[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:08.76,Default,,0000,0000,0000,,{\i1}preroll music{\i0}
Dialogue: 0,0:00:10.08,0:00:13.46,Default,,0000,0000,0000,,Herald: And I'm gonna introduce Netanel Rubin.
Dialogue: 0,0:00:14.17,0:00:18.64,Default,,0000,0000,0000,,He was here last year with a talk \Nthat he got some bashing for.
Dialogue: 0,0:00:19.31,0:00:23.55,Default,,0000,0000,0000,,This year he's gonna ensure,\Nit's not the programmer's fault,
Dialogue: 0,0:00:23.69,0:00:27.43,Default,,0000,0000,0000,,it's the language itself. No?
Dialogue: 0,0:00:27.51,0:00:29.88,Default,,0000,0000,0000,,Well, here we go, well here we go.
Dialogue: 0,0:00:29.95,0:00:33.60,Default,,0000,0000,0000,,Netanel, he is working for \NPerimeterX in Tel Aviv,
Dialogue: 0,0:00:33.63,0:00:35.49,Default,,0000,0000,0000,,welcome on stage, your talk!
Dialogue: 0,0:00:35.52,0:00:37.63,Default,,0000,0000,0000,,Netanel: Thank you very much, {\i1}applause{\i0}
Dialogue: 0,0:00:37.67,0:00:41.13,Default,,0000,0000,0000,,thank you, thank you!
Dialogue: 0,0:00:44.75,0:00:52.76,Default,,0000,0000,0000,,Last year I stood right on this very stage\Nand I talked about several of Perl's
Dialogue: 0,0:00:52.76,0:00:56.41,Default,,0000,0000,0000,,less thought out "features".
Dialogue: 0,0:00:56.41,0:01:04.71,Default,,0000,0000,0000,,Now, I got some bashing from the Perl community, \Nbut mainly what happened was,
Dialogue: 0,0:01:04.71,0:01:10.29,Default,,0000,0000,0000,,that the Perl community completely rejected my talk \Nclaiming that the language
Dialogue: 0,0:01:10.29,0:01:16.36,Default,,0000,0000,0000,,is completely fine and great \Nand all of this stuff is just improvements.
Dialogue: 0,0:01:17.57,0:01:20.72,Default,,0000,0000,0000,,It was clear I had to give another talk.
Dialogue: 0,0:01:21.42,0:01:29.05,Default,,0000,0000,0000,,This is why I'm very proud to present \N"Perl Jam 2 – The Camel strikes back"!
Dialogue: 0,0:01:29.05,0:01:33.62,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:33.62,0:01:36.19,Default,,0000,0000,0000,,Thank you
Dialogue: 0,0:01:38.06,0:01:45.87,Default,,0000,0000,0000,,At the last talk, I showed that "lists" are expressions, \Nused in… many confusing ways.
Dialogue: 0,0:01:45.87,0:01:52.92,Default,,0000,0000,0000,,I also showed how CGI parameters can create lists, \Ndirectly from user input.
Dialogue: 0,0:01:52.92,0:02:00.16,Default,,0000,0000,0000,,But most importantly, I showed \Nthat when these two things combine, shit happens.
Dialogue: 0,0:02:01.70,0:02:04.07,Default,,0000,0000,0000,,Great
Dialogue: 0,0:02:04.08,0:02:08.95,Default,,0000,0000,0000,,But the really interesting part \Nwas the PerlMonks response.
Dialogue: 0,0:02:08.95,0:02:16.20,Default,,0000,0000,0000,,The Perl community…\N{\i1}laughter{\i0}
Dialogue: 0,0:02:19.27,0:02:24.45,Default,,0000,0000,0000,,The Perl community had a long discussion \Nat the PerlMonks forum
Dialogue: 0,0:02:24.45,0:02:29.48,Default,,0000,0000,0000,,that started with the words \N"Sad news from Germany".
Dialogue: 0,0:02:29.48,0:02:32.23,Default,,0000,0000,0000,,A bit dramatic, but who am I to judge?
Dialogue: 0,0:02:32.23,0:02:38.93,Default,,0000,0000,0000,,So, after a long, long discussion, \Nthey came to the unavoidable conclusion
Dialogue: 0,0:02:38.93,0:02:47.100,Default,,0000,0000,0000,,that my talk was, in fact, a "polemic shit", \Nand they should all just "piss on it". Wink.
Dialogue: 0,0:02:49.72,0:02:55.76,Default,,0000,0000,0000,,They also realized I'm just a \N"script kiddie preaching to other script kiddies",
Dialogue: 0,0:02:55.76,0:03:01.16,Default,,0000,0000,0000,,and not just any script kiddies, the CCC audience is a
Dialogue: 0,0:03:01.16,0:03:06.44,Default,,0000,0000,0000,,"heterogeneous group of chaotic punks \Nwho love to see themselves in the hacker
Dialogue: 0,0:03:06.44,0:03:18.09,Default,,0000,0000,0000,,image of Hollywood media". \N{\i1}applause and whistling from audience{\i0}
Dialogue: 0,0:03:18.09,0:03:24.08,Default,,0000,0000,0000,,What hacker image? \NWhat are they talking about?
Dialogue: 0,0:03:24.08,0:03:26.22,Default,,0000,0000,0000,,We have no hacker image.
Dialogue: 0,0:03:26.31,0:03:34.28,Default,,0000,0000,0000,,Anyway, it got quite surreal, as at some point \Nthey even criticized
Dialogue: 0,0:03:34.28,0:03:41.99,Default,,0000,0000,0000,,the "crude use of propaganda \Nin the camel images". WAT?
Dialogue: 0,0:03:42.46,0:03:46.02,Default,,0000,0000,0000,,{\i1}laughing{\i0}\N{\i1}applause{\i0}
Dialogue: 0,0:03:46.02,0:03:50.74,Default,,0000,0000,0000,,Propaganda in the camel images. Alright.
Dialogue: 0,0:03:50.74,0:03:58.35,Default,,0000,0000,0000,,Anyway, they completely rejected the entire talk, \Neven though the technical points were valid.
Dialogue: 0,0:03:58.35,0:04:03.60,Default,,0000,0000,0000,,They rejected it because of \Nsome jokes and camel images.
Dialogue: 0,0:04:03.60,0:04:12.81,Default,,0000,0000,0000,,But still, they got so offended they just threw \Nlame excuses as to why their language sucks.
Dialogue: 0,0:04:12.81,0:04:19.62,Default,,0000,0000,0000,,Two of these lame excuses were \Nrepeated over and over again.
Dialogue: 0,0:04:19.62,0:04:24.73,Default,,0000,0000,0000,,The first was that I should \Nread the fucking manual, which is funny
Dialogue: 0,0:04:24.73,0:04:27.41,Default,,0000,0000,0000,,because I thought I was the only one who did…
Dialogue: 0,0:04:27.41,0:04:29.18,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:04:29.18,0:04:30.75,Default,,0000,0000,0000,,…and the second is that
Dialogue: 0,0:04:30.75,0:04:35.38,Default,,0000,0000,0000,,I'm using the old, ancient Perl, \Nand not the new, modern Perl.
Dialogue: 0,0:04:35.38,0:04:39.92,Default,,0000,0000,0000,,{\i1}more laughter{\i0}
Dialogue: 0,0:04:40.81,0:04:46.32,Default,,0000,0000,0000,,Remember these two points carefully \Nas I'll later break them in the presentation.
Dialogue: 0,0:04:46.32,0:04:52.17,Default,,0000,0000,0000,,But, enough with the intro, \Nlet's start with the new madness.
Dialogue: 0,0:04:52.17,0:04:58.79,Default,,0000,0000,0000,,So, Perl allows declaring variables \Nwithout specifying their data type.
Dialogue: 0,0:04:58.79,0:05:03.13,Default,,0000,0000,0000,,Of course, this functionality exists \Nin many dynamic languages,
Dialogue: 0,0:05:03.13,0:05:06.88,Default,,0000,0000,0000,,and is completely fine and very convenient.
Dialogue: 0,0:05:06.88,0:05:12.77,Default,,0000,0000,0000,,But, as usual, Perl took it \Nto a whole different level.
Dialogue: 0,0:05:12.77,0:05:19.20,Default,,0000,0000,0000,,Perl went as far as removing \Ndata type declarations from function arguments.
Dialogue: 0,0:05:19.20,0:05:20.85,Default,,0000,0000,0000,,You can see that in this example,
Dialogue: 0,0:05:20.85,0:05:27.76,Default,,0000,0000,0000,,I'm just receiving two different arguments \Nwithout knowing what type they are.
Dialogue: 0,0:05:27.76,0:05:29.76,Default,,0000,0000,0000,,Let me be clear about that,
Dialogue: 0,0:05:29.76,0:05:34.54,Default,,0000,0000,0000,,you don't get to choose whether you want \Nto specify argument data types or not,
Dialogue: 0,0:05:34.54,0:05:41.05,Default,,0000,0000,0000,,you can't specify \Nwhat data types you're expecting to get.
Dialogue: 0,0:05:41.05,0:05:44.76,Default,,0000,0000,0000,,So even if I built a function \Nthat only works with strings,
Dialogue: 0,0:05:44.76,0:05:49.33,Default,,0000,0000,0000,,I have no way of forcing that \Nat the function declaration.
