Yubikey for use as both a GPG/SSH smartcard and a U2F security token – I had to customize some system interfaces to get U2F support, but this is well-documented on Yubico’s website.

At the end of the day, almost every problem I had was solved by reminding myself “this is a Linux system, I know this” and donning my sysadmin hat to find the right file and install the right software. I absolutely love this new machine.

If you work in software or manage linux machines in the cloud, I’d encourage you to take a look at System76 for your next personal machine. It’s head and shoulders above the rest of the field. You won’t be disappointed.

Configuring Yubikeys, GPG, and Keybase

by 2 Comments

Rather than use GPG and SSH keys housed on individual machines, I embed my GPG private keys on Yubikeys by default. This allows me to keep my keys somewhat portable (i.e. I can use them on multiple devices) while preventing my keys from leaking if anyone accesses my machine without my permission.

This is the same workflow I use with my team to enforce various cryptographic controls with our projects. A specific encryption key manages email encryption and access to git-crypt-protected credentials. A signing key manages email and Git commit signing. A separate authentication key manages SSH access.

It’s a strong way to protect our identities within the various tools we use, and one I recommend for just about any development team. To that end, a version of this article appeared in the March 2018 issue of php[architect], and I have an even longer version I distribute in person to developers.

Setting up your Yubikey

The goal of this walkthrough is to help you configure your GPG identity and port your keys to a secure hardware token – I recommend a Yubkey 4 (as it supports 4096-bit RSA keys). You can also use a Yubikey Neo, but this will only work with 2048-bit keys.

The basics we’re going to set up:

  • A 4096-bit master key that will be kept offline
  • A revocation certificate that will also be kept offline
  • 4096-bit sub-keys for encryption, signing, and authentication
  • Publication of keys to Keybase and other directories
  • Automatic signing of Git commits with the GPG key
  • Configuring gpg-agent to act as ssh-agent for remote access

I’d love to recommend everyone use the newer elliptic curves available in GPG as they’re powered by Libsodium and rapidly becoming a new industry standard. Unfortunately, the Yubikey hardware doesn’t yet support this family of cryptography, so we’ve got to stick with battle-tested RSA for now. Using a 4096-bit key size with RSA gives us equivalent protection to a 256-bit elliptic curve key, so it’s “good enough” for the moment.

Installing GPG

The following instructions require some format of GnuPG installed locally to behave. On Mac, this is as simple as running:



$ brew install gnupg2

On Windows, this requires installing GPG4Win.

If you’re running things on Windows, I’d highly recommend you reference Scott Hanselman’s amazing walkthrough as well. The instructions that follow are more targeted towards *NIX environments, but Scott’s article deals with some of the various edge cases that might pop up during Windows use.

Once installed, you can use either gpg2 or gpg from the command line to interact with the system (I’ll use gpg2 below as it refers explicitly to the version of GPG we just installed).

Creating the Keys

Master Key

To begin generating keys, start with:



$ gpg2 --full-generate-key

On the menus that follow:

  • Select (4) RSA (sign only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case
  • Set your real name
  • Use your email address
  • Leave the comment blank
  • Use a strong passphrase – but make sure it’s easy enough to remember/type (you’ll need it later)

Make a note of the generated key fingerprint and key ID. The key ID will be used in subsequent steps.

Sub-keys

Start adding sub-keys by editing the key we just created. Make sure to substitute your real key ID when you see KEYID in the steps that follow:



$ gpg2 --expert --edit-key KEYID



$ addkey

On the menus that follow:

  • Select 4 – RSA (sign only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ addkey

On the menus that follow:

  • Select 6 – RSA (encrypt only)
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ addkey

On the menus that follow:

  • Select 8 – RSA (own capabilities)
  • Press s to toggle signing
  • Press e to toggle encryption
  • Press a to toggle authentication
  • Press q to save settings and create an auth-only key
  • Set keysize to 4096 bits
  • I typically set expiration to infinity (0) – use a reasonable value for your use case

Make a note of the generated fingerprint and key ID.



