Are you unknowingly violating the Computer Fraud and Abuse Act?
In this episode, we talk about Amazon Sidewalk and Salesforce’s acquisition of Slack. Then we speak with Jerry Gamblin, Manager of Security and Compliance at Kenna Security, about the U.S. Supreme Court hearing arguments this week about the Computer Fraud and Abuse Act, which has major implications for ethical hackers. Finally, we chat with Sara Golemon, Core Developer and Release Manager on the PHP team, about the new release of PHP 8.0.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Jerry Gamblin is a security and compliance manager at Kenna Security. He is an influential security researcher and analyst, focusing on enterprise network and application security, with over 15 years of experience. His research has been presented on numerous blogs, podcasts, and at security conferences. When not at work, his personal research focuses on IoT and embedded automotive systems.
Sara is a long-time contributor to the PHP language and is currently serving as the veteran release manager for PHP 8.0.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:22] SY: So this week, we’re talking about Amazon Sidewalk and Salesforce acquisition of Slack.
[00:00:27] JP: Then we speak with Jerry Gamblin, Manager of Security and Compliance at Kenna Security about the US Supreme Court hearing arguments this week about the Computer Fraud and Abuse Act, which has major implications for ethical hackers.
[00:00:38] JG: But it needs to be narrowed. And right now, the law is so widely written that nearly anything you do on the internet could be considered a CFAA violation.
[00:00:48] SY: Then we chat with Sara Golemon, Core Developer and Release Manager on the PHP team about the new release of PHP 8.0.
[00:00:56] SG: 8.0 has actually been a pretty good release in terms of feature sets because where it’s a major version, we have this opportunity to do some backwards compatibility breaks that we wouldn’t do in a minor. And we also have the opportunity to just say, “Hey, we’re going to rethink a bunch of things.”
[00:01:11] SY: So Salesforce acquired Slack on Tuesday of this week for a whopping $27.7 billion. Yeah, that’s a lot of money. This mind-blowing sale rivals IBM’s $34 billion acquisition of Red Hat that happened, I think it was a couple of years back, and Microsoft’s $27 billion acquisition of LinkedIn a couple years before that. And even at the mention of the potential deal, which was first reported by the Wall Street Journal, Slack shares shot up 32%. So investors were hungrily awaiting this deal to happen. Salesforce co-founder and CEO, Marc Benioff, said of the acquisition, “This is a match made in heaven. Together, Salesforce and Slack will shape the future of enterprise software and transform the way everyone works in the all-digital, work-from-anywhere world.” So what did you think of that acquisition? What was your reaction to that?
[00:02:07] JP: Twenty-seven billion dollars! I feel like a super villain should be saving that amount.
[00:02:15] SY: A super villain.
[00:02:16] JP: That is so much money.
[00:02:18] SY: It’s a lot of money.
[00:02:19] JP: I read somebody on Twitter said, “It’s 28 Instagrams.” That is a mind-boggling amount of money. The other thing that I found really interesting was, of course, Salesforce owns Heroku.
[00:02:31] SY: Right. I always forget that.
[00:02:34] JP: Yeah. This is a huge chunk of the internet and remote work and cloud computing concentrated in one company now.
[00:02:42] SY: Yeah. There were a couple of things that this brought to mind. The first is just, I don’t know how much you know about the origins, actually you know very well, the origin story of Slack.
[00:02:48] JP: Oh, Saron! Do I ever?
[00:02:51] SY: You do.
[00:02:52] JP: So a little bit of history for our listeners, Stewart Butterfield, the Founder of Slack, was originally involved with Flickr, which was purchased by Yahoo a long time ago. After that, he started a company called Tiny Speck and made a little web game called “Glitch”. And I was an early alpha tester of Glitch. It was beloved by many people, complete commercial failure. And after they shut down, they took the chat infrastructure that they made for this game and created Slack and went from there.
