Skip to content.

Scott Arciszewski

Software, Privacy, Security, Innovation

Scott Arciszewski in Open Source

For the most up-to-date coverage on my involvement in open source projects, check out my GitHub account.

Contributions to Others' Projects

Anchor CMS
  • Disclosed a security concern that led to the deprecation of the offending cookie-based session driver.
CodeIgniter Framework
  • Discovered and reported a timing attack to PHP object injection vulnerability in the session class which affected all versions up to CodeIgniter 2.1.4 but was patched in 3.0-develop.
    • This and vulnerabilities discovered by other researchers led to the release of CodeIgniter 2.2.0.
  • Provoked and participated in the discussion that led to the new Encryption library in CodeIgniter 3.
Drupal Core
  • Made drupal_random_pseudo_bytes() fallback to mcrypt_create_iv() if it exists.
  • Added Double-HMAC hash comparison to add resistance to side-channel attacks.
Facebook PHP SDK v4
  • Improved their code for generating random numbers to be cryptographically secure.
Faceless IM
  • Reported a timing side-channel in their crypto code, which the repository maintainer patched with Double-HMAC after much discussion.
Joomla CMS
  • Submitted a patch to prevent timing attacks on all hash comparisons throughout the framework.
  • Submitted a patch that would implement NIST compliant AES instead of 256-bit Rijndael.
Kohana Framework
  • Implemented a constant-time hash comparison utility
  • Fixed a timing attack to PHP object injection attack vector in the session class
  • Submitted a slightly more-reliable (but still bad) userspace RNG for when /dev/urandom isn't available
OpenWireless Firmware (Electronic Frontier Foundation)
  • Wrote a diceware passphrase generator.
  • Modified the password verification code to compare hashes in constant time.
  • Changed Crypt::generateKey() to return a 256-bit key, rather than a 1464-bit key with a misleading comment.
Password Hashing Library (Defuse Security)
  • Submitted example code so PHP developers can see how to use the library properly.
  • Added support for window.msCrypto for MSIE browsers.
  • Submitted a pull request to generate more reliably secure passwords.
  • Submitted a patch to strengthen the random number generator.
  • Fixed a division-by-zero bug in BaseDrawing.php
PHP scrypt extension
  • Proposed a patch to the random salt generator to prioritize CSPRNGs
Yii 2 Framework
  • Updated the base security helper to consistently use openssl_random_pseudo_bytes() instead of mt_rand()

Projects I've Started

Onionimbus — Dedicated Reverse Proxy for Tor Hidden Services
PHP File API — An API for securely allowing users to upload/download files
PW Strength — PHP Library to estimate password strength via compression ratios and chi-square randomness tests

Want to hire Scott Arciszewski as a technology consultant? Need help securing your applications? Need help with secure data encryption in PHP?

Contact Paragon Initiative Enterprises and request Scott be assigned to your project.