$ save

Publishing the Keys

If no one has your public key, they can’t verify your identity. Upload your public key to a keyserver with:



$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-key KEYID

If you’re using Keybase, you can also add your key quickly with:



$ keybase pgp select --multi

Then select the appropriate key.

Add Additional Identities

It’s often more trouble than you care to deal with to manage multiple identities and keys. Instead, it’s easier to add secondary identities to the key we created above (i.e. your personal and professional email addresses). For example, my keys are bound to all of my online identities to make it easier for people to find me.

If you need to use GPG keys for personal emails/identities as well, you can add them with the following steps:



$ gpg2 --expert --edit-key KEYID



$ adduid

On the menus that follow, provide your real name, your email address, and an optional comment. You can add as many secondary IDs as you need. Once you’re done, commit the changes with:



$ save

Generate a Revocation Certificate for the Master Key

If your keys are ever compromised, you will need to revoke them with the public keyserver. Remember, if you lose your private key there is no way to revoke a key from the server so keeping a revocation certificate is a necessary step to proactively protect your security.

Generate the key easily with:



$ gpg2 --output KEYID.asc --gen-revoke KEYID

Specify the revocation reason that “key has been compromised” and store the generated certificate in a safe, secure, and preferably offline location. You might not ever need this certificate, but if you do having it in a trustworthy place is critical.

Transfer Keys to the Yubikey

Configuring the Yubikey

The Yubikey ships with two default PINs, one for administrative use and one for daily use (i.e. unlocking your key for signing/decryption).

  • Default PIN = 123456
  • Default Admin PIN = 12345678

We need to change both of these to non-default values:



$ gpg2 --card-edit



gpg/card> admin



gpg/card> passwd

First change the PIN (remember it needs to be 6-digits long).

Now change the Admin PIN (needs to be 8-digits lon)

Press Q to save and quit the password menu. Type quit and press enter to exit the card editing screen.

Export Backups

Exporting your secret key to a backup is vital if you ever need to recreate your Yubikey for any reason. Preferably, this storage location is encrypted and offline (i.e. an encrypted USB stick) and in a safe, secure location.



$ gpg2 -a --export-secret-key KEYID >> /some/secure/location/KEYID.master.key



$ gpg2 -a --export-secret-subkeys KEYID >> /some/secure/location/KEYID.sub.key

I have two Yubikeys configured with the same keys. One is the primary I use day-to-day, the other is a backup in case of emergency. By exporting your keys, you can re-import a key to another Yubikey if necessary.

You won’t likely need the backed-up subkeys any time soon, but if you ever want to sign someone else’s keys you’ll need the master key to do so. It’s a good idea to not keep your master key available – think of it like root access to your identity. Instead, using your master key should require intentionality – like getting something out of a vault across town.

It’s incredibly powerful; you should take care to protect it.

Actually Transfer the Keys

If you have other keys stored on your Yubikey, the following steps will overwrite them. It is impossible to extract a key from a Yubikey once it is there, so the previous step of exporting backups is vital if you ever need to recover a lost key or recreate your Key.

The following steps assume you created subkeys in the order specified above (signing first, then encryption, then authentication). If you followed a different order, your selections below might vary.



$ gpg2 --edit-key KEYID



gpg> toggle



gpg> key 1



gpg> keytocard



Please select where to store the key: 1 (Signing)



gpg> key 1



gpg> key 2



gpg> keytocard



Please select where to store the key: 2 (Encryption)



gpg> key 2



gpg> key 3



gpg> keytocard



Please select where to store the key: 3 (Authentication)



gpg> save

Once your keys are exported to the Yubikey they will no longer be present on your machine. Be sure to remove your master key (assuming it’s properly backed-up) as well to make sure your machine is safe.