Dialogue: 0,0:05:49.33,0:05:51.32,Default,,0000,0000,0000,,Now that's annoying.
Dialogue: 0,0:05:51.32,0:05:57.39,Default,,0000,0000,0000,,But, the real kicker \Nis how this feature is used.
Dialogue: 0,0:05:57.44,0:06:03.83,Default,,0000,0000,0000,,Apparently, it is very common to write \Ntwo completely different blocks of code,
Dialogue: 0,0:06:03.83,0:06:07.68,Default,,0000,0000,0000,,one that handles scalar types, \Nlike strings or ints,
Dialogue: 0,0:06:07.68,0:06:13.22,Default,,0000,0000,0000,,and one that handles non-scalar types, \Nlike arrays or hashes.
Dialogue: 0,0:06:13.22,0:06:15.34,Default,,0000,0000,0000,,Let me repeat that:
Dialogue: 0,0:06:15.34,0:06:23.80,Default,,0000,0000,0000,,Writing multiple code, for multiple data-types, \Nin one function, is a Perl standard.
Dialogue: 0,0:06:23.80,0:06:31.78,Default,,0000,0000,0000,,And that's sad. You shouldn't write redundant code \Nbecause the language lacks the capability
Dialogue: 0,0:06:31.78,0:06:35.97,Default,,0000,0000,0000,,of letting you decide \Nwhich cases you don't want to handle.
Dialogue: 0,0:06:35.97,0:06:40.49,Default,,0000,0000,0000,,By the way, Python doesn't let you \Ndeclare your function argument data types either,
Dialogue: 0,0:06:40.49,0:06:45.72,Default,,0000,0000,0000,,but unlike Perl, writing redundant code \Nto cover that up
Dialogue: 0,0:06:45.72,0:06:49.73,Default,,0000,0000,0000,,is definitely not the standard.
Dialogue: 0,0:06:49.73,0:06:54.72,Default,,0000,0000,0000,,Anyway, sad as this may be, \Nthis Perl convention is not dangerous.
Dialogue: 0,0:06:54.72,0:06:56.89,Default,,0000,0000,0000,,The dangerous part begins
Dialogue: 0,0:06:56.89,0:07:02.96,Default,,0000,0000,0000,,when hashes and arrays \Nare considered as "secure" data types,
Dialogue: 0,0:07:02.96,0:07:07.74,Default,,0000,0000,0000,,mainly because they can't be created \Nby user input.
Dialogue: 0,0:07:07.74,0:07:10.37,Default,,0000,0000,0000,,This results in this kind of code,
Dialogue: 0,0:07:10.37,0:07:14.19,Default,,0000,0000,0000,,where if the function argument \Nis a hash, for example,
Dialogue: 0,0:07:14.19,0:07:18.71,Default,,0000,0000,0000,,it is used un-escaped in dangerous functions.
Dialogue: 0,0:07:18.71,0:07:25.66,Default,,0000,0000,0000,,Hashes, specifically, are considered so secure, \Nthat even if you use "taint mode",
Dialogue: 0,0:07:25.66,0:07:28.29,Default,,0000,0000,0000,,which is some kind of safe mode for Perl,
Dialogue: 0,0:07:28.29,0:07:33.53,Default,,0000,0000,0000,,hash keys are not tainted, meaning \Nthat, even if you use safe mode,
Dialogue: 0,0:07:33.53,0:07:36.72,Default,,0000,0000,0000,,they can still be used in dangerous functions
Dialogue: 0,0:07:36.72,0:07:41.64,Default,,0000,0000,0000,,without any validation, \Nas opposed to other data types.
Dialogue: 0,0:07:41.64,0:07:46.62,Default,,0000,0000,0000,,Now this kind of code appears a lot \Nin Perl applications,
Dialogue: 0,0:07:46.62,0:07:49.76,Default,,0000,0000,0000,,and apart from the many bugs \Nthis method can cause,
Dialogue: 0,0:07:49.76,0:07:54.40,Default,,0000,0000,0000,,it also makes your code exploitable.
Dialogue: 0,0:07:54.40,0:07:58.37,Default,,0000,0000,0000,,So we know function arguments are of unknown data type.
Dialogue: 0,0:07:58.37,0:08:03.07,Default,,0000,0000,0000,,And we know developers treat hashes and arrays \Nas "secure" data types,
Dialogue: 0,0:08:03.07,0:08:06.60,Default,,0000,0000,0000,,inserting their values into dangerous functions.
Dialogue: 0,0:08:06.60,0:08:09.14,Default,,0000,0000,0000,,But this practice isn't something
Dialogue: 0,0:08:09.14,0:08:14.06,Default,,0000,0000,0000,,that was created a long time ago, \Nand found only in redundant code.
Dialogue: 0,0:08:14.06,0:08:20.34,Default,,0000,0000,0000,,Because of how the language is built, \Nits supposedly restriction-less type of developing,
Dialogue: 0,0:08:20.34,0:08:26.69,Default,,0000,0000,0000,,even now it is the natural way to code \Nwhen you're using Perl.
Dialogue: 0,0:08:26.69,0:08:31.18,Default,,0000,0000,0000,,And that's the real problem: \NPerl is like a shotgun,
Dialogue: 0,0:08:31.18,0:08:36.55,Default,,0000,0000,0000,,with one trigger you know about \Nand a dozen that you don't.
Dialogue: 0,0:08:36.55,0:08:40.82,Default,,0000,0000,0000,,So for now, we know \Nthat if we'll somehow manage
Dialogue: 0,0:08:40.82,0:08:46.05,Default,,0000,0000,0000,,to create these "secure" data types, \Nwith our user input,
Dialogue: 0,0:08:46.05,0:08:49.01,Default,,0000,0000,0000,,we could exploit the code.
Dialogue: 0,0:08:49.01,0:08:53.100,Default,,0000,0000,0000,,So the only question remaining really \Nis what are we gonna exploit?
Dialogue: 0,0:08:53.100,0:08:58.18,Default,,0000,0000,0000,,And the answer, again, \Nis Bugzilla.
Dialogue: 0,0:08:58.18,0:09:02.77,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:09:03.18,0:09:08.71,Default,,0000,0000,0000,,Like every other Perl project, \NBugzilla is heavily using functions
Dialogue: 0,0:09:08.71,0:09:13.28,Default,,0000,0000,0000,,that treat scalar and non-scalar \Nargument types very differently.
Dialogue: 0,0:09:13.28,0:09:17.40,Default,,0000,0000,0000,,This is one of them: the load_from_DB function is responsible
Dialogue: 0,0:09:17.40,0:09:21.54,Default,,0000,0000,0000,,for extracting object specific data \Nout of the database.
Dialogue: 0,0:09:21.54,0:09:28.94,Default,,0000,0000,0000,,Like I just said, it treats scalars, \Nand in this case hashes, very differently.
Dialogue: 0,0:09:28.94,0:09:34.15,Default,,0000,0000,0000,,If the function argument is a hash, \Nit takes one of its values
Dialogue: 0,0:09:34.15,0:09:39.84,Default,,0000,0000,0000,,and inserts it as is, un-escaped, \Ninto an SQL statement.
Dialogue: 0,0:09:39.84,0:09:44.60,Default,,0000,0000,0000,,Again, because hashes \Nare considered secure,
Dialogue: 0,0:09:44.60,0:09:47.81,Default,,0000,0000,0000,,so there's no point in escaping them.
Dialogue: 0,0:09:47.81,0:09:50.92,Default,,0000,0000,0000,,On the other hand, \Nif the argument is a scalar,
Dialogue: 0,0:09:50.92,0:09:55.80,Default,,0000,0000,0000,,it converts it into an integer \Nand only then uses it in an SQL statement.
Dialogue: 0,0:09:55.80,0:09:59.02,Default,,0000,0000,0000,,Because scalar values are not secure.
Dialogue: 0,0:09:59.02,0:10:00.68,Default,,0000,0000,0000,,hashes: secure
Dialogue: 0,0:10:00.68,0:10:03.06,Default,,0000,0000,0000,,scalar: not secure
Dialogue: 0,0:10:03.06,0:10:06.24,Default,,0000,0000,0000,,This means that if we could control \Nthe function argument entirely,
Dialogue: 0,0:10:06.24,0:10:10.96,Default,,0000,0000,0000,,including its data type, \Nwe could control the SQL query,
Dialogue: 0,0:10:10.96,0:10:14.40,Default,,0000,0000,0000,,effectively exploiting an SQL injection attack,
Dialogue: 0,0:10:14.40,0:10:17.72,Default,,0000,0000,0000,,by inserting a hash \Ncontaining that specific value.
Dialogue: 0,0:10:17.72,0:10:21.23,Default,,0000,0000,0000,,But…
Dialogue: 0,0:10:21.23,0:10:26.86,Default,,0000,0000,0000,,CGI input doesn't allow hashes, right?
Dialogue: 0,0:10:26.86,0:10:32.34,Default,,0000,0000,0000,,The whole Perl security module \Nis built on that assumption.
Dialogue: 0,0:10:32.34,0:10:37.31,Default,,0000,0000,0000,,The problem is that, like us, \Ndevelopers are assuming
Dialogue: 0,0:10:37.31,0:10:42.49,Default,,0000,0000,0000,,CGI input is the only input method available.
Dialogue: 0,0:10:42.49,0:10:45.58,Default,,0000,0000,0000,,CGI.
