Thoughts on the PHP Core Breach
In summary: It’s complicated. I shared my thoughts on the path forward.
In my working life as a so-called “Senior Application Security Consultant”, I spend a lot of time breaking software, training development teams, and designing improved processes and tooling, all with the aim of making seriously critical systems more secure overall.
At work, our clients tend to be prominent companies that, on a large scale, play important roles in the lives of everyday people. I feel a great sense of purpose in the scale and impact of my work: In my own way, I do what I do because it helps people be safe. It’s a humbling role, one defined by a responsibility to both those clients and their users.
Anyways, I’m writing this post to direct people’s attention to an extremely in-depth and detailed writeup I produced on the PHP Core breach back in March of 2021. Check it out here:
In broad strokes, I cover the following topics:
- The end-to-end analysis of the breach itself,
- The PHP project’s threat model,
- The Linux Kernel developers’ threat model,
- The PHP project’s response to the breach, and why it’s inadequate,
- Git internals and PGP commit signatures,
- Zerodium & the role of economics in this breach (and supply chain attacks in general),
- and much more.
I put a whole lot of thought and effort into this, so I hope it’s both informative and thought-provoking. If you enjoyed it and want to share your thoughts, hit me up via email!