by Mithaldu 3463 days ago
Are they doing quality control on submitted talks this year, or are they still fine with talks that spread outright and clear lies to people who come there to learn and don't know any better?

Edit: They still let Rubin talk, so probably no quality control.


The exploits he presented in high-profile Perl software are very real, regardless of whether you agree with his reasoning on what is broken or not.

So he gave a talk on exploits he found but you call the talk "outright and clear lies", because you disagree with his conclusion that perl is broken?

He found vulnerabilities in (very old) third-party software written in Perl (that's the 1%) then did nothing but lie and attribute them to the language while demonstrating his (accidental or willful) lack of understanding of the language. His code slides often aren't even valid Perl, which is an achievement in itself.
Are you talking about CGI.pm? That was removed from the core modules in 5.22 (in 2015), which was only the year before his talk. Debian Jessie even has Perl 5.20 as the stable version[1]. CentOS 7 ships with 5.16. Of course you can have your sysadmin install an up-to-date version, but CGI.pm is still in play as part of Perl.

Maybe this year he'll talk about Perl 6 since 5.x is all old hat. ;)

[1] https://packages.debian.org/jessie/perl-base

No, the vulns were in software that used CGI.pm and used it in naive ways. CGI.pm had a design decision in its API that can lead to, but does not constitute, a vulnerability, and is a feature to those using it appropriately.
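An added illustration of the kind of "naive use" the comment above refers to. This is example code written here, not code from the talk, from Bugzilla or from CGI.pm itself, and it assumes that the API design decision meant is CGI.pm's `param()` returning every value of a repeated field when it is called in list context. The query string, the field names and the sub names are constructed for the example; CGI.pm has to be installed from CPAN on Perl 5.22 or later.

```perl
#!/usr/bin/perl
# Added example, not code from the talk or from CGI.pm itself.
# Assumption: the "design decision" is CGI.pm's param() returning *all*
# values of a repeated field when called in list context. Needs CGI from
# CPAN (it left the Perl core in 5.22).
use strict;
use warnings;
use CGI;

# Constructed request: the attacker repeats the "user" field so that the
# extra values land inside the hash the application is building.
my $q = CGI->new('user=alice&user=is_admin&user=1');

# Naive use: param() sits in list context inside the hash constructor, so
# it expands to ('alice', 'is_admin', '1') and the attacker-supplied pair
# is_admin => 1 overrides the default set earlier in the list.
sub naive_profile {
    my ($cgi) = @_;
    my %profile = (is_admin => 0, user => $cgi->param('user'));
    return \%profile;
}

# Intended use: force scalar context (first value only) where one value is
# expected, and ask for the list explicitly where several are legitimate.
sub careful_profile {
    my ($cgi) = @_;
    my %profile = (is_admin => 0, user => scalar $cgi->param('user'));
    my @all_users = $cgi->multi_param('user');   # CGI.pm 4.08 and later
    return (\%profile, \@all_users);
}

my $bad = naive_profile($q);
my ($good, $all) = careful_profile($q);

print "naive:   user=$bad->{user} is_admin=$bad->{is_admin}\n";    # is_admin=1
print "careful: user=$good->{user} is_admin=$good->{is_admin}\n";  # is_admin=0
print "all values seen: @$all\n";                                  # alice is_admin 1
```

CGI.pm 4.08 and later also emit a warning to STDERR when `param()` is called in list context, which is the cheapest way to find this pattern in an old code base: run it with warnings enabled and grep for "called in list context".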
I watched both of his talks, but I've never heard before about this "code on the slide was not valid Perl" complaint.

You're not talking about a small typo, are you?

Can you point to the wrong examples/slides?

Examples, with explanation of wrong in comment. First talk:

  print $hash;   # he accompanied this by a dump of the hash, when in reality it would print the reference id
  print ($a, $b, $c);   # same thing as above, pretends it does a dump, when the reality is wildly different
He does these repeatedly in his second talk:

  $arg1, $arg2 = @_;   # assigns the length of @_ to $arg2, instead of unpacking args. only the newest of newbies would get this wrong
  if(ref $arg1 eq 'HASH') print $arg1{'key'};   # perl does not have block-less pre-fixed ifs
  else print $arg1;   # same with this, entirely nonsense
The entire style of his code (paren usage, quoted hash keys) also smells of code copied from bad (w3schools) Perl tutorials.
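To make the objections above concrete, here is an added example (not from the talk or the slides) that shows what each quoted construct actually does when fed to a real perl: the reference stringification, the comma-operator parse of `$arg1, $arg2 = @_`, and the compile failures of the block-less `if` and the bare `$arg1{'key'}`. The variable names `$x`, `$w1` and the like and the sub names are my own.

```perl
#!/usr/bin/perl
# Added example, not from the talk: what the slide constructs quoted above
# actually do in Perl. Run with perl 5.10 or later.
use strict;
use warnings;

# `print $hash` on a hash reference prints the reference's string form,
# e.g. HASH(0x55b2c3d0a1e8), never the contents.
sub stringify_hashref {
    my $hash = { key => 'value' };
    return "$hash";
}

# `$arg1, $arg2 = @_` parses as `$arg1, ($arg2 = @_)`: the comma operator
# discards $arg1 and the assignment puts @_ in scalar context, so $arg2
# receives the element count rather than the second argument.
sub unpack_wrong {
    my ($arg1, $arg2);
    no warnings 'void';          # silence "Useless use of private variable"
    $arg1, $arg2 = @_;
    return ($arg1, $arg2);
}

# The idiom the slide presumably meant: list assignment.
sub unpack_right {
    my ($arg1, $arg2) = @_;
    return ($arg1, $arg2);
}

# Compile each slide fragment in isolation under strict. A block-less `if`
# is a syntax error, and `$x{'key'}` names the hash %x rather than the
# reference $x, so both are rejected before any code runs.
sub compiles_ok {
    my ($src) = @_;
    my $ok = eval "use strict; use warnings; $src; 1";
    return $ok ? 1 : 0;
}

my ($w1, $w2) = unpack_wrong('foo', 'bar');
my ($r1, $r2) = unpack_right('foo', 'bar');
print "print \$hash gives: ", stringify_hashref(), "\n";
print "wrong unpack: arg1=", $w1 // 'undef', " arg2=$w2\n";   # arg1=undef arg2=2
print "right unpack: arg1=$r1 arg2=$r2\n";                     # arg1=foo arg2=bar

for my $frag (q{if (ref $x eq 'HASH') print $x{'key'};},   # block-less if: 0
              q{my $x = {}; my $v = $x{'key'};},           # %x undeclared: 0
              q{my $x = {}; my $v = $x->{'key'};}) {       # proper deref: 1
    printf "%-45s compiles: %d\n", $frag, compiles_ok($frag);
}
```

The `compiles_ok` helper is the quickest way to check a slide fragment without guessing: anything that returns 0 there could never have run, whatever the talk claimed it did.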
Yeah, quite damning and sloppy on his part...

Thanks for pointing this stuff out!

Problems that make it look like he has never written working Perl code without accidents intervening on his behalf. I'll get examples later.
Care to elaborate?
For two years in a row Rubin has given talks about Perl, "exposing issues", in talks that are 99% straight lies or at the very least gross misrepresentations. They cannot in any good conscience be characterized as anything other than intentional trolling and spreading of FUD.

He has been thanked by CCC orga directly for his contributions as well, thus making it clear that they support such shenanigans.

As far as I am concerned, every talk at CCC is highly suspect, since they either don't give a damn as to whether it is correct, or they actively support talks being given in bad faith to an unsuspecting audience.

Or you simply have to accept the fact that Congress is more than 100%-always-correct scientific talks; it is about entertainment too. And that is a thing Rubin can bring to Congress.
His talks were in the Security track, not the entertainment track. At no point in the talks did he acknowledge that it wasn't meant to be factual either. Additionally, there's a wide gulf between 1% correct and 100% correct he could've aimed for.

I would be understanding if the CCC orga put him in the entertainment track, but they did not do that for two years in a row despite having received feedback.

He was intentionally spreading misinformation and the CCC orga supported him in that. These are simple facts.

I remember a talk of his about Perl security issues in Bugzilla (I think; correct me if I'm wrong here). Even though it was a problem that was a result of clearly bad code, he still blamed Perl for it.

At first, I thought he was going for a darker Brooker-ish humor, but in the end, the lack of research showed. I got the impression that he tried to shoehorn some corner-case examples into the general "Perl is a security nightmare" narrative.

It could have been someone else, but it sure sounds like him. It's a bad thing to do in a talk either way.

Edit 1: I've found a rather angry response[1] to the talk I was thinking of (Perl Jam 2). This is just for reference, I don't necessarily share the blog post's opinions.

Edit 2: Here's the Bugzilla[2] "bug".

[1] - http://blogs.perl.org/users/joel_berger/2015/12/response-to-...

[2] - https://bugzilla.mozilla.org/show_bug.cgi?id=1230932

He seemed really strange to me when I first saw him. I have no clue about Perl, but even to me he gave the impression that he had not really done his research.

His character and presenting seemed really strange to me. I was honestly totally confused by his presentation and couldn't make out if this was supposed to be funny or if he is serious.

And if it was supposed to be funny, I didn't find it funny at all.

All in all, I was really irritated by his talk and avoided all his talks ever since.

Reading your comments, it seems that was the right choice.