[00:03:25] SY: And what I found so interesting about this Slack story is I listened to the How I Built This episode of Stewart Butterfield being interviewed and it was something that they had to like convince people to use in the early days. Like Slack wasn’t this thing that was sticky right away. It was this thing that the team was like, “No, you have to try this. You have to use it. It’s really great.” And they had to like sell it before it kind of became this thing that felt so ubiquitous. So it’s interesting, going from those humble beginnings of, I won’t say begging people to use it, but definitely something they had to work at to something that was acquired for 27 billion. That’s remarkable.
[00:04:02] JP: That’s pretty amazing. Of course, Slack has come out with a statement saying that, “For our customers, nothing’s going to change. We’re still the same company we’re going to be.” And I’m always really suspicious after an acquisition when I read that coming from the company.
[00:04:15] SY: Yeah. That’s what they all say.
[00:04:17] JP: It is.
[00:04:18] SY: What are they going to say actually, “We’re going to shut down a bunch of things and you’re going to be unhappy.” What else are they going to say? You know?
[00:04:24] JP: On the other hand, Salesforce has by and large kept Heroku operating on its own.
[00:04:28] SY: That’s true. That’s true.
[00:04:30] JP: So I’m hopeful that tomorrow it won’t look like a Salesforce portal and we’ll just all be at the CRM information.
[00:04:37] SY: Right. That would not be a great way to message people on Slack as having CRMs. Yeah, I hope so too. It’s a really great product and I really hope that they continue, people that do things on their own. So that’d be great.
[00:04:50] JP: Yeah. I wonder what this will mean product-wise for them. I know it’s been really widely publicized that Slack has kind of been in a low-key cold war against Microsoft. Microsoft has a product called Microsoft Teams, which is trying to kind of corner the same remote work, communication, email replacement space. And I can’t imagine that’s going to cool down anytime soon.
[00:05:11] SY: Yeah. We’ll see what the future holds.
[00:05:13] JP: Well, next up, this bit of news is more of a heads up to listeners that use Amazon devices such as Echoes or Ring Doorbells. Amazon is in the process of releasing a feature called “Sidewalk”, which connects their smart home devices, the name of which I will not say right now, with nearby other smart home devices, even your neighbors to create a large shared network that operates at low bandwidth over Bluetooth and 900 megahertz radio signals.
[00:05:40] SY: Whoa!
[00:05:40] JP: Yeah. So the aim of this is to allow these devices to have a greater range of functionality and connect over longer distances than traditional Wi-Fi allows. This function unsurprisingly has drawn a lot of criticism from security experts over privacy concerns. So right now, when you set up a new Echo device, it’ll ask you if you want to turn on the Sidewalk function. However, for any existing Amazon devices you own, it’s automatically being turned on and you’ll need to go into the app to opt out of it. And that’s a big bummer because I’m sure there’s a ton of people that have these devices and they don’t realize that they’re sharing their Wi-Fi and their bandwidth with potentially strangers’ devices.
[00:06:23] SY: Yeah. This, I mean, maybe I just don’t have a lot of imagination, but I’m just kind of like, “Why? Why do we need this large shared network that operates on Bluetooth and 900?” What’s their plan? It makes me very suspicious and I don’t have enough tech creativity to kind of put it together myself and go like, “Oh, this is where they’re headed with this.” But I just can’t tell where they’re going, but either way, I feel like I’m not going to like it.
[00:06:49] JP: Yeah. So I can kind of understand a little bit. I used to own a house that was, say, geographically large. There was like a very large floor plan. It wasn’t like fancy or anything, but things were located quite far apart and the router was on one side of the house and we had some smart light bulbs all the way on the other side of the house and we were constantly dealing with them dropping out because they were too far away from the Wi-Fi router. And I guess our options would have been to like install some sort of a mesh Wi-Fi system. Or if these devices had supported Amazon Sidewalk, the idea is that if like say we had an Echo in one room and maybe a Ring Doorbell in another room, they could kind of repeat a signal over to the smart light bulbs. And if you think about the bandwidth that smart home devices need, it’s not a lot. So you wouldn’t need necessarily a whole 5G Wi-Fi signal over there. Just a little trickle would make it so I could turn on and off my light bulb without having to go over there.
