February 25, 2016

The beauty of security research

I was lounging around my PC and decided to have a look at the Full Disclosure mailing list. I was reading the subjects in the digests when I thought, "hey, I know that guy!" Long story short: CVE-2016-2212. You can read more about the bug here, but the crux is that the programmers wrote == instead of ===, causing PHP to behave differently from what they expected.
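As an added illustration (not code from the post or from the affected project) of the difference the bug hinges on: PHP's loose comparison coerces operand types before comparing, while strict comparison does not. The sample values and the helper function below are constructed for this example.

```php
<?php
// Loose comparison (==) applies PHP's type juggling: operands of different
// types, or two numeric-looking strings, are converted before being compared.
// Strict comparison (===) requires both type and value to match.
$cases = [
    ['0e123', '0e456'],   // both are numeric strings that evaluate to 0.0
    ['1e3',   '1000'],    // numeric strings are compared as numbers
    [null,    false],     // null coerces to false
    ['',      null],      // empty string coerces to null
    ['abc',   0],         // true on PHP 7 and earlier; PHP 8 changed this to false
];

foreach ($cases as [$a, $b]) {
    printf(
        "%-10s vs %-10s  ==: %-5s  ===: %s\n",
        var_export($a, true),
        var_export($b, true),
        var_export($a == $b, true),
        var_export($a === $b, true)
    );
}

// Hypothetical helper: the safe way to check a user-supplied value against an
// expected secret. hash_equals() performs a timing-safe comparison of two
// strings and never coerces types, so a string that merely "looks equal"
// under loose comparison does not match.
function matches_expected(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Constructed sample values: the loose check says these are equal, the strict
// check does not.
var_dump('0e123' == '0e456');                     // bool(true)
var_dump(matches_expected('0e123', '0e456'));     // bool(false)
```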

I think this is half the programmers' fault and half the language's. Whoever designs a language should expect their users to be averagely stupid, especially if the language is easy to adopt.

This episode reminded me of PHP: a fractal of bad design, a PHP rant that I reread from time to time. Googling that title also turns up a few interesting responses to the article.

It also made me think about the beauty of security research, where a single small detail can change the behavior of an enormously complex system, and you have to think through every detail of what the code is doing. :) A nice exercise in understanding.

So, kudos to Egidio, and to all of us: keep up the good code, hopefully in a good language.