Interview with Vinícius Campitelli
Eric Van Johnson and John Congdon interview feature contributor Vinícius Campitelli about his article Cryptography with Libsodium.
According to the just-released 2021 version of the OWASP Top 10 (a curated list of the most critical web application security risks), “Cryptographic Failures” is the second most important of the many security concerns we should have as web developers. This category covers many misuses of cryptographic systems, such as choosing weak algorithms, poor randomness sources, or deprecated methods. That is why this is also the second article covering the main topics in cryptography: in our last issue, we covered the main theory, the lack of which is sometimes the cause of the errors mentioned above, and now we will see how to use libsodium, a modern library with the most recommended algorithms already built in and no weak settings available by default. It is a cross-platform tool, available on Windows, Mac, and Linux, and has been included in PHP’s core since 7.2. It also has bindings for Java, NodeJS, Python, Go, and several other languages, so it is safe to say it runs pretty much everywhere. The official website is libsodium.org, and you should consult the full documentation there rather than the PHP.net manual, which is sometimes incomplete. There is also a Quick Reference and a “Using Libsodium in PHP Projects” article.
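To make the "no weak settings by default" point concrete, here is an added example (it is not code from the article or from the libsodium project) of authenticated secret-key encryption with the `sodium_*` functions that ship in PHP 7.2 and later. The helper names `seal_message` and `open_message` are my own; the constructed sample plaintext is arbitrary. The only algorithm `sodium_crypto_secretbox` offers is XSalsa20-Poly1305, so there is no mode, padding or key-size choice to get wrong; the remaining responsibilities left to the caller, a unique nonce per message and a check of the result of the open call, are shown explicitly:

```php
<?php
declare(strict_types=1);

// Encrypt and authenticate $plaintext under $key. Returns base64 of nonce || ciphertext.
function seal_message(string $plaintext, string $key): string
{
    // A fresh random nonce for every message: reusing one under the same key
    // is the classic misuse, and random_bytes() is a CSPRNG.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // Secretbox = XSalsa20 stream cipher + Poly1305 MAC; no other algorithm is selectable.
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);

    // The nonce is not secret, only unique, so it can travel with the ciphertext.
    return sodium_bin2base64($nonce . $ciphertext, SODIUM_BASE64_VARIANT_ORIGINAL);
}

// Verify and decrypt. Returns null on any failure (truncated input or a bad MAC).
function open_message(string $encoded, string $key): ?string
{
    $raw = sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_ORIGINAL);

    $minLength = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLength) {
        return null;
    }

    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

    // The MAC is checked before anything is decrypted; false means "tampered or wrong key".
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);

    return $plaintext === false ? null : $plaintext;
}

// Constructed demo (assumed values, not from the article).
$key   = sodium_crypto_secretbox_keygen();          // 32 random bytes
$token = seal_message('session-id=12345;role=user', $key);

var_dump(open_message($token, $key));               // string(26) "session-id=12345;role=user"

// Flip the last ciphertext byte: the open call fails instead of returning garbage.
$raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_ORIGINAL);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(open_message(sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_ORIGINAL), $key)); // NULL

// Wipe the key from memory once it is no longer needed.
sodium_memzero($key);
```

Note that `open_message` treats both a too-short input and a failed tag verification the same way and returns nothing else, so calling code cannot accidentally use unauthenticated bytes; this is the behaviour the article contrasts with hand-rolled OpenSSL code, where the caller has to remember to pick an AEAD mode and compare the tag in constant time.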
Transcript
Eric Van Johnson 0:00
You’re listening to the PHP podcast interview edition for November 2021. I am your host, Eric Van Johnson, and with me is John Congdon. Hey, Lou and joining us again back in studio. This yes kept a tally.
Vinícius Campitelli 0:14
Yeah,
Eric Van Johnson 0:16
yeah baby I’ve been practicing. Yeah, I see that. It’s almost been a year since we spoke. The last time we spoke was December of 2020. We’re November of 2021. You had just moved to São Paulo, Brazil, you had just left your startup? Exactly, em, you’re going on some new adventures? I think one of them was teaching, you’re gonna teach I teach a class. What’s been going on? How’s how’s life? What’s you still in São Paulo? And
Vinícius Campitelli 0:45
what? Yeah, yeah, I am. Crazy here, right? We’re just talking about it before joining here. So I decided to quit my startup. And I was like, Okay, I don’t want to work as a developer anymore. I need some time for myself. And then after a month, I started working as a freelance PHP developer. And I was like, I don’t want to develop Yeah. I don’t know why I did it. Because I didn’t need money that much on that month. But I was okay, this came up, shouldn’t miss it. But yeah, I started giving some workshops and lectures, I found this company that they want to hire me as a developer, and I said, I don’t want to develop anymore. But hey, I could teach you and I’d be teaching them every single week or every week, or not, on eight or 10 months right now. So it’s like a four hour workshop twice or three times a month, on several subjects, you know, cryptography, security, SOLID, Kubernetes, Docker, everything else. So I set up a list of subjects that a developer should know. And I just started teaching them. So it’s been awesome. And I’ve been working for a US based company also called Altera, it’s it’s based in LA, it’s for streaming. It’s for OTT. So it’s a streaming platform for anyone that wants to deliver channels to TVs, and create their own apps. So I’ve been working there as well, since February, I guess. So it’s been a crazy year
John 2:20
for all of your teaching. Is it mainly for just one or two big companies? Are you doing it for lots of different companies?
Vinícius Campitelli 2:26
No, it’s for a for a couple of companies right now. I can’t do more than two companies at the same time. No, because I always like to customize the workshops. So I have some code from Dan, and I review their code. And I tried to be more practical, you know. So hey, take a look at this, though. We’re talking about SOLID. So here’s the code that you guys got wrong. Let’s talk about TDD. So here’s a test that you guys should have written for this function, because it’s huge. And it’s very complicated. So even though there’s a theoretical part, that is the same, I like to customize the workshop for each company. No, so I can’t handle more than one or two companies at the same time.
John 3:08
That’s awesome that you found like a company that will bring you in for multiple sessions to keep training their developers. Yeah. Versus bringing you in just to do one subject. And then moving on.
Vinícius Campitelli 3:20
Yeah. And like I said, it’s almost 10 months now. So it’s almost like, I’m part of the group, you know. So they just called me to play soccer with them last week. So it’s, I’m like, I’m a third party guy. I’m and they are outsourcing me. So it’s what? And they’re like, set sometimes just hire someone to to answer our questions about one subject. And that’s it. You’ll never see that guy anymore. So I’m on workshop number 18 or 19. With Dan right now. So it’s been awesome.
Eric Van Johnson 3:54
Very cool. And the SOLID principle was actually the topic we talked about last year with you and your interview. This year, you’ve written a couple of feature articles with us based around security, libsodium, and cryptography. What what’s taking you down that path?
Vinícius Campitelli 4:10
Yeah, it’s funny, actually, because I don’t remember the first time that I that I got in touch with cryptography, but probably was trying to implement API authentication, right. It’s almost 90% of developers, we, we start taking a look at authentication and OAuth. For anything else we do, and handling all those client ID and client secret. It’s always a mess, right? We always feel hard when trying to do that. And well, I remember when, when Facebook login was a thing, and we use it everywhere, man. It was hard to get it working right for the first couple of times. So I used to tweet a lot about this this subject. Of course, I learned about a lot about it, but it stood on my mind on the back of my head and I was like okay, this something that I struggled with, but I got it working, but I don’t spend so much more time on it. I think that’s something that most people do, actually. But then five years ago, I guess the company that I worked here in São Paulo, we started a cybersecurity project. So we needed to learn. And it was tough, because you guys know, didn’t find any resources or any articles back then it was 2015, or 16. And when we did manage to find articles, it had nothing to do with PHP. So it was very hard. Of course, we had OWASP, and we had them like 20 years ago already, but only the Top 10 series, I guess I don’t remember them having those cheat sheet series they have right now that is awesome. So we have to learn by ourselves, right? You have to read the article, sometimes hire some consultancy firms and tell them, hey, please teach us how to do it. Or hire some pentest companies to pentest our apps and deliver a huge list of everything we got wrong. So after that, after a lot of struggling and a lot of failed attempts, we finally learned about cryptography and security. And I really liked about it. Of course, I’m not a cryptologist or mathematician. So I don’t know the the details of the algorithms.
But I really like speaking about security and cryptography, at conferences, at meetups. So here I am. No,
John 6:35
knowing enough about the subject, you’re not going to write your own algorithms, like he’s at least kind of having a broad idea of how they work and how you can really mess it up is important.
Vinícius Campitelli 6:44
Yeah, totally. Please don’t write your own algorithm, or don’t mix two algorithms, right?
John 6:51
Or don’t try to do your own cryptography like, Yeah, I’m just gonna MD5 this 100 times and get it right. Yeah, that’s not. That’s not how you do it.
Vinícius Campitelli 6:59
But that’s difficult to get your mind right. Because sometimes you will think, okay, I have MD5 and a lot of other hashing functions, maybe if I could combine them together, I could grab the best of them. But it’s not the worst of them. So it’s hard to get that thing on your mind. First,
John 7:16
we’ve come across so many legacy applications in our line of business where the person who did their login scheme, definitely didn’t understand cryptography. And try just doing security through obscurity. And that just doesn’t work. Yeah, like that. He started with doing it the hard way, the old, OpenSSL way of doing things. And now PHP has brought libsodium into core. And it’s so much easier not to say easy to do encryption, but you don’t have to jump through as many hoops able to get really good encryption algorithms correctly with less lines of code.
Vinícius Campitelli 7:50
Yeah, I think one of the most common cases of vulnerabilities is like you guys said, is someone that don’t don’t understand cryptography don’t understand security. And they tried to implement themselves. And they tried to create all this logical design algorithm on their heads. The problem is, the theory here is important. If you don’t know the theory, you’re going to get it wrong. So like I said, I’m not cryptologist or anything else. So you don’t need to learn how the RSA algorithm works all the steps behind, but you need to know the big picture, right? So this is why I wrote the first article. So here’s the big picture, here’s a theory, if you don’t have libsodium, or if you’re writing some legacy, or for maintaining some legacy applications, that you can’t, for whatever reason, upgrade, or if you’re not dealing with PHP. So here’s the hard way. You know,
Eric Van Johnson 8:42
I saw a recent talk that you gave, called Protecting your sensitive variables and deploys. Yeah, really curious why that’s not an article yet. I’m just I’m just wondering,
Vinícius Campitelli 8:53
Hey, we can get dead.
Eric Van Johnson 8:56
That was good. I had I had to was that because obviously, I had to watch it through a translation. Who are you giving that talk to, though? I don’t recall who that was?
Vinícius Campitelli 9:07
Yeah, to be honest, I don’t even remember I gave that talk. Yeah. Because I give that talk a lot. No, because that was the last thing I did before creating my old job before quitting my job to go to my startup. So that was the last thing I did for them. There’s a huge ecommerce company here in Brazil. And they called us to to improve their security. You know, they are they’re having all these problems with CI/CD, because it’s a huge company. And every day there’s people joining and people leaving the company. So they were having a hard time trying to get other security credentials, created or deleted when someone left a company. And it was crazy. No, because they had over 1000 employees. They used to buy a lot of small companies every month actually. So the leaders were crazy man every week, they had to create a setup of Amazon accounts and delete the old ones and rotate the access keys. And they suffered a lot with that. So this is why I wrote that article. It was a great article. It was a great talk actually that, hey, we can turn that into our article. Just you guys just say the word.
Eric Van Johnson 10:21
Yeah, for sure. You told me if I did a little bit more searching, I could probably find the English version of it. Or
Vinícius Campitelli 10:27
I don’t think there’s an English word for this one. Okay, that’s fine.
Eric Van Johnson 10:32
I was fine with the translation. I would go miss little bits and pieces, but I got it.
Vinícius Campitelli 10:37
That’s why your your pronunciation is great, right? It’s about listening to me speaking Portuguese. So
Eric Van Johnson 10:44
I watch I watch a lot of it. Yeah. So how you make your São Paulo?
Vinícius Campitelli 10:50
Actually, I live here for seven years right now just moved from an apartment is actually a whole nother place of the city. And I just moved with my girlfriend to this new neighborhood. Yeah, we live living here because my folks are from a small town here. It’s like 200 250 miles from São Paulo. So it’s a very small town like 40,000 people, and we don’t have anything there. So when I came to São Paulo to work for that other company, everything changed, right? I was not used to to come here. Because we Navy on smaller towns, you just see these big cities, huge and violent. And all this traffic and it was okay. I don’t want to live in São Paulo ever. Right? And here I am almost eight years later. I’m still here. And I don’t want to go back.
Eric Van Johnson 11:41
I don’t I don’t have a concept of how big it is. But like Do you ever get to go to like, what is the thing called with organic says Água Park or something? Is that right? Água? Branca?
Vinícius Campitelli 11:53
Yeah, there’s a park here called Água Branca. That means like white water. It’s a neighborhood of São Paulo. It’s a good park actually. Yes, it’s something simple is huge, man.
Eric Van Johnson 12:04
suppose suppose they have like some major like organic food market there. It’s not it’s not a market. It’s I guess they have like a farmers market. It was what we call them here where? Yeah, all these local farmers bring their stuff.
Vinícius Campitelli 12:16
Yeah, we have a lot of these things right here. Actually, all these neighborhoods, they have their own associations, right. So they just tried to to improve the local business. And everyone that has their own store their own shops, they they managed to do this kind of stuff. But São Paulo is huge. We have like, think the city alone has 12 million people. But the greater São Paulo has 20 million people. So yeah, it’s a mess. But I love it. It’s a good mess.
Eric Van Johnson 12:49
And I assume you’re still working remote. So you just get the dial and everywhere you’re working.
Vinícius Campitelli 12:55
Yeah. Because when I quit my job to go to my startup, we were already working from home. We hired place house here. And me and my ex business associate, we hired this house, and we were already working from home when the pandemic came. So we didn’t, we didn’t. At first, we didn’t realize what’s good what was going on, because we were already working 24/7. So yeah, but right now did the company that work is it’s based on usually, we do have some other people around the world. But I’m doing developer from Brazil, we have some guys from Argentina too. And even though the company that I give this workshops, they are based in São Paulo, it’s so remote in it was strange at first giving, giving the remote workshops because, man, one thing is talking one other thing is having everyone else to to ask questions and to interact with me during the workshop, right? It’s not a lecture. It’s a workshop. So I need them to ask questions. And I need them to tell me what’s going on with their code and everything else. So at first was was terrible. But hey, I’m almost done now. So
John 14:13
I’ve seen that a lot with online conferences like yeah, you have people that do really good presentations live, but they just fall apart when it comes to a video presentation. Because you don’t get that feedback. You’re talking to your screen. People often get a lot more flat and just don’t know how to be made. Yes,
Eric Van Johnson 14:32
that’s how I am I like feed off the energy of other people. I don’t do well by myself.
Vinícius Campitelli 14:37
Yeah, totally. And like I told Eric, before we we began, I need to turn on my webcam. Of course we are recording a podcast here and you guys don’t see us but we are seeing each other. So every time I see say something, I see their reactions. I see our reactions right here. So it’s different, you know, I need to see this. I need to be able to see this too. You know, maybe someone won’t ask a question, but by looking at their face, realize they didn’t understand it, or they had they’re not really paying attention. And I’m not there to, to call out for them. But I was, hey, do you want me to explain this in a different way? So tell me, what do you need? So it’s very important to have this this feedback, like you said,
John 15:22
so going back to these presentations you’re doing for the companies? How many people at a time are you doing a workshop for?
Vinícius Campitelli 15:28
Yeah, it depends on the company. The last one has, I think, 10 people on their Tech Squad. So it’s me more 10 people, it’s good. I don’t think having too much people going to work. You know, it’s going to be
John 15:42
nice and intimate, where you can have that feedback with everybody. When once you start getting up to many more than that, you got the people that just sit back. And they’re doing it because they have to. Yeah, totally. I see that in meetings all the time. They just like you want that feedback. We have all the developers here, you know, to have some discussions or get different viewpoints, because you don’t want just a couple of people kind of running it all. You want different points on things. I just wish people understood that more than just sit back.
Vinícius Campitelli 16:10
Yeah. And like I said, they’re not lectures, they are this training. So I need them to tell me what’s going on. I need them to tell me how that how that matches with their current work. If they they’ve, if they’re thinking of something that they did that week, that matches what I just told them. So it has to do it has to be both ways. You know, this shouldn’t be a hashing function. Oh, here’s Yeah, if you guys didn’t didn’t understand the joke, please read the last article. Yeah.
John 16:49
So with the new company in in LA, are you going to be coming up this year, anytime are just going to be all remote?
Vinícius Campitelli 16:55
No, man, I want to go there. ASAP. I just think the US just started allowing us Brazilians to go their feet was just November that you guys started allowing us. So maybe next year, I can go there and meet the rest of the people. I just met with two of the the CEO and the CEO haven’t met with anyone else. So it’s gonna be a good thing. To really know them. The first thing I told my CEO when I met him was man, I’m so glad that you exist. It’s not a deep fake or something like that. So it’s good.
John 17:32
Yeah, LA is only a couple hours North American I so it’s, it’s really close. Yeah. For a beer say thank you for all your all the writing you’ve done for us over the years. Yeah, man,
Vinícius Campitelli 17:41
that that’s yeah, let’s do that.
Eric Van Johnson 17:45
As we’re recording this, we’re recording this on the 22nd. November, some big news got released today. One of the bigger stories is that PHP has established a foundation now, I think the goal is to help kind of with the organization of PHP internals, help with some funding with PHP internals, just make sure that that that group or that organization stays strong, and PHP continues to evolve. Just curious if you have any thoughts on that.
Vinícius Campitelli 18:15
Yeah, it’s a great story. Actually, PHP is a community language. Rasmus created it by himself. Of course, we had some major companies backing to support like Zend did for for some time. And there are a lot of companies that support the development, but it’s a community based language. And the frameworks are almost community basis as well. So it’s a great, great, great day for us. I hope it really goes well, because we had a lot of other attempts at creating these foundations in the past, right. So I really hope this one goes forward. I already made my contribution there. So I’m a recurrent subscriber. Beckett controversial, I saw that PHP architect also made a contribution there. So if you guys are listening to this right now, please go ahead and help the PHP foundation help us support and maintain our beloved language actually,
John 19:12
was started and backed this time by JetBrains. I think the impetus was they had hired Nikita Popov. Yeah, amazing individual. So happy with everything he’s done for the PHP language over the years. But last year, that article was written about the bus factor by somebody that works at JetBrains. Realizing that, you know, if something happened to Nikita, where would we be at and I think it was just the people’s eyes open. And here we are less than a year later. And Nikita I guess, decided to step away. He has some other things to go work on other interests at this point. And so JetBrains stepped up and said, okay, the money we were paying, Nikita, we are now going to start backing this foundation and I guess they got a bunch of other organizations to do the same and because it’s kind of an open foundation Like I said, PHP architect, DiegoDev, you yourself and really anybody can contribute, you know, as little as $5 a month just to say, I make a living off of PHP, I should contribute something, you know, obviously, there’s no requirement, but it’s just a nice thing. And hopefully we’ll get more people to start contributing to step up and kind of take the reins.
Vinícius Campitelli 20:19
Yeah, totally. Like you said, No one asked me to, to donate, I was just feeling that I had to because I’ve been a developer with PHP professionally for 10 years. But the first time that I wrote PHP was 15 years ago. So everything that I own today, they have today’s because of PHP, it has been my main language for last 10 years, of course, go to other languages, I used to, to work with JavaScript with Python, everything else, but PHP was the main one for so many years. So I felt that I needed to give back. Some, let’s say like, way, I like to
John 20:58
put that everything I have today, like just personally, my house, my business, my my cars is because of the PHP language, given me a living for the past.
Vinícius Campitelli 21:07
It’s not only PHP, right?
Eric Van Johnson 21:10
We’ve, we’ve been quick to pay for adjacent tools, like database tools and IDEs and things like that. We’ve never had to pay a penny and and nor are they asking anybody to pay a penny towards the actual language. But it’s nice if I always wanted to. Still not sure people appreciate how much work these volunteers put into the development of this language in the fact that we have this. Not only do we have, but it continues to mature, every year, it gets exponentially better as a language and just it just feels good. It feels right that a foundation is built around it to help organize that to help you know, compensate, compensation as needed. I feel good about it. I’m really interested to see in the fact that they’re doing it and open, everything is open. It’s not nothing is being done behind closed doors. I’m very excited to see how how this is implemented and how to use
Vinícius Campitelli 22:13
Yeah, totally. So we had some bad news some time ago, right? A lot of bad news during PHP life, right. So PHP 5, we were almost feeling that wasn’t going anywhere. Then Facebook came and Hack came and everything changed. And then PHP 7 came in, and we were like, Okay, we are back on track. Let’s do this. And then Zend stopped supporting, and they had done their own own mind. Of course, I agree with them, they spend a lot of time with the language in they’re able, they’re free to do what else, whatever they think they can’t. So I think it’s all right. And then when then Zend turned into Laminas we were okay, at least we have those guys back to the team and everything is working. So PHP is just won’t die anytime soon. Because this is what we use to listen, right every month, every year, somebody would step up and say PHP is gonna die. Please learn anything else. And here we are some PHP 8.1. It’s going to be there. And now we have PHP foundation. So man, it’s a great time to be a PHP developer. It has always been actually
Eric Van Johnson 23:29
you mentioned them, when Zend basically kind of dropped their support for the framework. And they’re supportive of PHP, that to me was big, like, I was terrified when I heard that. In my previous life, I worked in a big enterprise. And the only way I got PHP into that enterprise was the fact that there was a big company like Zend, offering support for it. And when I heard that that was going away, I’m like, Man, these people want PHP in an enterprise. They have major uphill battle now because that is a big point for phase implementations is having a company behind the language. I’m hoping there are other companies out there who who are more than willing to support PHP. But yeah, I’m hoping with this foundation that starts to kind of build those blocks, again, that these enterprise organizations need to say, Okay, this this, there’s a foundation here like this is not going away tomorrow, which is always the argument is there’s nothing to say that this won’t go away tomorrow, unless there’s a company behind it. And ideally, maybe that foundation becomes the foundation becomes the foundation.
Vinícius Campitelli 24:45
Yeah, totally. I took the Zend news the same way because I learned my first framework wasn’t the first time I got out of Brazil was to go to ZendCon 2016 I guess so. So it was a, it was a big news man, I was, oh my god, what I’m gonna do so just told everyone that we should we could trust these guys. And I’m telling that we don’t because they are awesome. We are here because of them. But I told them, okay, we can go with Zend Framework. And when they they launched version two and we had to recreate our entire code base, because, yeah, they already looked for me my co workers. Hey, you told me this one was cool and he was man. And then Zend 3 came off those components and everything else. My first talk actually was about Zend Expressive my first talk ever was using Zend Expressive to build authentication with JWT and everything else. So I took it personally. So it’s very good to have a foundation. And I really appreciate all the work that every company did. Nikita did and every other major contributor and every other minor contributor has done to the language.
Unknown Speaker 26:03
Yeah, that’s a good point. Very good point.
Eric Van Johnson 26:05
All right. Vinícius. I want to thank you, as always, for everything you’ve done for the community for the articles you’ve contributed for the articles you will be contributing Yeah. Thanks for taking the time. And thanks for for writing with us. Appreciate it.
Vinícius Campitelli 26:25
It’s always a pleasure guys. You can count on me. I have so much more to to give back to the community. Like you guys said.
| Air date | November 26, 2021 |
| --- | --- |
| Hosted by | Eric Van Johnson and John Congdon |
| Guest(s) | Vinícius Campitelli |