[00:07:49] SY: Okay. I like that.
[00:07:51] JP: But here’s the part I lack the tech creativity for. Why do my neighbors need it and why do I need to use my neighbors?
[00:07:58] SY: Yeah. Yeah.
[00:07:59] JP: The only use case I could see that I’ve read about on Amazon’s page was they talked about the idea of some sort of a smart tracker. And I know there’s a company called “Tile” that sells these smart trackers.
[00:08:08] SY: Yes. Yes.
[00:08:10] JP: The problem with Tile is, let’s say this actually happened to a friend of mine. She dropped her keys. She had Tile on her house keys. She dropped them in a stairwell in a building. Well, there was no Wi-Fi signal there that she belonged to. There was no Bluetooth signal. And so her keys sat there with the Tile tracker until somebody came and found them, old school, and found them. And Amazon says with Sidewalk, they envision a situation where if you were to drop your keys on literally the sidewalk, if it was near one of these people that had opened up their home network or was participating in the Sidewalk Program, that tracker might be able to get a little dribble of Wi-Fi data to report its location. Seems like a reach though.
[00:08:51] SY: So it seems like a reach. It also seems like the world’s most specific use case.
[00:08:55] JP: Yeah, exactly.
[00:08:56] SY: You know what I mean?
[00:08:56] JP: Like Jeff Bezos lost his keys and that’s why we have this.
[00:08:59] SY: Yeah. Yeah. Yeah. I really feel there’s probably more to it than that. I just don’t know what the thing is.
[00:09:05] JP: One other thing I want to say about this. I know you’ve been a huge proponent of companies doing opt in versus opt out. What do you think about that?
[00:09:12] SY: Yeah. I don’t like it, more so because I’m just wondering how many people know about it at all. When we discovered this, it was definitely new to me. I think it was new to you too.
[00:09:22] JP: Absolutely.
[00:09:23] SY: And I’m just wondering, it doesn’t feel like this has been very well publicized when it comes to sharing data and information, things that don’t ask for explicit consent make me very uncomfortable. So yeah, not a fan of how it’s being rolled out.
[00:09:39] JP: I totally agree.
[00:09:40] SY: Yeah. So coming up next, we are joined by Jerry Gamblin, Manager of Security and Compliance at Kenna Security, to discuss the US Supreme Court hearing arguments about the Computer Fraud and Abuse Act, a super controversial law that was first created in 1986, a pretty long time ago in internet history, and critics say it is outdated and in desperate need of a revision. So we’ll hear his thoughts on that after this.
[00:10:26] JL: Triplebyte is a job search platform that allows you to take a coding quiz for a variety of tracks to identify your strengths, improve your skills, and help you find your dream job. The service is free for engineers and Triplebyte will even cover your flights and hotels for final interviews.
[00:10:40] SY: Vonage is a cloud communications platform that allows developers to integrate voice, video, and messaging into their applications using their communication APIs. Whether you’re wanting to build video calls into your app, create a Facebook bot or build applications on top of programmable phone numbers, you’ll have all the tools you need. Formerly known as Nexmo, Vonage has you covered for all API communications projects. Sign up for an account at nexmo.dev/devnews2 and use promo code DEVNEWS2 for 10 euros of free credit. That’s D-E-V-N-E-W-S, in all caps, and the number 2, for 10 euros of free credit.
[00:11:26] SY: Here with us is Jerry Gamblin, Manager of Security and Compliance at Kenna Security. Thank you so much for joining us.
[00:11:33] JG: Hey, it’s great to be here.
[00:11:35] SY: So tell us a bit about your developer background.
