Most people tend to agree that we live in interesting times. I believe this is, fundamentally, a good thing. For me, the past year was freckled with occasional downtime and lulls in activity (not to be confused with lulz in activity, although one tends to cause the other), but as the year went on these days became fewer in number. (Hence why I haven't updated this blog very much.)
In February, we learned that EC-Council is incompetent and Certified Ethical Hackers should be regarded with skepticism. Not long after that, I got around to posting my article that was published in 2600. In April, I highlighted why Your Digital File is snake-oil that nobody should trust. In July, Sebastian Bergmann decided to school every other PHP project on the Internet by immediately adopting asymmetric cryptographic signatures in their setup instructions when I complained. As the year drew to a close, I turned a critical eye towards the bad security advice spewed by White House Cybersecurity advisor Michael Daniel.
Of course, it wasn't all fun and games. In May, We Live Security decided their reputation needed to be knocked down a notch or two, so they published vapid rhetoric and libel that could have been easily debunked by 5 minutes of research. Ethics in journalism has become somewhat of a meme this year.
Behind the scenes, there has been a lot of good and a little bit of bad.
GOOD: The people who maintain Composer are finally working with me to abolish their curl | php abomination and move towards code-signing.
GOOD: On a similar note, WordPress's auto-updater will soon be fitted with RSA signature verification (facilitated through OpenSSL).
GOOD: Andrey Andreev of the CodeIgniter development team wrote a new encryption library and removed cookie-based sessions for CodeIgniter 3.
GOOD: Onionimbus development has resumed. I know a handful of people were looking forward to it, and many more will probably come to love it when it's ready for release.
GOOD: Most of the other issues I reported to various GitHub projects ended happily ever after.
Anyone who follows me on Twitter might be expecting me to highlight some of the drama that has taken place over the past year: from hordes of technologists suddenly realizing that Andrew Auernheimer is a white nationalist, to Randi Harper's recent war on skeptical inquiry as a basis for personal opinion, to GamerGate's idiotic obsession with Zoe Quinn, or any of the other hundreds of microcosmic controversies that have taken place. The meme of the past year has been, "How do we make the technology industry more welcoming towards women?" followed by widespread backsliding because the Tumblr feminists, in service of their addiction to feelings of vindication, have created an echo chamber for themselves. A pessimist might view 2015 as the year that morons who believe there ought to be a "Right to Not Be Offended" finally assassinate what little hope there is for our species as critical thinkers.
But I'm a programmer, not a social scientist, so let's focus on the exciting stuff instead!
- Adam Caudill has started the development of an Encrypting Camera app to help journalists in hostile environments. I suggest that everyone keep an eye on this project and contribute a little if you can.
- I already plugged Onionimbus above.
- LibSodium has arrived in PECL and will hopefully be available in the stable channel early 2015.
- PHP 7 is likely to remove support for libmcrypt, which has been collecting dust since 2007, possibly in favor of shimming OpenSSL. This means PHP 7 applications will have faster and better-studied cryptography implementations (e.g. ones that leverage AES-NI for fast and cache-timing-resistant symmetric cryptography).
2015 has the potential to be a very good year for application security. Let's make sure this isn't wasted.