Dialogue: 0,0:10:45.58,0:10:48.54,Default,,0000,0000,0000,,But CGI isn't the only way to go.
Dialogue: 0,0:10:48.54,0:10:52.98,Default,,0000,0000,0000,,Bugzilla developers missed the fact \Nthat their own system
Dialogue: 0,0:10:52.98,0:10:57.72,Default,,0000,0000,0000,,is also featuring an XMLRPC and a JSONRPC,
Dialogue: 0,0:10:57.72,0:11:05.05,Default,,0000,0000,0000,,both supporting input of non-scalar data types \Nlike arrays and hashes!
Dialogue: 0,0:11:05.05,0:11:06.50,Default,,0000,0000,0000,,But I'm not blaming them.
Dialogue: 0,0:11:06.50,0:11:12.49,Default,,0000,0000,0000,,Yes, they forgot that there are more ways \Nfor a user to input than CGI,
Dialogue: 0,0:11:12.49,0:11:16.70,Default,,0000,0000,0000,,but still, they're just the product \Nof how Perl programming is taught,
Dialogue: 0,0:11:16.70,0:11:20.68,Default,,0000,0000,0000,,filled with false assumptions and inconsistencies.
Dialogue: 0,0:11:20.68,0:11:25.98,Default,,0000,0000,0000,,Expecting anything but this kind \Nof security problem is just naive.
Dialogue: 0,0:11:25.98,0:11:28.55,Default,,0000,0000,0000,,But back to the vulnerability.
Dialogue: 0,0:11:28.55,0:11:30.43,Default,,0000,0000,0000,,If we'll use one of these RPCs,
Dialogue: 0,0:11:30.43,0:11:34.14,Default,,0000,0000,0000,,sending our input parameter with a malicious hash,
Dialogue: 0,0:11:34.14,0:11:37.20,Default,,0000,0000,0000,,instead of just a regular numeric parameter,
Dialogue: 0,0:11:37.20,0:11:39.99,Default,,0000,0000,0000,,we will be able to exploit the SQL injection!
Dialogue: 0,0:11:39.99,0:11:44.43,Default,,0000,0000,0000,,So, if we'll send this regular request, \Nusing the JSONRPC interface,
Dialogue: 0,0:11:44.43,0:11:48.61,Default,,0000,0000,0000,,the number 1 will be used \Nas the ID of a bug to extract,
Dialogue: 0,0:11:48.61,0:11:51.27,Default,,0000,0000,0000,,but if we'll send this request,
Dialogue: 0,0:11:51.27,0:11:53.99,Default,,0000,0000,0000,,where instead of an integer we'll supply a hash,
Dialogue: 0,0:11:53.99,0:11:57.36,Default,,0000,0000,0000,,then suddenly we will be able \Nto inject any SQL we'd like
Dialogue: 0,0:11:57.36,0:12:03.02,Default,,0000,0000,0000,,into that statement, effectively \Ncompromising the entire database.
Dialogue: 0,0:12:03.12,0:12:07.05,Default,,0000,0000,0000,,Now when you look at this request, you realize
Dialogue: 0,0:12:07.05,0:12:11.40,Default,,0000,0000,0000,,that this is not a sophisticated vulnerability.
Dialogue: 0,0:12:11.40,0:12:20.86,Default,,0000,0000,0000,,All I did was just change the input data type \Nfrom scalar in this case to a hash,
Dialogue: 0,0:12:20.86,0:12:24.98,Default,,0000,0000,0000,,and that's it, the system is compromised.
Dialogue: 0,0:12:24.98,0:12:29.07,Default,,0000,0000,0000,,It was so heavily built on the assumption
Dialogue: 0,0:12:29.07,0:12:32.22,Default,,0000,0000,0000,,that hashes are secure, that it offered me
Dialogue: 0,0:12:32.22,0:12:36.68,Default,,0000,0000,0000,,almost unlimited access security-wise.
Dialogue: 0,0:12:36.68,0:12:41.66,Default,,0000,0000,0000,,The funny thing about that is, that \Nalthough it's so simple,
Dialogue: 0,0:12:41.66,0:12:45.97,Default,,0000,0000,0000,,the attack has existed for over 5 years.
Dialogue: 0,0:12:45.97,0:12:48.91,Default,,0000,0000,0000,,That's the year I was born in.
Dialogue: 0,0:12:48.91,0:12:55.09,Default,,0000,0000,0000,,So, we now proved this "unknown-argument-type" feature
Dialogue: 0,0:12:55.09,0:12:58.23,Default,,0000,0000,0000,,is a huge source of problems.
Dialogue: 0,0:12:58.23,0:13:02.90,Default,,0000,0000,0000,,We also know writing different code \Nto handle different data types
Dialogue: 0,0:13:02.90,0:13:06.95,Default,,0000,0000,0000,,just causes a lot of false assumptions.
Dialogue: 0,0:13:06.95,0:13:13.53,Default,,0000,0000,0000,,But most importantly, treating non-scalar \Ndata types such as hashes as "secure",
Dialogue: 0,0:13:13.53,0:13:17.35,Default,,0000,0000,0000,,just because they supposedly can't be created by the user,
Dialogue: 0,0:13:17.35,0:13:22.96,Default,,0000,0000,0000,,is very, very, BAD. Just ask Bugzilla.
Dialogue: 0,0:13:22.96,0:13:30.14,Default,,0000,0000,0000,,But the shocking part really, is that, again, \Nthis is the Perl Standard!
Dialogue: 0,0:13:30.14,0:13:33.89,Default,,0000,0000,0000,,You're not expected to use it, you have to
Dialogue: 0,0:13:33.89,0:13:36.64,Default,,0000,0000,0000,,as you don't have any other choice.
Dialogue: 0,0:13:36.64,0:13:43.83,Default,,0000,0000,0000,,This security mess \Nis a fundamental part of the language.
Dialogue: 0,0:13:43.83,0:13:51.78,Default,,0000,0000,0000,,The problem is that creating non-scalar data types \Nis impossible in some cases.
Dialogue: 0,0:13:51.78,0:13:54.91,Default,,0000,0000,0000,,We can't rely on the fact that some kind of RPC
Dialogue: 0,0:13:54.91,0:13:58.86,Default,,0000,0000,0000,,will exist in the code \Nand support different data types,
Dialogue: 0,0:13:58.86,0:14:05.03,Default,,0000,0000,0000,,and we can't create data types \Nusing regular user input… Right?
Dialogue: 0,0:14:05.03,0:14:06.94,Default,,0000,0000,0000,,Well, let's have a look at
Dialogue: 0,0:14:06.94,0:14:10.53,Default,,0000,0000,0000,,how different CGI modules \Nhandle different kinds of input.
Dialogue: 0,0:14:10.53,0:14:13.92,Default,,0000,0000,0000,,First, we'll take the most trivial scenario.
Dialogue: 0,0:14:13.92,0:14:17.81,Default,,0000,0000,0000,,A single valued parameter, \Nsomething that looks like this request,
Dialogue: 0,0:14:17.81,0:14:22.21,Default,,0000,0000,0000,,where the "foo" parameter \Nis assigned the string "bar".
Dialogue: 0,0:14:22.21,0:14:26.82,Default,,0000,0000,0000,,In this case, a scalar is created on all three CGI modules,
Dialogue: 0,0:14:26.82,0:14:31.20,Default,,0000,0000,0000,,which doesn't really help us, \Nbut is pretty much what we expected.
Dialogue: 0,0:14:31.20,0:14:32.91,Default,,0000,0000,0000,,It is secure.
Dialogue: 0,0:14:32.91,0:14:37.85,Default,,0000,0000,0000,,But what happens if instead of \Nsending a single-valued parameter,
Dialogue: 0,0:14:37.85,0:14:42.38,Default,,0000,0000,0000,,we'll send a multi-valued parameter, \Nlike in this request?
Dialogue: 0,0:14:42.38,0:14:46.03,Default,,0000,0000,0000,,Now things are starting to get complicated.
Dialogue: 0,0:14:46.03,0:14:50.55,Default,,0000,0000,0000,,On CGI.PM, as we already know, \Na list is created,
Dialogue: 0,0:14:50.55,0:14:55.01,Default,,0000,0000,0000,,which is very useful for us, \Nbut not what we're after.
Dialogue: 0,0:14:55.01,0:15:01.85,Default,,0000,0000,0000,,Let's have a look at \Nwhat the "new" Perl modules are creating.
Dialogue: 0,0:15:01.85,0:15:09.99,Default,,0000,0000,0000,,We'll see that both of them are returning \Narrays containing our values.
Dialogue: 0,0:15:09.99,0:15:14.55,Default,,0000,0000,0000,,Arrays! WAT?
Dialogue: 0,0:15:14.55,0:15:19.28,Default,,0000,0000,0000,,I thought you can't create \Nthese kinds of data types with regular input,
Dialogue: 0,0:15:19.28,0:15:22.44,Default,,0000,0000,0000,,after all, they're considered safe.
Dialogue: 0,0:15:22.44,0:15:24.24,Default,,0000,0000,0000,,But let's continue.
Dialogue: 0,0:15:24.24,0:15:27.64,Default,,0000,0000,0000,,What happens if instead of sending a regular value,
Dialogue: 0,0:15:27.64,0:15:31.88,Default,,0000,0000,0000,,we'll try and upload a file in that parameter?