[00:11:37] JG: So I am not a developer. That might come as a shock to some of your audience. I am a hacker. I’ve been a hacker since high school. I spent 10 years working for the federal government, state governments too, and then five years working for a large data company in the world called IHS CARFAX, who, if you’ve watched TV, you’ve seen their little CARFAX ads. The truth is I write a lot of code, but it’s mostly hacker code. So I’ve never been a professional developer. I’ve never written code for money.
[00:12:13] SY: What does it mean to be a professional hacker and do hacker code? What does that look like?
[00:12:18] JG: Hacker code is stuff you would never put into production.
[00:12:22] JP: I do hacker code then, too.
[00:12:26] JG: It works on my machine always. Right? So like if you go to my GitHub profile, you’ll see a lot of Python scripts, a lot of shell scripts, a lot of MVP type code that just works enough to do a POC, a Proof of Concept, so that I can prove out a point. And then I’ve always had really successful development teams and developers with me who worked with me that I could say, “Hey, here’s some code I’ve written to do something. Can you please make this worthy of being supported by other developers?” And they’ll do it and then they’ll ask me why I wrote it like that, use 40 lines and I did it in four. And I’m like, “That’s because you’re still awesome and I’m not.” So that’s kind of my developer background. I spent a lot of time looking at cryptography. I have a car hacking startup called RoGoLabs that we do embedded car research. I also spend quite a bit of time just looking at vulnerabilities in Docker containers and other cloud-based services.
[00:13:26] SY: Very cool.
[00:13:27] JP: So switching gears a little bit. The Supreme Court is going to be hearing a case coming up that involves something called the Computer Fraud and Abuse Act, which was created in 1986. Can you tell us a little bit about that act and what it does?
[00:13:41] JG: Well, as you can suppose, anything written in 1986 about the internet thought of it at 1986 terms. Most of the listeners of this podcast probably weren’t born in 1986. So it is pretty well one of the worst laws, I think, in the world, because anything can be a Federal Computer Crime Act, right? Because it says, “If you access a web system unauthorized, that could be tried as a federal felony,” except there’s not a good definition of what authorized is. So it really comes to the FBI and the US attorney’s office to what they’re going to charge as a CFAA violation. Everybody thinks hacking into a bank and stealing money is a CFAA violation, which is probably 100% true, but the law is so broad for a long time running a tool called Nmap and scanning a network was considered unauthorized access. And just in the last couple of years, somebody said, “Oh, no, internet wide scanning is okay. It might be against the spirit of the CFAA, but we’re not going to charge anybody with that.”
[00:14:51] SY: Interesting.
[00:14:52] JG: When I talk to students who are getting into computer hacking or computer security, what I like to tell them is it’s not illegal for me to put JerryGamblin.com/passwords.text and have every password for my website in that file. Right? I can do that. It’s illegal for you to access that. It would be a federal felony for you to go and access that and use that data in any way. So what it does is it puts all the burden for security on the researcher to make sure that they’re acting in good faith and understanding what they’re doing, and no burden on the person who is running the website or running any of the internet-facing material.
[00:15:39] SY: Oh, that’s very interesting.
[00:15:40] JG: I like to explain it to kind of non-technical people. It’s not a crime for me to leave the keys in my car and my car started and my car parked in a high crime area. Right? I can do that. It’s totally within my rights. It’s a crime if somebody gets into my car and steals it, but there’s nothing in the law that says that I can’t be totally dumb and leave my running car at a high crime area with the doors unlocked.
[00:16:07] SY: So in this example, are we trying to put some of that responsibility on you, the car owner, to say that, “If you leave your car on a particular area and you leave the door wide open and the keys in the car, you have to kind of bear some responsibility for that”? Is that what we’re trying to get to?
