
Facebook's Hack programming language builds code safety into PHP

Friday, 21 March 2014

Hack pairs PHP's ease with the safety controls of older languages like C++

Facebook has released a programming language called Hack, which marries the ease of PHP with the rigorous safety controls of older languages such as C++.
PHP programmers should easily understand Hack, which replicates many of the same features and functions of PHP, and adds a few of its own for greater productivity, said Bryan O'Sullivan, a Facebook engineer on the project.

Over the past year, Facebook has converted nearly all of its PHP code base, which makes up the core of its website, to Hack.
In creating Hack, Facebook took an approach that was similar to Microsoft's with TypeScript, which is basically a superset of JavaScript that, like Hack, adds static typing.
Both projects set out to strengthen a popular dynamic programming language so it can be more easily used by large software teams to design mission-critical applications.
Individuals would also benefit by using Hack, O'Sullivan said, both in terms of increasing performance of their websites and improving the overall quality of their code.
Hack requires Facebook's HHVM (HipHop Virtual Machine) to run. HHVM is a virtual machine that compiles PHP, normally an interpreted language, into byte code so that it runs more quickly.
Hack is basically an extension of the PHP language with built-in static typing, a feature found in more traditional programming languages such as C/C++ and Java, O'Sullivan said.
Many of the newer Web-oriented programming languages, such as PHP and JavaScript, do not have static typing, hence they are referred to as dynamically typed languages. With dynamic typing, "there is no explicit information in the source code that describes what kind of information the program is dealing with," O'Sullivan said.
In contrast, static typing requires the programmer to define the data type of each variable before the program is compiled or run. Though it takes extra work to implement, static typing prevents the run-time errors that occur when the wrong data type is passed into the program, whether from human input or from another program.
"There are certain kinds of errors and crashes that can occur," if the programmer is not careful about what data is assigned to variables, O'Sullivan said. "These latent errors can hide for a long time in dynamically typed languages."
The HHVM virtual machine has a built-in type checker to ensure that all of the typed information is correct. Hack even allows the programmer to define unique data types.
"Syntactically, Hack is very close to PHP. We allowed it to be possible to run PHP and Hack code side-by-side so you can gradually convert your language codebase from PHP to Hack," O'Sullivan said.
Certain deprecated PHP features, however, are not supported in Hack, and neither are a handful of features that don't work well with static typing.
Hack also comes with a number of additions not found in PHP. One is Collections, a way to create arrays with more nuance than the array function offered by PHP itself, O'Sullivan said.

Hack also eases the use of closures through the use of Lambda expressions. Closures, which were added to Java 8, "make it easy to succinctly write fairly complicated data transformations," O'Sullivan said.
Hack's Lambda expressions provide a way to create closures "with a fewer number of keystrokes, which is a big win for productivity," he said.
Facebook has supplied a number of text editor plug-ins on the Hack website to help coders write in the language, though the company is hoping volunteers will build a few more elaborate ones.
O'Sullivan didn't reveal any specific plans to offer the Hack augmentations back to the keepers of PHP, though he did note that the company plans to "work closely with the open-source community" to further develop the language.

Researchers pocket record $400K at Pwn2Own hacking contest's first day

Thursday, 13 March 2014

Internet Explorer, Firefox, and Adobe Flash and Reader are the first technologies to fall at the convention; Safari and Chrome are today's targets


Researchers on Wednesday cracked Microsoft's IE11 (Internet Explorer 11), Mozilla's Firefox, and Adobe's Flash and Reader at the Pwn2Own hacking contest, earning $400,000 in prizes, a one-day record for the challenge.
Pwn2Own continues today, when other teams and individual researchers will take their turns trying to break Apple's Safari and Google's Chrome.

A team from Vupen, a French vulnerability research firm and seller of zero-day flaws to governments and law enforcement agencies, ended Wednesday $300,000 richer, having hacked Adobe Flash, Adobe Reader, Firefox, and IE11 for a one-day foursome, another record.
Firefox was victimized a total of three times in just over six hours, once by Vupen and then two more times by researchers Mariusz Mlynski and Jüri Aedla, with each winner picking up $50,000 for their exploit.
Although Pwn2Own was originally going to offer cash prizes only to the first who hacked each target, the contest organizer, Hewlett-Packard's ZDI (Zero Day Initiative), changed the ground rules on the fly, saying early Wednesday that it would pay for all vulnerabilities used by the contestants.
With that move, ZDI, a bug bounty program that's part of HP's TippingPoint division, said it and co-sponsor Google -- the latter pitched in 25 percent of the prize money -- would end up paying more than $1 million if all 15 entrants, another record, were successful.
Wednesday's efforts were impressive in their own right, with each scheduled target falling to researchers within five minutes. Contestants come to Pwn2Own with zero-day vulnerabilities and exploits in their pockets, and do not find the bugs and craft attack code on-site.
"All the exploits were unique in their own way," said Brian Gorenc, manager of vulnerability research for ZDI, in an interview after the conclusion of Pwn2Own's first day. Gorenc declined to single out the most impressive or elegant exploit. "It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities."
A "sandbox" is an anti-exploit technology deployed by some software -- Internet Explorer, Flash and Reader all rely on sandboxes -- that is designed to isolate an application so that if attackers do find a vulnerability in the code, they must also circumvent, or "escape," the sandbox to execute their malicious code on the machine. Sandbox escapes typically require chained exploits of two or more vulnerabilities.
The day's total of $400,000 nearly matched last year's Pwn2Own two-day payout of $480,000.
Vupen kicked off the day by hacking Adobe Reader, winning $75,000 for the feat.
"We've pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw). Exploit reported to Adobe!," Vupen said on its Twitter account.
Next up was IE11 on a notebook running Windows 8.1, Microsoft's most-current operating system. "We've pwnd IE11 on Win 8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox," Vupen announced on Twitter after grabbing $100,000 for the hack.

"Use-after-free" is a term for a type of memory management bug, while "broker" is the label for the part of the sandbox that acts as the supervisor for all protected processes. A flaw in a broker, as Vupen demonstrated, can have catastrophic effects, letting a hacker escape the sandbox and execute attack code.
Vupen also exploited Adobe Flash and Firefox, Mozilla's open-source browser, winning prizes of $75,000 and $50,000, respectively.
Mlynski and Aedla each won $50,000 for hacking Firefox. Gorenc confirmed that the three Firefox attempts exploited different vulnerabilities.
Both Mlynski and Aedla are experienced researchers: Mlynski has reported several Firefox vulnerabilities to that browser's security team, while Aedla earned more than $10,000 in bug bounties by submitting numerous Chrome flaws to Google in 2011 and 2012.
TippingPoint and its ZDI bounty program have sponsored or co-sponsored Pwn2Own since its 2007 inception. After researchers hand over the vulnerabilities they used to hack targets -- and their exploit code -- ZDI confirms the results, then passes the information to the pertinent vendors, which all had representatives on-site, ready to jump on patching.
"I think we hit it out of the park this time," said Gorenc of ZDI, referring to how smoothly Pwn2Own ran Wednesday. "We gave the contestants 30 minutes each, but most of them demonstrated their exploits within minutes, all within five minutes, and then used the remaining time to go to the disclosure room where vendors waited."
Before Pwn2Own kicked off at noon PT Wednesday at CanSecWest -- the Vancouver, British Columbia, security conference that has hosted the contest for the last eight years -- ZDI and Google sponsored a new challenge, dubbed "Pwn4Fun," where the two sponsors raised $82,500 for the Canadian Red Cross by presenting vulnerabilities and exploits of their own.
The Google team cracked Apple's Safari at Pwn4Fun, while ZDI presented a multi-exploit hack of IE11 and disclosed six additional Internet Explorer vulnerabilities that its own researchers had found over the last two weeks, said Gorenc.
Some had taken to Twitter over the last week to criticize Google and ZDI for Pwn4Fun, arguing that because the two teams had "banked" vulnerabilities to use in the charity drive, they were being hypocritical by not immediately informing the vendors -- Apple and Microsoft in this case -- of the bugs.
But Gorenc defended Pwn4Fun. "We made the browsers safer [with Pwn4Fun], and we're excited about that," Gorenc said.
Pwn2Own continues today, with Vupen and several independent researchers slated to tackle Apple's Safari and Google's Chrome, as others take additional attempts at Adobe Flash, Firefox and Internet Explorer.
Among today's scheduled contestants is George Hotz, also known as "geohot," a noted iPhone and Sony PlayStation 3 hacker, who will try his hand at breaking Firefox. Hotz has participated in previous Pwn2Own challenges, including last year's, where he exploited Adobe Reader for a $70,000 prize.
Also yesterday, Google ran its own one-day "Pwnium 4" contest at CanSecWest, pitting researchers against Chrome OS, the browser-based operating system that powers Chromebook laptops. According to a company post on Google+, one researcher successfully exploited Chrome OS on an HP Chromebook 11, winning the notebook and a $150,000 prize.
"We'll be considering partial credit for a second researcher working on the same platform," Google wrote, adding that it would publish a longer recap after CanSecWest concludes on Friday.
ZDI has posted a brief description of the results on its website.
"This is a first for the white hat market," said Gorenc of the first day's total awards of $400,000. "Over two days, we'll probably pay out over a million dollars for responsibly disclosed vulnerabilities. We're excited to do that."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Hackers allegedly hit Mt. Gox CEO's blog, post balance of remaining bitcoins

Monday, 10 March 2014

Hackers claim internal records show Mt. Gox has more bitcoins than it claims it lost



Hackers attacked the personal blog of Mt. Gox CEO Mark Karpeles on Sunday and posted what they claim is a ledger showing a balance of some 950,000 bitcoins based on records they obtained from the defunct exchange for the virtual currency.
They said the sum contradicts Mt. Gox's claim in a Japanese bankruptcy protection filing Feb. 28 that it had lost about 850,000 bitcoins.
Neither Karpeles nor Mt. Gox officials could immediately be reached to verify the claims.
Karpeles has maintained a low profile since the filing in Tokyo District Court. Mt. Gox, which pulled the plug on its website three days before the court filing, had announced that about 750,000 customer bitcoins it held are missing along with 100,000 of its own bitcoins and $27.3 million in customer deposits.
Karpeles' blog was titled "Magical Tux in Japan -- Geekness brought me to Japan!" Karpeles, who is French, often used the nickname "MagicalTux" when posting on public message or chat forums. His blog went offline on Sunday shortly after it was attacked.
Karpeles did not immediately answer a query sent to his personal email address.
The attackers claim to have obtained database records containing transaction details from Mt. Gox. They wrote that they had purposely withheld users' personal data. Mt. Gox had as many as 1 million customers as of December.
The data included a screenshot of what appears to be an internal SQL database administration tool, Karpeles' CV, and a Windows executable called "TibanneBackOffice," among many other files. Mt. Gox is a subsidiary of Tibanne, a company owned by Karpeles.
The release of the data adds to the mysterious circumstances around Mt. Gox, which at one time was the largest exchange for buying and selling bitcoin.
Mt. Gox's demise has enraged its out-of-pocket customers as efforts continue to derive clues from bitcoin's public ledger, called the blockchain, that might indicate the fate of its virtual currency holdings.
Mt. Gox in part blamed a security issue called transaction malleability for its bitcoin losses. In some instances, transaction malleability can allow an attacker to manipulate transaction identification numbers in order to steal bitcoins.
The long-known security problem is being addressed by the custodians of bitcoin's core software who've said it is usually only an issue if a bitcoin exchange has not coded its own software correctly.
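The point the core developers are making, as an added example that is not from the article or from any exchange's software: a transaction's id is a hash over the whole transaction, signature encoding included, so a relay can change the id without changing which coins are spent or who is paid. All transaction data below is constructed, and the serialization is a simplified stand-in for Bitcoin's wire format; the comparison is between accounting keyed on txid and accounting keyed on what was actually spent and paid.

```python
import copy
import hashlib
import json

# Constructed toy withdrawal: one input (the coin being spent) and one output.
# The real wire format differs, but the key property is the same: the txid is a
# hash over the whole transaction, signature encoding included.
SENT_TX = {
    "inputs": [{"prev_txid": "ab" * 32, "vout": 0,
                "scriptSig": "3045022100" + "cd" * 32}],  # constructed signature bytes (hex)
    "outputs": [{"address": "1CustomerAddrConstructedExample", "value": 100000000}],
}

def txid(tx):
    """Double SHA-256 of the serialized transaction, as Bitcoin derives its ids."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def malleate(tx):
    """A relay-side rewrite of the signature encoding only: same coins spent,
    same recipient, same amount, but a different txid once mined."""
    m = copy.deepcopy(tx)
    m["inputs"][0]["scriptSig"] = "00" + m["inputs"][0]["scriptSig"]
    return m

def spends(tx):
    """The outpoints a transaction consumes; unaffected by signature rewrites."""
    return sorted((i["prev_txid"], i["vout"]) for i in tx["inputs"])

def pays(tx):
    """The (address, amount) pairs a transaction creates."""
    return sorted((o["address"], o["value"]) for o in tx["outputs"])

def naive_reconcile(confirmed_txids, sent_tx):
    """Fragile accounting keyed on txid: a malleated confirmation looks like a
    failed withdrawal and invites a second payout of the same funds."""
    return "confirmed" if txid(sent_tx) in confirmed_txids else "resend"

def robust_reconcile(confirmed_txs, sent_tx):
    """Match on economic effect. Once the spent outpoints are confirmed, the
    original can never confirm as well, so nothing should be resent."""
    for c in confirmed_txs:
        if txid(c) == txid(sent_tx):
            return "confirmed"
        if spends(c) == spends(sent_tx) and pays(c) == pays(sent_tx):
            return "confirmed-malleated"
    return "pending"
```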
Meanwhile, intense efforts are underway to analyze the blockchain to figure out where large stashes of bitcoins once held by Mt. Gox may have been transferred.
The blockchain records the movement of bitcoins from a user's public bitcoin "address" or "wallet," which is a 32-character alphanumeric string. It is possible, for example, to attribute addresses to a person or company based on past transfers.
Adam Levine, who writes a blog dedicated to bitcoin, investigated Mt. Gox's bitcoin balances along with four colleagues. The group found two addresses, one with 90,000 bitcoins and another with 200,000, that may belong to Mt. Gox.

In a phone interview last week, Levine said those two stashes were found by analyzing a transaction Karpeles made in 2011 when Mt. Gox was pressured to prove the company was solvent.
At that time, Karpeles is believed to have moved just over 424,242 bitcoins between two Mt. Gox addresses. Since the transaction was recorded in the blockchain, it would ostensibly be proof that Mt. Gox had the bitcoins.
Levine, who wrote about their findings, cautioned though that their conclusion may not be accurate. There is a lack of technical tools for deep analysis of the blockchain that could make it easier to reach more definitive conclusions, he said.
"There's a lot of technical depth, but when it comes to attributing it to individuals, it's very, very difficult, and it's tempting to draw conclusions because sometimes it seems like it's just obvious," he said.
The 850,000 bitcoins that were lost from Mt. Gox, 100,000 of which were its own, were worth an estimated $474 million. If stolen, the incident would be one of the largest cyber crime thefts on record.
An academic paper published last year that analyzed noted thefts of bitcoins found that following a trail of bitcoins was hard if a thief used certain techniques, including splitting balances across many other addresses, but that few thieves did so.
"For the thieves who used the more complex strategies, we saw little opportunity to track the flow of bitcoins (or at least do so with any confidence that ownership was staying the same), but for the thieves that did not there seemed to be ample opportunity to track the stolen money directly to an exchange," they wrote.
Because bitcoin is just five years old, law enforcement may still be just catching up with how bitcoin works, let alone honing blockchain forensic techniques.
"A lot of people think of bitcoin as funny money," said Bruce Fenton, board member of The Bitcoin Association, a nonprofit industry organization. "This is serious money for serious people."
Another possible scenario is that Mt. Gox simply lost the private keys to the bitcoins, which are required to transfer the virtual currency to another address, through a hardware failure or a software error.
If that's the case, the blockchain would show bitcoins still sitting in an address known to be under Mt. Gox's control, but transferring them would be impossible.