Configure GitHub Commit Signing

Export a Public Key

To export the public signing key for use with GitHub, merely ask GPG to export it to a file (the key will have ASCII armor so it will remain human-readable):



$ gpg2 -a --export KEYID > KEYID.asc

Configure GitHub

  • Log in to GitHub
  • Go to your settings by selecting Settings from the dropdown by your avatar
  • Select SSH and GPG keys
  • Add a new GPG key, coping in the ASCII armored text exported in the step above

Configure Git

Adding a default signing key is straight-forward. Merely run:



$ git config --global user signingkey KEYID

This sets your key, but commits will not be signed by default (you must manually specify -S when committing to sign). To sign by default, run the following:



$ git config --global commit.gpgsign true

From this point forward, every commit you make will be signed with your GPG key (and will appear as “Verified” on GitHub). This has the advantage of proving that you and only you authored the commit (i.e. no one spoofed your identity in the commit logs).

Verified commit

GPG commit signature on GitHub

If for any reason you want to create an unsigned commit, add –no-gpg-sign in the command line when authoring your commit. This is useful if you’re working remotely and temporarily lack access to your Yubikey.

Configure SSH Authentication

SSH will still use your default id_rsa.pub key for authentication at this point. We have to tell the machine how to use GPG instead and, conveniently, GPG agent has a flag to do just that:



$ gpg-agent --daemon --enable-ssh-support --write-env-file ~/.gpg-agent-info

This command generates the environment variables necessary for SSH to use GPG for authentication and writes them to ~/.gpg-agent-info for future use. It’s easier, though, to add them directly to ~/.bash_profile for consumption with the following block:



# GPG Agent



if test -f ~/.gpg-agent-info -a -n "$(pgrep gpg-agent)"; then

  source ~/.gpg-agent-info

  export GPG_AGENT_INFO

  export SSH_AUTH_SOCK

  export SSH_AGENT_PID

else

  eval $(gpg-agent --daemon --write-env-file ~/.gpg-agent-info)

fi

This code will test for the file first and regenerate it if it doesn’t exist – if it does exist, it loads everything for you. From here on out, if you execute ssh-add -L to list out your loaded SSH keys, you will see one reported as an identity with your Yubikey’s card number instead of an email address or path name. If you want to grab your public key directly, run:



$ gpg2 --export-ssh-key SUBKEYID

Where SUBKEYID is the ID of the third sub-key you generated earlier. (This will often be the last key in the list if you run gpg2 --list-secret-keys as well.)

Next Steps

This walkthrough just covers the GPG features of your Yubikey. The hardware can also be used as a PIV card to house X509 certificates. It’s also a great 2FA device, supporting both OTP generation and FIDO’s universal second factor (U2F) spec.

I use my Yubikey daily to:

  • GPG-sign every email I send from my workstation
  • GPG-sign every Git commit
  • Authenticate to remote SSH servers
  • Encrypt/decrypt sensitive credentials on my machine
  • Respond to U2F challenges from services like GitHub and Gmail

How will you use your Yubikey?

Disclosure: SQL Injection in Cart66 Pro

by Leave a Comment

This vulnerability was reported earlier directly to both the Cart66 team and to Semper Fi Web Design (the maintainers of the GitHub clone). This post follows a 30-day responsible disclosure window.

Last month, a friend pointed me to the no-longer-in-development Cart66 Pro module for WordPress. The plugin ceased development about two years ago when the team moved to a hosted SaaS model, but it’s still available by way of a GitHub mirror for anyone still actively using the tool. Just one problem: it has some significant security holes.

Password Use

The first critical flaw in the plugin is the way protects it fails to protect user credentials. WordPress isn’t widely known for its strong stance on user password hashing, but at least leverages multiple hashing rounds and a random salt to prevent the creation of rainbow tables for brute forcing a login.

Cart66, however, uses a single round of MD5 hashing on the password. Without a cryptographic salt.

This fails to offer much protection at all on a user password. Further, MD5 is considered a broken hash and it’s relatively easy to use an aforementioned rainbow table to reverse from a hash to a user-specified string.

Considering how frequently end users reuse passwords, getting a copy of the unsalted single-round MD5 hashes from a Cart66 database would give any attacker a solid starting point for trying to steal a customers’ account elsewhere. Perhaps they reused the same password for PayPal? For another ecommerce site? For their email address?

The weak state of password hashing on Cart66 Pro-powered sites results in databases ripe for abuse if they can be stolen by a malicious party.