Dialogue: 0,0:15:31.88,0:15:35.23,Default,,0000,0000,0000,,Now things are really getting out of hand,
Dialogue: 0,0:15:35.23,0:15:44.41,Default,,0000,0000,0000,,because CGI.PM now returns a file descriptor, \Nand Catalyst and Mojolicious return a hash.
Dialogue: 0,0:15:44.41,0:15:46.38,Default,,0000,0000,0000,,WAT?
Dialogue: 0,0:15:46.38,0:15:54.01,Default,,0000,0000,0000,,We just exploited \Nthe most popular Perl project in the world
Dialogue: 0,0:15:54.01,0:15:58.23,Default,,0000,0000,0000,,because they assumed hashes can't be created by the user,
Dialogue: 0,0:15:58.23,0:16:02.98,Default,,0000,0000,0000,,and now we're finding out \Nthat not only can we create hashes,
Dialogue: 0,0:16:02.98,0:16:05.48,Default,,0000,0000,0000,,it is a god-damned feature?!
Dialogue: 0,0:16:05.48,0:16:07.16,Default,,0000,0000,0000,,That's insane!
Dialogue: 0,0:16:07.16,0:16:11.50,Default,,0000,0000,0000,,The whole Perl security standard is built on that assumption
Dialogue: 0,0:16:11.50,0:16:14.95,Default,,0000,0000,0000,,that users can't create non-scalar data-types
Dialogue: 0,0:16:14.95,0:16:19.87,Default,,0000,0000,0000,,and now suddenly these are features?
Dialogue: 0,0:16:19.87,0:16:27.69,Default,,0000,0000,0000,,But let's send a multi-file upload request \Nas in several files in the same parameter.
Dialogue: 0,0:16:27.69,0:16:34.18,Default,,0000,0000,0000,,Watch closely, because this is where it gets ridiculous.
Dialogue: 0,0:16:34.18,0:16:39.43,Default,,0000,0000,0000,,Now, CGI.PM returns a list of File Descriptors,
Dialogue: 0,0:16:39.43,0:16:42.55,Default,,0000,0000,0000,,Catalyst returns a list of Hashes
Dialogue: 0,0:16:42.55,0:16:49.28,Default,,0000,0000,0000,,and Mojolicious returns an Array of Objects! WAT?!
Dialogue: 0,0:16:49.28,0:16:53.34,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:16:53.44,0:16:58.10,Default,,0000,0000,0000,,Almost any Perl project in the world
Dialogue: 0,0:16:58.10,0:17:03.47,Default,,0000,0000,0000,,uses one of these modules \Nfor parsing CGI input.
Dialogue: 0,0:17:03.47,0:17:10.52,Default,,0000,0000,0000,,Just think how many developers assumed \Nthe exact same thing Bugzilla assumed
Dialogue: 0,0:17:10.52,0:17:15.85,Default,,0000,0000,0000,,and treated hashes and arrays as secure data types.
Dialogue: 0,0:17:15.85,0:17:17.75,Default,,0000,0000,0000,,So if you're using CGI.PM,
Dialogue: 0,0:17:18.38,0:17:21.27,Default,,0000,0000,0000,,instead of the expected scalar value you could be getting
Dialogue: 0,0:17:21.27,0:17:25.72,Default,,0000,0000,0000,,a list, a file descriptor or a list of file descriptors
Dialogue: 0,0:17:25.72,0:17:27.64,Default,,0000,0000,0000,,and if you're using Catalyst
Dialogue: 0,0:17:27.64,0:17:30.90,Default,,0000,0000,0000,,you could receive a scalar, an array, a hash or a list,
Dialogue: 0,0:17:30.90,0:17:35.38,Default,,0000,0000,0000,,which is basically any data type.
Dialogue: 0,0:17:36.32,0:17:39.42,Default,,0000,0000,0000,,So expecting your function… yeah
Dialogue: 0,0:17:40.09,0:17:44.09,Default,,0000,0000,0000,,{\i1}audience chuckling{\i0}
Dialogue: 0,0:17:45.94,0:17:53.100,Default,,0000,0000,0000,,So expecting your function arguments \Nto be of a specific data type is false.
Dialogue: 0,0:17:53.100,0:18:00.12,Default,,0000,0000,0000,,Expecting hashes and arrays to be secure is also false.
Dialogue: 0,0:18:00.12,0:18:02.97,Default,,0000,0000,0000,,Expecting scalar only user input
Dialogue: 0,0:18:02.97,0:18:06.83,Default,,0000,0000,0000,,is a major false.
Dialogue: 0,0:18:06.83,0:18:13.16,Default,,0000,0000,0000,,And to be honest, it seems that in Perl expecting is false!
Dialogue: 0,0:18:13.16,0:18:17.34,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:18:21.42,0:18:25.92,Default,,0000,0000,0000,,You just can't expect anything
Dialogue: 0,0:18:25.92,0:18:32.46,Default,,0000,0000,0000,,even the most basic of things \Nsuch as what data type your variable is made of.
Dialogue: 0,0:18:32.46,0:18:35.76,Default,,0000,0000,0000,,You just don't know.
Dialogue: 0,0:18:37.87,0:18:42.93,Default,,0000,0000,0000,,But I felt all of these points would \Ngo unnoticed
Dialogue: 0,0:18:42.93,0:18:48.63,Default,,0000,0000,0000,,without an extreme example of Perl's absurdity.
Dialogue: 0,0:18:48.63,0:18:52.60,Default,,0000,0000,0000,,So I found an extreme example.
Dialogue: 0,0:18:52.60,0:18:55.25,Default,,0000,0000,0000,,One that will clearly show
Dialogue: 0,0:18:55.25,0:18:59.20,Default,,0000,0000,0000,,the ridiculous nature of the language.
Dialogue: 0,0:18:59.20,0:19:00.90,Default,,0000,0000,0000,,And this is it:
Dialogue: 0,0:19:00.90,0:19:06.83,Default,,0000,0000,0000,,All this code does is print an uploaded file's content.
Dialogue: 0,0:19:06.83,0:19:14.52,Default,,0000,0000,0000,,And to show you how basic and simple that code is, \NI'll explain each line.
Dialogue: 0,0:19:14.52,0:19:20.36,Default,,0000,0000,0000,,The first line just creates a new CGI instance, \Nso we could get the file from the user.
Dialogue: 0,0:19:20.36,0:19:26.78,Default,,0000,0000,0000,,The second line checks if a file \Nhas been uploaded in the "file" parameter.
Dialogue: 0,0:19:26.78,0:19:31.55,Default,,0000,0000,0000,,The third line gets the file descriptor from the CGI module,
Dialogue: 0,0:19:31.55,0:19:37.44,Default,,0000,0000,0000,,while the fourth line loops through the file \Nand the fifth prints it.
Dialogue: 0,0:19:37.44,0:19:44.46,Default,,0000,0000,0000,,That's it. Again: all this code does \Nis get a file and print it.
Dialogue: 0,0:19:44.46,0:19:45.52,Default,,0000,0000,0000,,{\i1}clapping{\i0}\NThat's it.
Dialogue: 0,0:19:45.52,0:19:52.13,Default,,0000,0000,0000,,A user has uploaded a file to the server \Nand the server is just returning its content.
Dialogue: 0,0:19:52.13,0:19:55.68,Default,,0000,0000,0000,,It's not saving it anywhere, \Nit's not moving it anywhere,
Dialogue: 0,0:19:55.68,0:19:58.77,Default,,0000,0000,0000,,it just prints its content.
Dialogue: 0,0:19:58.77,0:20:03.52,Default,,0000,0000,0000,,There should be absolutely \Nnothing dangerous in this code,
Dialogue: 0,0:20:03.52,0:20:07.09,Default,,0000,0000,0000,,it contains literally five lines.
Dialogue: 0,0:20:07.09,0:20:09.83,Default,,0000,0000,0000,,Yet, it's demo time.
Dialogue: 0,0:20:09.83,0:20:12.33,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:20:12.41,0:20:15.02,Default,,0000,0000,0000,,So trust me, you don't need to see the text,
Dialogue: 0,0:20:15.02,0:20:19.82,Default,,0000,0000,0000,,all you need to see is that \Nwhen I'm sending a regular request nothing happens.
Dialogue: 0,0:20:19.82,0:20:23.58,Default,,0000,0000,0000,,When I send it now, nothing happens,\NI'm just getting the file content.
Dialogue: 0,0:20:23.58,0:20:26.24,Default,,0000,0000,0000,,We're having fun, you don't see the burp…
Dialogue: 0,0:20:26.24,0:20:30.42,Default,,0000,0000,0000,,Now, nice. Okay.
Dialogue: 0,0:20:30.42,0:20:34.18,Default,,0000,0000,0000,,So…\N…Let me just…
Dialogue: 0,0:20:34.68,0:20:37.18,Default,,0000,0000,0000,,…I have no idea where my mouse is, okay.
Dialogue: 0,0:20:37.39,0:20:38.32,Default,,0000,0000,0000,,So…
Dialogue: 0,0:20:39.18,0:20:42.23,Default,,0000,0000,0000,,I'm sending a regular request, \Nnothing happens, just getting the content.
