Scott Arciszewski sarciszewski

@sarciszewski
sarciszewski / install-libsodium.sh
Last active July 15, 2016 08:52
Install libsodium-1.0.2 and PECL libsodium on Ubuntu 14.04
#!/usr/bin/env bash
# Versions to build: PECL libsodium extension and the libsodium library itself
PECLVER="0.1.1"
LIBSODIUMVER="1.0.2"
# Installing system-wide requires root privileges
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
@sarciszewski
sarciszewski / README.md
Last active February 16, 2016 22:49
PRNG Benchmarks

In response to some people claiming that using a CSPRNG is "going way overboard" and/or is "overkill", I've written this test to verify the performance impact of using a CSPRNG versus their insecure mt_rand()-based hacks.

I think the results are conclusive (at least on my device): a 50% speed increase, in addition to less-predictable randomness.

If anyone would like to suggest a benchmark script (or conditions that lead to different results with mine), let me know and I will link to them here.

@sarciszewski
sarciszewski / README.md
Created March 8, 2015 05:50
Twig 2.0 without Composer

Your mileage may vary, depending on how you set up the directory structure.

@sarciszewski
sarciszewski / README.md
Created March 8, 2015 09:58
Underhanded Crypto Contest Entry

Explanation

You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).

Because password_verify() is also defined in the namespace Framework, any call to password_verify() made from within the Framework namespace that is not preceded by a backslash is resolved by PHP's default rule: look in the current namespace first, and only then fall back to the global namespace. No warning is emitted, so the namespaced function silently shadows the built-in.

That is, PHP will try the following, in order:

  1. \Framework\password_verify()
@sarciszewski
sarciszewski / PasswordLock.php
Last active August 29, 2015 14:16
Bcrypt + AES
<?php
namespace Sarciszewski\Gists;

/**
 * This is a proof of concept code! DO NOT USE THIS!
 */
class PasswordLock
{
    // Hard-coded, hex-encoded AES key (proof of concept only)
    const KEY = '4ff556f7b1db2dd95906c21a45ef00344abdb38934450263ee7a908facc05070';
@sarciszewski
sarciszewski / _original.php
Last active August 29, 2015 14:17
Raymond Benc (moxi9 - PHPFox) - PHP Sadness
/**
 * Found in static/ajax.php
 */
/* ... */
$sUserProfileImage = Phpfox::getLib('image.helper')->display(array_merge(
    array('user' => Phpfox::getService('user')->getUserFields(true)),
    array(
        'path'       => 'core.url_user',
        'file'       => Phpfox::getUserBy('user_image'),
        'suffix'     => '_50_square',
        'max_width'  => 50,
        'max_height' => 50
@sarciszewski
sarciszewski / README.md
Created May 30, 2015 04:25
A Crusade Against Bad Code

Aniruddh Agarwal blogged "A short tour of PHP", and this is one of the negatives he identified:

Community: I know. I said that PHP's community was an advantage to it, but it is also a disadvantage, because of BAD CODE. Beginners are not taught the best practices and they go on to write bad code and distribute it, either as answers on Stack Overflow or similar websites or by blogging about it, which encourages other beginners to adopt those practices. There is a lot of misinformation out there, and it is very difficult to separate the good from the bad. This is perhaps the worst thing about PHP, because PHP is an entry-level language and people learning it are usually not aware of the best practices.

This is spot on!

The existence of BAD CODE being copied and pasted by newcomers is probably the biggest source of exploitable security vulnerabilities in the entire industry.

The biggest offenders are often the highest ranking search results on Google and other search eng