[00:16:25] JG: Yeah. It’s trying to figure out what authorized usage is and what that means. In the particular case that’s in front of the Supreme Court, a police officer was looking up DMV records for a third party for cash, right? He was taking kickbacks to help out someone. I’m not exactly sure if it was a private eye or a divorce investigator or something. So they tried to charge him with fraud; that fell through. And now they’re trying to say that he had unauthorized access to the DMV database by doing these searches that were not directly related to his job. So they’re trying to say that he violated the Computer Fraud and Abuse Act because he looked up stuff that he wasn’t supposed to, and that constituted unauthorized access.
[00:17:11] JP: And just to clarify this person, Nathan van Buren, he had access to the system as a course of his day-to-day job, right?
[00:17:20] JG: Correct. Illegally. Yeah. So he had legal access to that and then just used more access to find other information. This isn’t the first kind of case like this we’ve seen. We see this sometimes in California quite a bit with celebrities in hospitals, right? You’ll see somebody at a hospital who is a nurse who has access to look up patient records, and then some celebrity comes to the hospital and they look up the celebrity’s health records and sell it to TMZ. They’re authorized to use the system, but are they doing something unauthorized by accessing data that they don’t need to? That is kind of what’s at the heart of this lawsuit.
[00:18:06] SY: So there’s been a lot of criticism about this law and the fact that as you mentioned, it’s outdated, it’s vague, and that it actually does more harm than it does good, especially when it comes to stopping ethical hackers from finding security vulnerabilities at companies, which is obviously a very good thing. Do you think that’s true? Do you think that it is more harmful than it is helpful?
[00:18:27] JG: It is a big weight on security hackers. I personally have a lawyer that I pay a retainer to every year because even the nicest companies are known to start with legal threats if you send them something that they don’t like to hear. I’ve had many run-ins with companies with, “Hey, I found this open database on the internet. It was an open S3 bucket on the internet.” And their first thing isn’t, “Thank you,” or, “Okay, we’ll get that fixed right away.” It’s, “What are you doing? You’re hacking us.” Direct information from the lawyers, even if you go to them and try to be really nice and even start like, “I’m an ethical hacker. Here’s exactly how I stumbled across this. I just wanted to let you know, can you please fix it?” They come with legal threats right out of the gate, and not everyone who wants to do security research can afford to have a lawyer on retainer. But for most of us, it’s just a cost of doing business these days because we don’t want to get in trouble. Nobody wants to go to prison. I would not be a great federal inmate, I’m sure.
[00:19:36] SY: So then for someone like you, getting all these legal threats and to the point where you have to get a retainer, a lawyer on retainer, why do you keep doing it?
[00:19:46] JG: Because it’s important, because if I am telling them about it, chances are someone else has found it and I’m not telling them about it and it’s being exploited by someone. Not every interaction is that way. It might be 10%, but then it’s 10% really staying you right. The other 90% would be like, “Oh, we didn’t know that. Thank you. Let us fix it.” Or, “Oh, you found that bug in our autonomous driving system. Thank you so much. Here’s a little bit of money. Here’s some swag. Thank you.”
[00:20:18] SY: That’s great.
[00:20:19] JG: Yeah. It’s normally there are no good interactions, but there are also interactions of people who just freak out for reputation-wise or just because that’s their personality. They don’t take well to being told that they have vulnerabilities in their system.
[00:20:35] JP: Has this act been used against ethical hackers in the past?
[00:20:40] JG: We would have to define ethical. So there are always threats. Every time around DEF CON, you’ll see a lot of these threats come up. A person I know and I consider a friend, Barnaby Jack, who sadly passed away recently, was threatened quite a few times. He jackpotted an ATM machine onstage at DEF CON, right? And it made the ATM machine with the vulnerability spit out all the money in it. He was legally threatened before he went up there and said, “Hey, we’re going to prosecute you if you go up and do the talk.” And he went up and did the talk. But you see a lot of instances like that where somebody wants to release some public information and the biggest hammer that a company has is threatening a researcher with a Computer Fraud and Abuse Act violation or lawsuit.