Dialogue: 0,0:20:42.23,0:20:46.07,Default,,0000,0000,0000,,I know, you can't see the text…\N…and…
Dialogue: 0,0:20:46.07,0:20:49.52,Default,,0000,0000,0000,,when I'm sending my malicious request,
Dialogue: 0,0:20:49.52,0:20:51.90,Default,,0000,0000,0000,,something interesting will pop up.
Dialogue: 0,0:20:51.90,0:20:54.99,Default,,0000,0000,0000,,Watch closely! It's gonna be quick.
Dialogue: 0,0:20:55.09,0:20:56.68,Default,,0000,0000,0000,,Ready?
Dialogue: 0,0:20:58.27,0:21:00.52,Default,,0000,0000,0000,,Oh, you haven't seen it, it's on the different screen.
Dialogue: 0,0:21:00.52,0:21:06.64,Default,,0000,0000,0000,,Just a second… oh… duplicate…
Dialogue: 0,0:21:07.81,0:21:09.24,Default,,0000,0000,0000,,(from audience): … magnify it!
Dialogue: 0,0:21:09.24,0:21:11.78,Default,,0000,0000,0000,,Netanel: I'll magnify you!
Dialogue: 0,0:21:11.78,0:21:14.25,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:21:14.42,0:21:18.14,Default,,0000,0000,0000,,Alright, so… watch closely.
Dialogue: 0,0:21:18.89,0:21:22.77,Default,,0000,0000,0000,,Ohh, uuh? What was that?
Dialogue: 0,0:21:24.47,0:21:26.56,Default,,0000,0000,0000,,Let's see it again.
Dialogue: 0,0:21:26.56,0:21:29.53,Default,,0000,0000,0000,,{\i1}mocking{\i0} Uuuuuh?!
Dialogue: 0,0:21:30.34,0:21:36.50,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:21:36.89,0:21:40.44,Default,,0000,0000,0000,,Yup, {\i1}clearing throat{\i0}
Dialogue: 0,0:21:40.75,0:21:44.65,Default,,0000,0000,0000,,… just a second.
Dialogue: 0,0:21:44.80,0:21:46.08,Default,,0000,0000,0000,,Nice.
Dialogue: 0,0:21:46.08,0:21:49.28,Default,,0000,0000,0000,,So you're probably asking yourself right now
Dialogue: 0,0:21:49.28,0:21:52.41,Default,,0000,0000,0000,,"What the fuck did I just see?"\N{\i1}laughter{\i0}
Dialogue: 0,0:21:52.41,0:21:55.81,Default,,0000,0000,0000,,"Was that a terminal screen?"
Dialogue: 0,0:21:55.81,0:22:00.24,Default,,0000,0000,0000,,And the answer is … "Yes"\NYes, it was,
Dialogue: 0,0:22:00.24,0:22:04.47,Default,,0000,0000,0000,,specifically the "ipconfig" command output.
Dialogue: 0,0:22:04.47,0:22:07.41,Default,,0000,0000,0000,,Or in other words: What you just saw
Dialogue: 0,0:22:07.41,0:22:15.37,Default,,0000,0000,0000,,was me exploiting those five lines \Nwith a remote code execution attack.
Dialogue: 0,0:22:15.37,0:22:20.51,Default,,0000,0000,0000,,So now that you saw the magic happen, \NI think it's time for some explanations.
Dialogue: 0,0:22:20.51,0:22:22.49,Default,,0000,0000,0000,,The first line, responsible for checking
Dialogue: 0,0:22:22.49,0:22:26.22,Default,,0000,0000,0000,,if a file has been uploaded in the "file" parameter,
Dialogue: 0,0:22:26.22,0:22:29.96,Default,,0000,0000,0000,,doesn't exactly do as it says.
Dialogue: 0,0:22:29.96,0:22:33.80,Default,,0000,0000,0000,,Instead of checking if the "file" \Nparameter is an uploaded file,
Dialogue: 0,0:22:33.80,0:22:39.23,Default,,0000,0000,0000,,it checks if one of its values is a file descriptor.
Dialogue: 0,0:22:39.23,0:22:45.11,Default,,0000,0000,0000,,Let me clarify that, instead of checking \Nif the parameter is only a file,
Dialogue: 0,0:22:45.11,0:22:48.98,Default,,0000,0000,0000,,it checks if the parameter is also a file.
Dialogue: 0,0:22:48.98,0:22:50.48,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:22:50.48,0:22:52.84,Default,,0000,0000,0000,,Meaning that uploading a file
Dialogue: 0,0:22:52.84,0:22:57.02,Default,,0000,0000,0000,,and assigning another scalar value to the same parameter
Dialogue: 0,0:22:57.02,0:23:00.15,Default,,0000,0000,0000,,will still work and bypass the check!
Dialogue: 0,0:23:00.15,0:23:01.46,Default,,0000,0000,0000,,WAT?
Dialogue: 0,0:23:01.46,0:23:06.44,Default,,0000,0000,0000,,{\i1}more laughter and applause{\i0}
Dialogue: 0,0:23:12.07,0:23:15.72,Default,,0000,0000,0000,,Creative fellows those guys are.
Dialogue: 0,0:23:15.72,0:23:22.14,Default,,0000,0000,0000,,So now we can assign the "file" parameter \Nboth a regular file and a scalar value.
Dialogue: 0,0:23:22.14,0:23:26.22,Default,,0000,0000,0000,,But what happens when we try to get \Nthe "file" parameter value?
Dialogue: 0,0:23:26.22,0:23:31.18,Default,,0000,0000,0000,,In a regular request, it should return \Nthe uploaded file descriptor,
Dialogue: 0,0:23:31.18,0:23:35.82,Default,,0000,0000,0000,,but now that we're adding another value to that parameter,
Dialogue: 0,0:23:35.82,0:23:40.60,Default,,0000,0000,0000,,param() returns a list containing all the values we sent:
Dialogue: 0,0:23:40.60,0:23:44.36,Default,,0000,0000,0000,,the file we've uploaded and our scalar value.
Dialogue: 0,0:23:44.36,0:23:49.19,Default,,0000,0000,0000,,But the "file" variable \Ncan't contain two values, right?
Dialogue: 0,0:23:49.19,0:23:55.22,Default,,0000,0000,0000,,So instead of converting \Nthe returned list into an array
Dialogue: 0,0:23:55.22,0:23:59.33,Default,,0000,0000,0000,,Perl only uses the first element of that list.
Dialogue: 0,0:23:59.33,0:24:05.56,Default,,0000,0000,0000,,So if we send our scalar value \Nbefore we send our file,
Dialogue: 0,0:24:05.56,0:24:09.99,Default,,0000,0000,0000,,the $file variable will be assigned \Nour scalar value
Dialogue: 0,0:24:09.99,0:24:14.31,Default,,0000,0000,0000,,instead of the uploaded file descriptor.
Dialogue: 0,0:24:14.31,0:24:19.62,Default,,0000,0000,0000,,Which means, that $file \Nis now a regular string!
Dialogue: 0,0:24:19.62,0:24:22.11,Default,,0000,0000,0000,,{\i1}in high pitched voice:{\i0} WAT?
Dialogue: 0,0:24:23.18,0:24:26.13,Default,,0000,0000,0000,,But what happens to this operator \Nwhen we use a string
Dialogue: 0,0:24:26.13,0:24:28.56,Default,,0000,0000,0000,,instead of a file descriptor?
Dialogue: 0,0:24:28.56,0:24:32.96,Default,,0000,0000,0000,,Well, the brackets operator \Ndoesn't work with strings, right?
Dialogue: 0,0:24:32.96,0:24:36.55,Default,,0000,0000,0000,,It works with file descriptors, \Nwhy should it work with strings?
Dialogue: 0,0:24:36.55,0:24:39.20,Default,,0000,0000,0000,,Well, that appears true
Dialogue: 0,0:24:39.20,0:24:42.82,Default,,0000,0000,0000,,unless that string is "ARGV".
Dialogue: 0,0:24:42.82,0:24:47.64,Default,,0000,0000,0000,,{\i1}laughter and applause{\i0}
Dialogue: 0,0:24:55.47,0:24:57.63,Default,,0000,0000,0000,,That's not the crazy part.
Dialogue: 0,0:24:57.63,0:24:59.76,Default,,0000,0000,0000,,{\i1}more laughter{\i0}
Dialogue: 0,0:24:59.76,0:25:04.69,Default,,0000,0000,0000,,In that case the brackets operator, listen closely,
Dialogue: 0,0:25:04.69,0:25:07.67,Default,,0000,0000,0000,,loops through the script arguments,
Dialogue: 0,0:25:07.67,0:25:12.49,Default,,0000,0000,0000,,which in CGI come directly from the \Nquery string instead of the command line,
Dialogue: 0,0:25:12.49,0:25:18.84,Default,,0000,0000,0000,,and it treats them as file paths, \Ninserting each one into an open() call!
Dialogue: 0,0:25:18.84,0:25:19.98,Default,,0000,0000,0000,,{\i1}again laughter{\i0}
Dialogue: 0,0:25:19.98,0:25:22.66,Default,,0000,0000,0000,,WAT?
Dialogue: 0,0:25:25.63,0:25:29.48,Default,,0000,0000,0000,,Yeah, that made sense at some point, I guess.