SQL Injection

Like all good ecommerce and marketing tools, Cart66 Pro presents an efficient way both to email customers and for customers to opt-out of receiving emails. Unfortunately, the opt-out mechanism is vulnerable to a somewhat trivial SQL injection vulnerability!

The opt-out system is powered by a WordPress shortcode. A WordPress administrator adds this shortcode to a standard post or page in WordPress, then visitors hit that page when they click an opt-out link in the footer of an email. PHP code running on the page will then extract certain query parameters from the URL to identify and flag the user as opted out of messaging.

One of these parameters is the customer’s email address (as that’s their primary identifier in the database). By default, the email address is passed as a Base64-encoded, URL-encoded parameter in the request.

For example, eric@thisisareallybadidea.com would be encoded as ZXJpYyU0MHRoaXNpc2FyZWFsbHliYWRpZGVhLmNvbQ==.

However, there is zero sanitization on this input. While a typical user would click a link in their email client, an attacker could craft their own URL with whatever parameters they want specified. Imagine instead that an attacker passed JTI3JTNCVFJVTkNBVEUrd3BfY2FydDY2X2FjY291bnRzJTNCLS0= as the email parameter in the request.

This decodes to ';TRUNCATE wp_cart66_accounts;--, which is obviously not an email address. To understand why it’s an issue, you have to understand that, after decoding the email parameter, Cart66 Pro passes the value directly into a SQL statement:



$itemsTable = Cart66Common::getTableName('accounts');

$sql = "SELECT id from $itemsTable where email = '$email'";

$id = $this->_db->get_var($sql);

Running through the interpolation, this will have the effect of running the following query directly against the WordPress database:

SELECT id from wp_cart66_accounts where email = '';TRUNCATE wp_cart66_accounts;--'

The first SELECT statement will obviously fail to match any accounts, but the second TRUNCATE statement will drop all account data from the database!

A well-armed attacker could also craft a request to insert arbitrary information into the database, manipulate the data already present, or even extract whatever contents they want from the WordPress database (including a list of all account logins and weakly-hashed passwords)!

If you are using Cart66 Pro and have not already patched this issue, please do so immediately as your database (and your customers’ information) is at risk!

Moving Forward

SQL injection attacks are one of the most prevalent in the open source software community. It’s incredibly easy to write insecure code and trust that the only inputs to our functions are legitimate. But every developer needs to occasionally put on their “how would someone break my code” hat and protect against the worst case scenario.

WordPress in particular has extensive documentation about how to properly prepare SQL statements to prevent this kind of injection attack. If you’re using WordPress and writing code that queries the database directly, use this approach to avoid a malicious party abusing your code to attack the platform.

If you’re writing PHP but not using WordPress, leverage tools like PDO that support prepared, parameterized statements to protect your code from abuse.

There is literally no excuse to not prepare your SQL statements in modern code. Anything less is reckless and opens not only your customers but also your business to attack and abuse. It’s worth it to take the time and do things right the first time. Security engineers will often find these issues in the wild and give you a head’s up; but usually a malicious party has already found and exploited the hole by then.

-~-

For more advice on writing secure PHP code, I’d encourage you to pick up a copy of my new book, Security Principles for PHP Applications. I’ll walk you through all of the updated OWASP Top Ten, and specifically through properly avoiding both SQL and other forms of injection attacks. It’s a great place to start to keep your project secure.