[00:21:32] SY: So the Electronic Frontier Foundation, the EFF, has called this law the worst law. And even when we started this interview, you said it’s probably one of the worst laws in the world. And they even believe that something like the Equifax Breach, which was a huge, huge breach could have been averted if this law wasn’t in place, which is kind of a huge thing to say about this law. What are your thoughts on that?
[00:21:54] JG: I love the EFF. I think that that’s a little bit of hyperbole. I think that they’re saying, “Hey, if this law wasn’t in place, Equifax would have had to have more robust security systems and then they wouldn’t have been able to be hacked.” All indicators indicate that Equifax was hacked by a nation state that was highly trained and highly sophisticated. So I’m not willing to go that far. I am willing to say that if the CFAA comes more in line, it will help out the next generation and make it easier for kids to get involved and help loosen or soften up some of the state-level laws that a lot of people get charged with that isn’t a federal crime. If you watch the news very often, you’ll see something about a local kid hacking into a local school district and getting arrested and charged on state charges. And those state charges are based off of this very broad federal law. So I don’t know if you remember what movie it is. It’s one of those ’80s movies. I think every ’80s movie about high school kids had this, where the kid hacks into their school’s computer and changes their grades or how many days they were missing or whatever. Like that’s a federal felony, right? That could be charged under the CFAA. And states are doing that on a state level to kids who are doing kind of that same kind of thing at their schools, changing their grades, knocking their testing systems offline, being kids, and charge them with really serious felonies because the federal law says it is.
[00:23:32] JP: One of the things the Supreme Court will be trying to determine is defining what unauthorized access means. As a security expert, how would you define unauthorized to better revamp this law?
[00:23:44] JG: I still think that the line between authorized and unauthorized access is so hard to define. I run into this all the time. I’ll find a bug in some software that a developer wrote and I’ll go do it. I’ll show them how I executed it. And they’ll be like, “Why’d you do that? Nobody was going to do that. That wasn’t in our use case. Why would anybody put that string in that field?” And I’m like, “I’m weird. I don’t know. I was just playing around. That’s why I did that.” Right? So to the developer who wrote the software, doing something like that would be unauthorized access, right? It wasn’t used as the developer designed and built the system is probably the best way to define that. I think a lawyer is going to tell you that unauthorized access is anything that’s against the 7,000-page EULA everybody clicks accept to without reading. It’ll be a really, really interesting case to see where they come down on this. And I’m not sure at this point where the Supreme Court will rule on this.
[00:24:50] SY: So we spent a lot of this interview talking about how bad this law is. And so I’m wondering, is there any good that’s come out of this law? Is there a silver lining here or anything positive we can speak to when it comes to this law existing?
[00:25:05] JG: It sets some groundworks. I mean, I’m not sure who said it, but it says, “Democracy is the worst form of government besides all the other forms.” It’s kind of the same thing with this law, right? This is the worst security law ever, except all the other security laws because there hasn’t been any. There’s always going to be issues and technology is always going to move faster than the law can keep up. So there’s always going to be gray areas. And I agree that there always needs to be protection for the end user, for people who have systems on the internet, right? You have to have some kind of recourse to legally go against people who perform denial of service attacks or ransomware or steal your data, but it needs to be narrowed. And right now the law is so widely written that nearly anything you do on the internet could be considered a CFAA violation. And it’s only due to federal prosecutors and the US attorney deciding what to charge and what not to charge that everybody commits CFAAs nearly daily, even if they don’t know it. Right? Simply looking at someone else’s screen while I have an email up could be considered unauthorized access and could be a crime because you don’t have access, you’re not authorized to look at that email. That’s someone else’s account. So shoulder surfing could be a CFAA. The difference between committed, charged, and convicted of a CFAA violation is pretty wide and we want to keep it that way. We just need to make that committed area a little more clear so that people who are doing research have a little bit better of a leg to stand on and aren’t scared that they’re going to be threatened with lawsuits and federal convictions every time they try to do the right thing.