Dialogue: 0,0:25:29.48,0:25:32.49,Default,,0000,0000,0000,,All of this basically means that now,
Dialogue: 0,0:25:32.49,0:25:35.87,Default,,0000,0000,0000,,instead of displaying \Nour own uploaded file content,
Dialogue: 0,0:25:35.87,0:25:39.75,Default,,0000,0000,0000,,we can display the content \Nof any file on the server.
Dialogue: 0,0:25:39.75,0:25:43.33,Default,,0000,0000,0000,,But that's not the end, \Nas we haven't executed code yet.
Dialogue: 0,0:25:44.21,0:25:48.81,Default,,0000,0000,0000,,To execute code, we have \Nto look at the open() function.
Dialogue: 0,0:25:48.81,0:25:56.68,Default,,0000,0000,0000,,Again, this is the function being called \Nwith the ARGV values as file paths.
Dialogue: 0,0:25:56.68,0:26:03.05,Default,,0000,0000,0000,,open() is responsible for opening \Na file descriptor to a given file.
Dialogue: 0,0:26:03.05,0:26:05.87,Default,,0000,0000,0000,,Unless a "pipe" character is added
Dialogue: 0,0:26:05.87,0:26:09.04,Default,,0000,0000,0000,,to the end of the string,\N{\i1}laughter{\i0}
Dialogue: 0,0:26:09.04,0:26:13.26,Default,,0000,0000,0000,,and in that case instead of opening the file,
Dialogue: 0,0:26:13.26,0:26:16.23,Default,,0000,0000,0000,,it executes it…\N{\i1}applause rising{\i0}
Dialogue: 0,0:26:16.23,0:26:22.15,Default,,0000,0000,0000,,…acting as an exec() call!\N{\i1}more applause{\i0}
Dialogue: 0,0:26:22.58,0:26:28.51,Default,,0000,0000,0000,,So … when we send our exploit,
Dialogue: 0,0:26:28.51,0:26:34.63,Default,,0000,0000,0000,,containing our uploaded file, \Nthe "ARGV" malicious scalar value,
Dialogue: 0,0:26:34.63,0:26:37.64,Default,,0000,0000,0000,,and the ipconfig command followed by a pipe
Dialogue: 0,0:26:37.64,0:26:42.49,Default,,0000,0000,0000,,this is what we get.\NWAT?
Dialogue: 0,0:26:42.49,0:26:46.64,Default,,0000,0000,0000,,WAT?\N{\i1}applause{\i0}
Dialogue: 0,0:26:49.16,0:26:56.36,Default,,0000,0000,0000,,I know, I'm shocked too, but I'm not done yet. \N{\i1}laughter{\i0}
Dialogue: 0,0:26:56.36,0:27:00.72,Default,,0000,0000,0000,,Truth be told, I didn't write that code.
Dialogue: 0,0:27:00.72,0:27:06.16,Default,,0000,0000,0000,,Remember that PerlMonks told me \Nthat I should read their fucking manual?
Dialogue: 0,0:27:06.16,0:27:10.66,Default,,0000,0000,0000,,{\i1}more laughter{\i0}\NGuess where that code came from:
Dialogue: 0,0:27:10.66,0:27:22.98,Default,,0000,0000,0000,,the official CGI documentation!\N{\i1}big applause and audience whistling{\i0}
Dialogue: 0,0:27:32.54,0:27:36.35,Default,,0000,0000,0000,,But, I'm not blaming CGI.PM developers.
Dialogue: 0,0:27:36.35,0:27:41.36,Default,,0000,0000,0000,,Nor am I blaming developers \Nwho copied from CGI.PM examples.
Dialogue: 0,0:27:41.36,0:27:46.91,Default,,0000,0000,0000,,After all, who could have known \Nthat this is what this code will do?
Dialogue: 0,0:27:46.91,0:27:49.24,Default,,0000,0000,0000,,That this is how it could be exploited?
Dialogue: 0,0:27:49.24,0:27:54.31,Default,,0000,0000,0000,,There are no exec calls, \Nthe file is not saved anywhere,
Dialogue: 0,0:27:54.31,0:27:58.16,Default,,0000,0000,0000,,and we're only using a "print".
Dialogue: 0,0:27:58.16,0:28:07.33,Default,,0000,0000,0000,,The one solely responsible for this mess \Nis the Perl language.
Dialogue: 0,0:28:07.33,0:28:11.41,Default,,0000,0000,0000,,Perl is the one silently expanding lists,
Dialogue: 0,0:28:11.41,0:28:14.55,Default,,0000,0000,0000,,Perl is the one mixing up your data types,
Dialogue: 0,0:28:14.55,0:28:19.88,Default,,0000,0000,0000,,Perl is the one executing user input \Nwith no exec calls,
Dialogue: 0,0:28:19.88,0:28:22.80,Default,,0000,0000,0000,,Perl is the problem,
Dialogue: 0,0:28:22.80,0:28:25.50,Default,,0000,0000,0000,,not its developers.\N{\i1}applause rising{\i0}
Dialogue: 0,0:28:25.50,0:28:31.88,Default,,0000,0000,0000,,And until this god-damned, bizarre, \Ndangerous language is fixed,
Dialogue: 0,0:28:31.88,0:28:34.22,Default,,0000,0000,0000,,you could only \Nstop
Dialogue: 0,0:28:34.22,0:28:35.32,Default,,0000,0000,0000,,using
Dialogue: 0,0:28:35.32,0:28:40.21,Default,,0000,0000,0000,,Perl!
Dialogue: 0,0:28:40.21,0:28:47.00,Default,,0000,0000,0000,,Thank you!\N{\i1}more applause{\i0}
Dialogue: 0,0:28:59.02,0:29:02.75,Default,,0000,0000,0000,,Herald: So I guess \Nwe have some time for questions now.
Dialogue: 0,0:29:02.75,0:29:04.35,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NNetanel: Maybe
Dialogue: 0,0:29:04.35,0:29:08.17,Default,,0000,0000,0000,,Herald: And I have the funny feeling, \Nwe will have some questions now.
Dialogue: 0,0:29:08.17,0:29:12.92,Default,,0000,0000,0000,,Ok, so we have some microphones here. \NPlease queue up.
Dialogue: 0,0:29:12.92,0:29:17.96,Default,,0000,0000,0000,,Please do not shout in, because we need \Nto record it on the stream.
Dialogue: 0,0:29:17.96,0:29:19.16,Default,,0000,0000,0000,,Well, here we go.
Dialogue: 0,0:29:19.16,0:29:22.78,Default,,0000,0000,0000,,And we also have some questions \Nfrom the internet, don't we?
Dialogue: 0,0:29:22.78,0:29:27.27,Default,,0000,0000,0000,,Signal Angel: Oh yes, we do!\N{\i1}laughter{\i0}
Dialogue: 0,0:29:27.27,0:29:30.14,Default,,0000,0000,0000,,Signal: But before we come \Nto the technical questions,
Dialogue: 0,0:29:30.14,0:29:33.41,Default,,0000,0000,0000,,the IRC wants you to know \Nwhat you did to it:
Dialogue: 0,0:29:33.41,0:29:37.42,Default,,0000,0000,0000,,it felt like there were explosions \Nand camels everywhere.
Dialogue: 0,0:29:37.42,0:29:39.58,Default,,0000,0000,0000,,Netanel {\i1}laughing{\i0}: That's the point
Dialogue: 0,0:29:39.58,0:29:44.62,Default,,0000,0000,0000,,Signal: And incidentally they want to know \Nif you have a list of those camel pics somewhere?
Dialogue: 0,0:29:46.40,0:29:49.66,Default,,0000,0000,0000,,Netanel: I think Google has it? \N{\i1}more laughter{\i0}
Dialogue: 0,0:29:49.66,0:29:53.80,Default,,0000,0000,0000,,Just search there for camels.
Dialogue: 0,0:29:53.80,0:29:59.22,Default,,0000,0000,0000,,Signal: So for the first question. \NOpello(?) wants to know
Dialogue: 0,0:29:59.22,0:30:04.29,Default,,0000,0000,0000,,if the take-away is that Perl project authors \Nshouldn't trust input
Dialogue: 0,0:30:04.29,0:30:10.44,Default,,0000,0000,0000,,and instead verify types with REF \Nand always use prepared SQL statements?
Dialogue: 0,0:30:13.62,0:30:20.63,Default,,0000,0000,0000,,Netanel: That's a good question. The take-away should be… \N{\i1}laughter{\i0}
Dialogue: 0,0:30:24.04,0:30:28.43,Default,,0000,0000,0000,,well, how will I phrase it …
Dialogue: 0,0:30:29.42,0:30:32.73,Default,,0000,0000,0000,,I think I have a slide … somewhere … \N{\i1}more laughter{\i0}
Dialogue: 0,0:30:32.73,0:30:36.30,Default,,0000,0000,0000,,Oh wait, where's my slide?
Dialogue: 0,0:30:37.63,0:30:40.20,Default,,0000,0000,0000,,Don't worry, I have it right here.
Dialogue: 0,0:30:44.22,0:30:49.08,Default,,0000,0000,0000,,But really, trusting user input \Nis always a bad idea
Dialogue: 0,0:30:49.08,0:30:51.83,Default,,0000,0000,0000,,and most developers know it.
