08 Nov 2011
I know better than to write this particular post, especially after selling more copies of Lasso in the last month than since May 2007. Lasso is taking off again.
However, I'm going to write it anyway, if only because it is important that Lasso developers hear good things about Lasso, to use as ammunition when attracting potential clients. We need to answer the "why Lasso?" question in a way the client will understand and appreciate: Security.
Recently, I asked an open question on the LassoTalk list: "Is anyone on this list aware of a case where Lasso or Lasso code itself was definitively responsible for a compromised server?" Although I did receive some answers (which I will discuss later), I didn't receive very many responses.
Now every software vendor knows better than to bait a group of potential hackers by suggesting that their software is unhackable. Not that I would ever even consider such a foolhardy, hubristic comment - it's just not true. I am certain that Lasso has vulnerabilities. Not because LassoSoft is aware of any (there are currently no known vulnerabilities in Lasso 8 or 9), but because I have seen enough of other products to note that issues can be identified many years after a product's release. Also, you can't sell door locks and claim that no-one has ever gotten through the door when they shouldn't have; any coder can just leave the door open, by mistake or intentionally.
I would also hazard a guess that at some point or another a server has been compromised as a result of Lasso code, and we are not aware of the issue. Either a) the person who created the code still isn't aware of the issue, or b) the person left the Lasso world (possibly as a result of this issue!) and therefore I'm not aware of the incident.
Having said this - at this exact moment, I am not aware of a single instance in which Lasso itself was responsible for a compromised server. Even though Lasso has been around since the beginning of the commercialized web, and a number of vulnerabilities have been reported, Lasso code just hasn't been a target.
"Ah", you say, "That's because of Security through Obscurity. The few people in the world who use Lasso are too small a target."
I'd like to unpack this common comment a bit. If I do a simple search for "filetype" on Google, I get some interesting results about how many "known" Lasso pages Google has indexed:
filetype: rb - 1,560,000 (Ruby)
filetype: lasso - 6,140,000 (Lasso)
filetype: py - 10,900,000 (Python)
filetype: cfm - 504,000,000 (ColdFusion)
filetype: asp - 3,450,000,000 (Active Server Pages)
filetype: php - 22,750,000,000 (PHP)
And yes, I know this is a silly exercise; we all moved to readable, extension-less URLs in the late '90s. However, a simple search on Google proves the following: there are at least six million easily identifiable Lasso pages out there on the web. A little more research would net you millions more.
My point is this: for many years, people have said to me: "The reason Apple products don't have security vulnerabilities or viruses is because very few people use Apple computers." There is just no speaking to these people. The internet suggests Apple has sold over 100 million Macs. To count all of these computers, if they were lined up in a row, would take someone more than their entire lifespan. What kind of rubbish theory suggests that this isn't a big enough target?
It's because the Mac OS is a fundamentally more difficult target to circumvent that your average hacker (or script kiddie) chooses to pick on the target that is easier to pick on. They don't necessarily leave the Mac alone, but why rob a police station when you can rob a convenience store? PHP is a convenience store of opportunity for the hacker world.
As well, there are still definitely more people using Windows than Mac, by a factor of 1:20 or so. There are more monkeys at typewriters who might alternatively write Shakespeare or stumble across some vulnerability while they poke away. People who buy Macs are buying them to use them, not to monkey around with them. Also, you have to buy Mac hardware in order to hack it, which makes it economically out of reach for people with nothing better to do. In the Windows world, any haphazard piece of hardware gets you access to a plethora of ne'er-do-welling.
Now I can speak for Treefrog as well in this case. We have built thousands of websites with millions of pages within the last decade (all with extension-less URLs, btw, so they are not visible on Google as Lasso sites). We run dozens of servers, Lasso and others. And our servers have been hacked a number of times in the past few years. Every one of these hacks was the result of PHP - mainly, Wordpress and various forums. We have never *knock on wood, twenty Hail Marys* been compromised due to an installation of Lasso. In other words, we keep PHP off our Lasso servers, and those servers have not been hacked—ever.
Sure, Lasso may not be perfect (though we are working on that). But we sure do have a compelling competitive strategic advantage in this case.
Perhaps this is why we count among our developers' clients: The US Department of Defense, CSIS (Canadian Security Intelligence Service), The United Nations, SpamHaus, NASA, etc.
Many of you are aware of the fairly famous Lasso "Crack-a-mac" contest where Lasso was used to hack a computer, and Blueworld paid out the bounty (of about $13k).
A few notes though. Number one: it was 14 years ago. Number two: it wasn't Lasso code that was compromised. It was actually Lasso that was used to access files that were not protected by the filesystem. Not only that, but the individual who "hacked" the server had access to edit the Lasso files, and the compromised password file was located in the web root. In other words: the hacker already had the keys to the farm, and the horses were already saddled and ready for riding. Are you giving out passwords to anyone but administrators, or putting filesystem passwords in the web root? I hope not.