[00:27:01] SY: Yeah. Yeah.
[00:27:03] JP: How might this court case affect your work? I can imagine this could have a huge impact on the work you do.
[00:27:10] JG: I would hope it would. What I hope it does is it makes the US government rethink this law and kind of narrow it down and make it more understandable and more applicable to 2020. But to be completely honest, what I’m afraid will happen is that they’ll come up with very technical language about what was in the end user license agreement and what this person could and couldn’t access and rule on that, and rule more on the technicalities of what access they were allowed and how they were allowed to use it versus the wider questions of what is and what isn’t unauthorized access.
[00:27:47] JP: Is there anything else we didn’t talk about that you would like to add?
[00:27:51] JG: I just want to make it clear that I am not a lawyer.
[00:27:54] SY: Good point.
[00:27:55] JG: I don’t even want to play one on this podcast. I’ve spent a lot of time talking to my lawyer, who I pay quite well to make sure I stay out of trouble, and I would suggest that anyone else who is having any of these issues consult real legal counsel and just don’t take some guy on a podcast’s word for what is legal and what isn’t.
[00:28:17] SY: Fair enough. Well, thank you so much, Jerry, for being on the show.
[00:28:20] JG: Thank you guys very, very much. This has been a blast.
[00:28:31] SY: Coming up next, we talk to Sara Golemon, Core Developer and Release Manager on the PHP team, about PHP 8.0 after this.
[00:28:53] JL: Join over 200,000 top engineers who have used Triplebyte to find their dream job. Triplebyte shows your potential based on proven technical skills by having you take a coding quiz from a variety of tracks and helping you identify high growth opportunities and getting your foot in the door with their recommendation. It’s also free for engineers, since companies pay Triplebyte to make their hiring process more efficient.
[00:29:15] SY: Vonage is a cloud communications platform that allows developers to integrate voice, video, and messaging into their applications using their communication APIs. Whether you’re wanting to build video calls into your app, create a Facebook bot or build applications on top of programmable phone numbers, you’ll have all the tools you need. Formerly known as Nexmo, Vonage has you covered for all API communications projects. Sign up for an account at nexmo.dev/devnews2 and use promo code DEVNEWS2 for 10 euros of free credit. That’s D-E-V-N-E-W-S, in all caps, and the number 2, for 10 euros of free credit.
[00:30:02] SY: Joining us is Sara Golemon, Core Developer and Release Manager on the PHP team. Thank you so much for being here.
[00:30:08] SG: Thank you for having me.
[00:30:09] SY: So before we get into PHP 8.0, tell us a little bit about your developer journey.
[00:30:14] SG: My development journey, well, I’m in my mid-40s, so it’s a long journey. So I have the weird distinction of having started in the public sector. I worked for the US government for a few years early on in the court systems. I eventually found my way into education, working at UC Berkeley. And that was actually where I got into the PHP project because I needed to make some little web apps to stir up some database needs. I was working for the HR department at the time, of all things, and they need databases and they need them to be accessible. And the web was a new thing, so let’s do that. After six or seven years at Berkeley, I finally got into the private sector. I would say PHP actually launched my career into that because it was Rasmus who gave me the recommendation at Yahoo, working my job there, which turned into Facebook, which turned into MongoDB.
[00:31:03] JP: So PHP has been around for a while. This is the 8.0 release. What’s the current state of PHP? And where does it stand in the world of tech?