Dialogue: 0,0:30:51.83,0:30:54.21,Default,,0000,0000,0000,,The problem is, that…
Dialogue: 0,0:30:54.21,0:30:57.18,Default,,0000,0000,0000,,well, at least from the code \NI saw written in Perl,
Dialogue: 0,0:30:57.18,0:31:00.09,Default,,0000,0000,0000,,and that's a lot of code, trust me
Dialogue: 0,0:31:00.09,0:31:04.79,Default,,0000,0000,0000,,…is that hashes and arrays \Nare almost always considered secure
Dialogue: 0,0:31:04.79,0:31:09.14,Default,,0000,0000,0000,,as they supposedly can't be \Ncreated by user input, as I said.
Dialogue: 0,0:31:09.14,0:31:18.20,Default,,0000,0000,0000,,But, when you're expecting your user input \Nto be a scalar, a string or even a list
Dialogue: 0,0:31:18.20,0:31:25.85,Default,,0000,0000,0000,,and instead you get a hash from unexpected \Ndirections, you get confused.
Dialogue: 0,0:31:25.85,0:31:30.78,Default,,0000,0000,0000,,And you can't always \Nlive in the fear of not knowing
Dialogue: 0,0:31:30.78,0:31:33.61,Default,,0000,0000,0000,,what data type you're trying to handle.
Dialogue: 0,0:31:33.61,0:31:40.08,Default,,0000,0000,0000,,Well, not trusting scalar data types \Nis a wise decision, because it's dangerous.
Dialogue: 0,0:31:40.08,0:31:46.12,Default,,0000,0000,0000,,But not trusting your hashes, \Nas well as not trusting your arrays?
Dialogue: 0,0:31:46.12,0:31:49.58,Default,,0000,0000,0000,,What's next? Not trusting your own code?
Dialogue: 0,0:31:49.58,0:31:54.27,Default,,0000,0000,0000,,You just can't expect anything \Nto really work as it should.
Dialogue: 0,0:31:54.27,0:31:56.44,Default,,0000,0000,0000,,When you're writing Perl,
Dialogue: 0,0:31:56.44,0:32:03.90,Default,,0000,0000,0000,,you are constantly attacked \Nfrom all these different directions.
Dialogue: 0,0:32:03.90,0:32:08.58,Default,,0000,0000,0000,,And even the data type direction is a problem now.
Dialogue: 0,0:32:08.58,0:32:12.65,Default,,0000,0000,0000,,I hope that answered the question \Nbesides the slide.
Dialogue: 0,0:32:12.65,0:32:16.34,Default,,0000,0000,0000,,Herald: Well, then we're gonna go over \Nand start with number one.
Dialogue: 0,0:32:16.34,0:32:19.49,Default,,0000,0000,0000,,Questioner: So thank you for opening our eyes.
Dialogue: 0,0:32:19.49,0:32:24.25,Default,,0000,0000,0000,,Even I use Perl, I would say, \Nfor cooking and yes …
Dialogue: 0,0:32:24.25,0:32:25.72,Default,,0000,0000,0000,,Netanel: I remember you\NQ: Sorry?
Dialogue: 0,0:32:25.72,0:32:27.38,Default,,0000,0000,0000,,N: I remember you from the last talk! \NQ: No no
Dialogue: 0,0:32:27.38,0:32:30.51,Default,,0000,0000,0000,,N: Oh, you're new? Oh… {\i1}smirking{\i0}\NQ: I'm new, I'm new…
Dialogue: 0,0:32:30.51,0:32:36.07,Default,,0000,0000,0000,,Q: So… I can't say I'm not guilty of that, \Nbut I still would say yes,
Dialogue: 0,0:32:36.07,0:32:39.51,Default,,0000,0000,0000,,Perl is a bit like cooking with my mum.
Dialogue: 0,0:32:39.51,0:32:46.32,Default,,0000,0000,0000,,Sometimes I put something into…\Nthe… with the boiling thing…
Dialogue: 0,0:32:46.32,0:32:50.86,Default,,0000,0000,0000,,and sometimes she, sometimes I go away, \Nsometimes she goes away
Dialogue: 0,0:32:50.86,0:32:53.89,Default,,0000,0000,0000,,and the only thing you can do is always taste.
Dialogue: 0,0:32:53.89,0:32:57.81,Default,,0000,0000,0000,,And yes, you're maybe right, Perl is a language
Dialogue: 0,0:32:57.81,0:33:01.82,Default,,0000,0000,0000,,where you never know what comes out, \Nbut it's really cool!
Dialogue: 0,0:33:01.82,0:33:04.58,Default,,0000,0000,0000,,If you get the right response you can use it,
Dialogue: 0,0:33:04.58,0:33:08.68,Default,,0000,0000,0000,,if you use it to write web applications \NI would agree.
Dialogue: 0,0:33:08.68,0:33:12.86,Default,,0000,0000,0000,,Web applications, the professional ones \Nat least, are not for cooking,
Dialogue: 0,0:33:12.86,0:33:18.47,Default,,0000,0000,0000,,but for doing funny things and \Nhaving some fun, I think it's a perfect language.
Dialogue: 0,0:33:18.47,0:33:22.30,Default,,0000,0000,0000,,N: I think Perl is a lot of fun. \N{\i1}laughter{\i0}
Dialogue: 0,0:33:22.30,0:33:26.63,Default,,0000,0000,0000,,I completely agree on that. {\i1}laughing{\i0}
Dialogue: 0,0:33:26.63,0:33:29.14,Default,,0000,0000,0000,,Herald: Then we're gonna go over to two.
Dialogue: 0,0:33:29.14,0:33:33.74,Default,,0000,0000,0000,,Question: Was your life ever threatened \Nwhile interacting with the Perl community?
Dialogue: 0,0:33:33.74,0:33:35.79,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NN: Could you please repeat that? I …
Dialogue: 0,0:33:35.79,0:33:39.54,Default,,0000,0000,0000,,Q: Was your life ever threatened \Nwhile interacting with the Perl community?
Dialogue: 0,0:33:39.54,0:33:42.52,Default,,0000,0000,0000,,N: Definitely. Definitely,
Dialogue: 0,0:33:42.52,0:33:46.73,Default,,0000,0000,0000,,I'm getting hate mail every day, \Nliving in fear …
Dialogue: 0,0:33:46.73,0:33:48.65,Default,,0000,0000,0000,,H: And over to three, please.
Dialogue: 0,0:33:48.65,0:33:53.26,Default,,0000,0000,0000,,Q: I think I speak for all of us \Nwhen I thank you for this wonderful talk,
Dialogue: 0,0:33:53.26,0:34:00.09,Default,,0000,0000,0000,,N: Uh, thank you. Thank you really! Thank you.\N{\i1}applause{\i0}
Dialogue: 0,0:34:00.09,0:34:06.66,Default,,0000,0000,0000,,Q: Brilliantly executed, but… ehm… \Nyou spoke about Perl 5 I think.
Dialogue: 0,0:34:06.66,0:34:11.16,Default,,0000,0000,0000,,N: Yes, you are absolutely right.\NQ: As some of you might know, this Christmas…
Dialogue: 0,0:34:11.16,0:34:15.03,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NQ: …so tomorrow Ingo Blechschmidt
Dialogue: 0,0:34:15.03,0:34:20.05,Default,,0000,0000,0000,,is going to give a talk about how Perl 6 \Nwill make everything better
Dialogue: 0,0:34:20.05,0:34:24.16,Default,,0000,0000,0000,,and how everyone should start \Nusing Perl 6 and…
Dialogue: 0,0:34:24.16,0:34:27.89,Default,,0000,0000,0000,,N: It also craps rainbows\NQ: Yeah, of course…
Dialogue: 0,0:34:27.89,0:34:31.39,Default,,0000,0000,0000,,Q: My personal comment is: \Nwouldn't it have happened
Dialogue: 0,0:34:31.39,0:34:33.94,Default,,0000,0000,0000,,with a statically typed language?
Dialogue: 0,0:34:33.94,0:34:39.45,Default,,0000,0000,0000,,So I think some nice folks at Haskell \Nin IRC are waiting for you Perl developers
Dialogue: 0,0:34:39.45,0:34:44.75,Default,,0000,0000,0000,,to please come, join us … Thank you!\NN: {\i1}smirking{\i0}
Dialogue: 0,0:34:44.75,0:34:46.46,Default,,0000,0000,0000,,{\i1}Herald and Netanel start speaking simultaneously{\i0}
Dialogue: 0,0:34:46.46,0:34:49.45,Default,,0000,0000,0000,,H: …sorry, to answer first, where am I… sorry\NN: Ah, no..., I am not answering, just...
Dialogue: 0,0:34:49.45,0:34:55.53,Default,,0000,0000,0000,,just a quick note about Perl 6. \NThis talk is all about Perl 5, alright?
Dialogue: 0,0:34:55.53,0:35:01.11,Default,,0000,0000,0000,,I … Perl 6 came out a couple of days ago and …
Dialogue: 0,0:35:01.11,0:35:06.85,Default,,0000,0000,0000,,...from …at least from what I saw, \NPerl 6 is to Perl as…
Dialogue: 0,0:35:06.85,0:35:11.93,Default,,0000,0000,0000,,C++ is to C. It's the same name, \Nbut it's a whole different language.
Dialogue: 0,0:35:11.93,0:35:17.31,Default,,0000,0000,0000,,So yes, this is Perl 5. \NMaybe I'll come back next year about Perl 6?
Dialogue: 0,0:35:17.31,0:35:19.05,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NWho knows?