Introducing Secure Updates for WordPress

by 6 Comments

Skip to the announcement …

One of the earliest conversations I had in the WordPress community almost saw me immediately leave and never return. I’d released some code in a few plugins and was just finally starting to get ramped up as a (very sub-par) developer. I hung around on IRC, subscribed to the various mailing lists, and tried my hardest to learn, improve, and contribute. Then someone pointed out that I’d never internationalized my plugins. Then they proceeded to go on a rant about how any developer who didn’t internationalize their UI was doing a disservice to the community and was betraying their personal bias against and hatred towards non-English speakers. I was horrified. I came to the development world from marketing. I used Windows. I was very comfortable with graphical (often skeuomorphic) interfaces and could work my way around things easily with a mouse. I didn’t understand the command line. I barely understood code. It took me months (and several misfires) just to learn enough Subversion to get my plugins out in the first place. All of the tools for internationalizing a plugin were, at the time, heavy into a command line that I didn’t understand and couldn’t use. I took a break and, ironically, this experience is what started me blogging. My break let me get some distance and gave me the chance to connect with other developers who did understand the command line tools. They taught me things I didn’t know and I came back a much stronger dev. One of my most popular blog posts today is an old introduction I wrote for developers who wanted to use GUI tools to publish a WordPress plugin. Honestly, though, I wrote the walk through more to remind myself how to do things than anyone else … and that’s how I got started with most of my blogging work. A topic I’ve focused on more recently has been cryptography. More specifically, using cryptographic tools to ensure the integrity of various packages and messages. It’s a heady topic, and a lot of the tools available for end users are painfully focused on power users who fully understand command line utilities. I want to change this.

Code Signing

There’s been a lot of talk about the security of the WordPress updater. Primarily, the updater checks the MD5 hash of a package’s contents before proceeding to ensure its integrity, but that’s the only test it runs. Consider what might happen if a malicious party were able to somehow breach the WordPress.org update server and present their own download package. This could potentially inject malicious code onto more than a quarter of the Internet all at once! Considering such a breach has happened with a few plugins in the past, it’s not outside the realm of possibility. Now imagine if a hacker were able to drop themselves somehow between your server and the WordPress.org update system. Such an attacker could impersonate the updater and serve you whatever package they want. Your system wouldn’t know the difference. In the middle of last year, I said I was working on a solution to bring formal code signing to WordPress. I held off for a while because it looked like the WordPress community might bring this feature to core. That didn’t happen. So today, I’m proud to announce the release of DGXPCO: Digital Guarantees for eXplicitly Permitted Core Operations. This plugin integrates directly with the WordPress core updater and requires that any core package have a valid signature in order for installation. For the moment, I am personally signing the contents of every core package distribution and maintaining the collection of signatures in a separate repository that I serve through a secure CDN powered by Amazon Web Services. Every WordPress release includes both the core download fornew installations as well as “partial” upgrade packages for anyone coming from an older install. I’m signing all of these and keeping a record in one spot so that everything from new installs to partial minor updates to major updates can benefit from the added security of checking a signature. The signatures are leverage an Ed25519 public/private keypair and Libsodium to sign the files’ contents. I keep the private key offline, but have published the public key so everyone can keep an eye on things. This key will not change, and if anything is signed by a different key, you can be sure something is amiss. That public key, encoded in Hex, is 5d4c696e571307b4a47626ae0bf9a7a229403c46657b4a9e832fee47e253bc5b. Every commit to the release hashes repository is also signed with my personal PGP key so you can verify that I’m the one who added the new code.

Next Steps

Is this fool-proof? Probably not. It is, however, a huge step forward in terms of WordPress security. There’s quite a bit more we can do, and I want to outline some of my grand plan here. The first release of the plugin checks signatures upon update only, but WordPress will still tell you about an update even if the signature check fails. The next release will not even surface an update unless a signature is available. At the moment, this plugin only secures WordPress core updates. A future release will also secure plugin updates as well, in an opt-in fashion. I’ll start by securing my own plugins as a proof of concept, then allow for other developers to opt-in to the stronger security moving forward. Today, I am the only one allowed to sign release packages. This is OK for the short term, but is not a sustainable model. As I prove out the update system, I’ll also begin adding sets of public keys that are scoped to specific sets of packages. This will, for example, allow me to whitelist a small number of trusted developers to also sign core packages. It might also empower plugin developers to sign their own releases (but not anyone else’s). At the end of the day, I’m looking now for feedback. We don’t have this functionality in WordPress core yet, but DGXPCO is evidence that we can add it. We should add it. So let’s work on the feature together. As I mentioned in my initial post last year, if you want to help with this endeavor, please let me know! If you want to contribute financially,donations are always gladly accepted. This is the first project I’m launching under the name of my new WordPress-related business, Displace Technologies, LLC.