Legend has it that although the contest admitted that the issue was not a Lasso vulnerability, but rather server setup, Blueworld paid out the bounty as a gesture of apology, since theirs was the mechanism by which the contest lost viability. Blueworld also added functionality to prevent the issue and closed the hole for the other party.
So, I humbly submit: no known examples of a production server being hacked were ever recorded, as this was just a contest.
One good point of learning however: don't goad programmers, or they will kick your ass into submission.
We have a bunch of ideas of how we can maintain this important value and cling to it tenaciously into the future. Here are some of our advantages, as we see them:
1) We have Bil Corry watching our backs.
Admittedly, he is not paid by LassoSoft, and does not stand to benefit from this call-out and thank you. However, he has identified most of the potential vulnerabilities found so far in our language, and actively pokes around for new things in his spare time as time permits. (And Bil! If you are reading this, we are partway through the Windows version of Lasso 9 that you have been waiting for.) A senior web security specialist working for one of the largest payment pals in the world, he is a security hero amongst us.
2) We know who you are.
We know who has a copy of Lasso, and as a result can immediately contact you if a vulnerability is discovered. This is one of the truest (and often overlooked) benefits of a commercial product over open source. Unlike the download-install-and-you-are-on-your-own flotsam and jetsam floating about on the web, we can immediately communicate with you when there is an issue. Ergo, we can close holes faster when they appear - and tell you directly to do the same.
3) We have closed source.
...ergo, very few people have access to the source to poke around in it in their spare time looking for holes. And yes, this argument cuts both ways, and history has shown us that open source software has its vulnerabilities discovered more quickly. Sure. And those vulnerabilities are also immediately shared with the world and with all of the script kiddies on the planet. In fact, we don't attract script kiddies, which is both a security benefit and an adoption curse.
4) You have to buy it.
Yes, anyone can download and play with it. But the simple fact that you have to pay for it keeps the user base at a professional level. If you have idle time to fiddle, you aren't making a lot of money. Our product costs. Therefore, people who use Lasso are serious about using it, and not just hanging about in their mom's basement with WoW in the background and some time to kill messing with other people's livelihood.
5) Security is our first value.
We have an internal focus on the value and importance of security. We are continually discussing how we improve Lasso from a security standpoint.
6) We will check your code for you ourselves.
We are introducing and will be pushing more and more code auditing services and training opportunities with a focus on security and writing secure code. We believe that through training and documentation, we can help the Lasso community keep and improve its strength in the development world.
7) We will protect your client if something happens to you.
If you are a Certified Lasso Developer, we offer an additional security benefit: in the worst-case scenario of your demise (which is the most likely point at which your client would be attacked), we will step in and ensure that your client is protected as well. In future we have plans to start an end-user database to maintain "Lasso-Signed" websites, to ensure that websites using Lasso are using "known versions". Then CLDs who are interested can ensure that websites using said versions can be immediately contacted when a vulnerability arises.
We will maintain this focus on security far into the future. It is our core value.
At the bottom of all of this is a simple but compelling reason to purchase and use Lasso.
We spent tens of thousands of dollars at Treefrog doing a market survey to determine the most important thing to people when building their website (more specifically, in choosing a CMS). The number one answer, across the board, which was completely unexpected: people wanted their website to be secure.
Not only is this security benefit a real benefit, but the additional savings to the client are significant. This extends far beyond the cost of prototyping and initial build and into the total cost of ownership of a project in the long term.
Do not be afraid to tell your clients about this benefit of Lasso. It is real, and it has value to you and your clients above what you have paid for the product.
If you are a hacker, this post was not an attempt to bait you into the challenge of hacking Lasso. We all know you are smarter than us, and we both know you could do damage to us or our community if you really wanted to.
If you are a server administrator, please continue to light candles, wear charm bracelets and pray to your preferred deity to protect your servers from harm.
Having said this, we will continue to drive security as our most critical value, and do everything we can to maintain your integrity as a developer as well as that of your clients. So, although we may suffer future misfortune, or identify issues from the past of which we are not yet aware, as of this moment I drink my morning coffee in the knowledge that my programming language is looking after my best interests.
Is Lasso ever going to achieve the market penetration of PHP? No.
Are we going to be hacked less? Yes.
Sleep better knowing your code is stronger.
Addendum: Nov 9, 2011
The challenge name was incorrectly stated as 'Hack a Mac'. It has been corrected to 'Crack-a-mac'.
The 'access' and 'passwords' vulnerabilities were mistakenly identified as FTP when this was not the case. The text in this section has been corrected to remove reference to FTP.
The statement extending the reason for Blueworld paying the prize money has been corrected.
We also received a link to a hack event that was the precursor to the one involving Lasso, which makes interesting reading too! http://www.wired.com/science/discoveries/news/1997/02/2015.