Dialogue: 0,0:35:19.05,0:35:22.18,Default,,0000,0000,0000,,Herald: I'm looking forward to that already.\N{\i1}applause{\i0}
Dialogue: 0,0:35:22.18,0:35:25.13,Default,,0000,0000,0000,,{\i1}Herald pointing to Signal Angel{\i0}
Dialogue: 0,0:35:25.13,0:35:31.10,Default,,0000,0000,0000,,Signal: Yeah… Joerd(?) wants to know: \Nof course you talked a lot about CGI.PM
Dialogue: 0,0:35:31.10,0:35:37.29,Default,,0000,0000,0000,,which, you know, was removed from the Perl repository \Neven before your talk last year.
Dialogue: 0,0:35:37.29,0:35:43.40,Default,,0000,0000,0000,,So what about its replacements \Nfrom CPAN like CGI::Simple?
Dialogue: 0,0:35:43.40,0:35:48.26,Default,,0000,0000,0000,,Netanel: I don't know, I haven't checked it. \NWhen I decided on which modules to check,
Dialogue: 0,0:35:48.26,0:35:55.61,Default,,0000,0000,0000,,I took CGI.PM because even though it is old, \Nit is the most popular in the world as of today
Dialogue: 0,0:35:55.61,0:36:03.16,Default,,0000,0000,0000,,and I took Mojolicious and Catalyst because \Nthey were really popular, too.
Dialogue: 0,0:36:03.16,0:36:08.13,Default,,0000,0000,0000,,So I didn't take the newest modules, \NI took the most popular modules.
Dialogue: 0,0:36:08.13,0:36:15.97,Default,,0000,0000,0000,,And I think that's the important \Naspect of … deciding.
Dialogue: 0,0:36:17.69,0:36:20.87,Default,,0000,0000,0000,,Herald: And over to one, please.
Dialogue: 0,0:36:20.87,0:36:29.01,Default,,0000,0000,0000,,Questioner: Hi… I'm… part of the Perl community, and…\N{\i1}laughter{\i0}
Dialogue: 0,0:36:29.01,0:36:33.17,Default,,0000,0000,0000,,N: Hi!\NQ: But I just start with Perl – 5
Dialogue: 0,0:36:33.17,0:36:40.32,Default,,0000,0000,0000,,N: Uhh… ehm… uhh… didn't you… nhaa…\N{\i1}laughter{\i0}
Dialogue: 0,0:36:40.32,0:36:44.33,Default,,0000,0000,0000,,Q: We use Perl for almost every module \Nthat we have at work
Dialogue: 0,0:36:44.33,0:36:47.31,Default,,0000,0000,0000,,and this worked really fine. \NN: …yeah…
Dialogue: 0,0:36:47.31,0:36:51.92,Default,,0000,0000,0000,,Q: And I don't know why you're picking Perl as the language to attack.
Dialogue: 0,0:36:51.92,0:36:59.10,Default,,0000,0000,0000,,It's a really old language, and also every language \Nthat we can pick has problems.
Dialogue: 0,0:36:59.10,0:37:05.03,Default,,0000,0000,0000,,But it doesn't mean this has to die or \Nwe have to stop using it. So I don't know why…
Dialogue: 0,0:37:05.03,0:37:08.56,Default,,0000,0000,0000,,N: …you're right, you're right. \NFirst of all, you're completely right,
Dialogue: 0,0:37:08.56,0:37:11.96,Default,,0000,0000,0000,,because a language shouldn't die, it should improve.
Dialogue: 0,0:37:11.96,0:37:16.88,Default,,0000,0000,0000,,C got criticized and it improved. \NPHP got criticized and it improved.
Dialogue: 0,0:37:16.88,0:37:20.16,Default,,0000,0000,0000,,Why can't Perl be criticized, too?
Dialogue: 0,0:37:20.16,0:37:24.24,Default,,0000,0000,0000,,Why is it like a code, when you say \Nsomething bad about Perl, then,
Dialogue: 0,0:37:24.24,0:37:27.25,Default,,0000,0000,0000,,I don't know, a horde of PerlMonks jumps on you?
Dialogue: 0,0:37:27.25,0:37:32.55,Default,,0000,0000,0000,,Why not improve the language? \NDon't use it in your work though,
Dialogue: 0,0:37:32.55,0:37:37.77,Default,,0000,0000,0000,,it's dangerous.\N{\i1}laughter and applause{\i0}
Dialogue: 0,0:37:39.51,0:37:42.11,Default,,0000,0000,0000,,H: Then we're gonna jump over to five, please.
Dialogue: 0,0:37:42.11,0:37:48.51,Default,,0000,0000,0000,,Q: Hi. I'm not a Perl developer, \Nbut I use a lot of Ruby and Python.
Dialogue: 0,0:37:48.51,0:37:51.06,Default,,0000,0000,0000,,Is this really limited to Perl or
Dialogue: 0,0:37:51.06,0:37:54.17,Default,,0000,0000,0000,,does this apply to more or less \Nany dynamic language?
Dialogue: 0,0:37:54.17,0:37:58.64,Default,,0000,0000,0000,,N: As I said in one of the first few slides,
Dialogue: 0,0:37:58.64,0:38:03.61,Default,,0000,0000,0000,,some of it also applies to Python. \NSpecifically the thing
Dialogue: 0,0:38:03.61,0:38:09.87,Default,,0000,0000,0000,,when you can't specify what data types \Nyour function arguments can get.
Dialogue: 0,0:38:09.87,0:38:15.95,Default,,0000,0000,0000,,But, what's unique to Perl is that \Nwriting different code
Dialogue: 0,0:38:15.95,0:38:20.25,Default,,0000,0000,0000,,for different data types in one function \Nis very, very common.
Dialogue: 0,0:38:20.25,0:38:23.18,Default,,0000,0000,0000,,You can do it in every language, of course!
Dialogue: 0,0:38:23.18,0:38:28.28,Default,,0000,0000,0000,,But it is very common only in Perl! \NAnd that is unique about it,
Dialogue: 0,0:38:28.28,0:38:32.50,Default,,0000,0000,0000,,of course besides the thing \Nthat hashes and arrays are secure.
Dialogue: 0,0:38:32.50,0:38:37.12,Default,,0000,0000,0000,,That's of course Perl's only fault.
Dialogue: 0,0:38:37.12,0:38:40.10,Default,,0000,0000,0000,,H: Good, then we're gonna go over to six, please.
Dialogue: 0,0:38:40.10,0:38:47.30,Default,,0000,0000,0000,,Q: Hey! Did you say WAT more \Nwhile preparing this talk or while holding it?
Dialogue: 0,0:38:47.30,0:38:56.78,Default,,0000,0000,0000,,N: Uhm. Both. {\i1}Laughing{\i0}. \NDid I rant? That was the … right?
Dialogue: 0,0:38:56.78,0:39:00.91,Default,,0000,0000,0000,,Q: Did you say it more \Nwhile preparing it or while holding it?
Dialogue: 0,0:39:00.91,0:39:02.96,Default,,0000,0000,0000,,N: I'm missing your word, man, can you...
Dialogue: 0,0:39:02.96,0:39:11.47,Default,,0000,0000,0000,,Ahh, wat… WAT! Ohh… Yeah, both!\N{\i1}laughter{\i0}
Dialogue: 0,0:39:11.47,0:39:14.83,Default,,0000,0000,0000,,H: Ok, do we have another from the internet?
Dialogue: 0,0:39:14.83,0:39:19.42,Default,,0000,0000,0000,,Signal: Does your exploit \Nalso work in tainted mode?
Dialogue: 0,0:39:19.42,0:39:23.66,Default,,0000,0000,0000,,N: No, I believe not. No, it doesn't.
Dialogue: 0,0:39:24.47,0:39:26.68,Default,,0000,0000,0000,,H: And another one...
Dialogue: 0,0:39:26.68,0:39:35.54,Default,,0000,0000,0000,,S: Are there any Perl obfuscated code exploits \Nlike this for Catalyst or Mojolicious?
Dialogue: 0,0:39:36.14,0:39:39.44,Default,,0000,0000,0000,,{\i1}someone chuckling in audience{\i0}
Dialogue: 0,0:39:39.44,0:39:43.41,Default,,0000,0000,0000,,N: I've no idea, man, maybe. \NI didn't check it of course.
Dialogue: 0,0:39:43.41,0:39:48.08,Default,,0000,0000,0000,,I didn't check every module \Nfor every exploit I ever want to create, but
Dialogue: 0,0:39:48.08,0:39:55.08,Default,,0000,0000,0000,,on CGI.PM, which is again \Nthe most popular CGI library, it did.
Dialogue: 0,0:39:55.08,0:40:02.57,Default,,0000,0000,0000,,So, maybe the internet \Ncan find more exploits. I know it can.
Dialogue: 0,0:40:02.57,0:40:06.62,Default,,0000,0000,0000,,H: Bring it on. That's it?\NN: That's it?
Dialogue: 0,0:40:06.62,0:40:07.78,Default,,0000,0000,0000,,Thank you!
Dialogue: 0,0:40:07.78,0:40:09.16,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:40:09.16,0:40:12.40,Default,,0000,0000,0000,,Herald: Thank you very much!\NNetanel: Thank you!
Dialogue: 0,0:40:12.40,0:40:17.68,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:40:17.68,0:40:24.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2016. Join, and help us!