[00:31:10] SG: Yeah. Well, I mean, PHP is still, I would say, dominates quite a bit of the web because PHP was built for the web. That was its entire purpose when Rasmus made the first version 25 years ago: to just put a counter on his website and handle some leaving messages and things like that. And it has stuck with that web mission through those 25 years. Occasionally, people will try some different things with it. There was the PHP-GTK project for building GUIs for a while. Some people have built in audio and video codecs that you can access through it. But essentially, PHP has always been about the web. And the biggest change in PHP’s life came about 10 years ago or so, right around the 5.2 era, which I guess was more than 10 years ago. Wow! Where we decided, “Okay, we’ve been getting along really well so far with people just kind of scratching their own itches as they contribute to PHP.” It’s like, “Oh, I want PHP to do a new thing. Let me just make a patch and just commit it and let’s keep going.” Somebody suggests an idea. People say, “Great. Sounds good. Let’s commit that. Keep going.” These cowboy days of sort of just committing whatever and not really thinking too hard about it. What we came into were articles like “fractal of bad design,” and other complaints about the language being inconsistent or doing strange and surprising things. And in fairness, a lot of those articles were absolutely correct. PHP does some very strange and unintuitive things when you look at it from the perspective of a well-designed language. So we sort of sat down with each other. We had a come-to-Jesus moment.
We said, “All right, we need to put some process in place so that we actually think about what we’re doing and apply some good, best principles into new things that we add into the language and how we can fix some of the things that we hadn’t thought through correctly before.” And since that period, we’ve had a much more structured RFC process where we write down what we intend to do, how we intend to do it, what are the downsides, what do we get from it. And I know a lot of people heading into that would be a little concerned that, “Oh my gosh, this is going to slow down development of the language.” But the reality is I think it’s actually sped things up. And so you’ve seen, particularly in the past five to six years since 7.0 was released in particular, but also before that, PHP has been on a rollercoaster of picking up new features and new modern programming language paradigms. And at the same time, these have actually been designed in a way that has been very well received and very useful for people actually using the language on a daily basis. So I think we’re in a great spot right now in terms of maturing as more of an adult language than we were initially.
[00:33:53] JP: What are some of the biggest new features and updates in version 8.0?
[00:33:56] SG: Well, 8.0 has actually been a pretty good release in terms of feature sets because where it’s a major version, we have this opportunity to do some backwards compatibility breaks that we wouldn’t do in a minor. And we also have the opportunity to just say, “Hey, we’re going to rethink a bunch of things.” So Union Types is my favorite. PHP 7.0 has had the ability to apply type information to arguments or return values. A little bit later, it got the ability to apply those to properties as well. So now you can define a union set of possible property types. So I can say this class contains the property named foo, and this foo can be either an int or a float, but not anything else. So you can throw any kind of number you want in there. The engine is fine. You try to throw anything else in and it’s an error. And we’ll probably do intersection types at some later time as well, but we’re going in slowly, seeing how the community responds and making sure that the features are what we want them to be. Definitely the biggest hype feature of 8.0 is the JIT. So we have added a just-in-time compilation engine to the language. In theory, that should make some workloads significantly faster. And I put a big asterisk on that because we are specifically talking about computationally heavy workloads. Most of us are not producing the [INAUDIBLE 00:35:12] set for our average web apps. So you’re probably not going to see it go massively faster on typical workloads, but people do use PHP for things other than the web. So this will definitely help out those cases quite well.
[00:35:25] SY: Very nice.
[00:35:25] SG: I can go through the whole laundry list, but Wikipedia has actually got a great view of the PHP project. You can go to wikipedia.org/wiki/PHP, and it’ll go branch by branch all the new features that are coming out and there’s a bunch.
[00:35:39] JP: How does this release differ from past releases of PHP?
[00:35:44] SG: I mean, essentially, I would say that the 8.0 release doesn’t significantly differ from other minor releases. Or to turn that question on its head, I would say this very much differs from most major releases because when you go from one to two, two to three, three to four, four to five, five to seven, you see big internal changes in the engine and how it deals with the language. Some of these come in the form of syntax changes. Some of these come in the form of extensions having to be rewritten to actually work with the new version. Some of these just come in massive performance changes. 8.0, compared to 7.4, feels a lot more like just a regular minor release. We could have called this 7.5 and just called it a day. The reason we made it an 8.0 is because of the JIT, which is actually an extension feature. It’s not even core to the language. So I would say it definitely differs from other major releases in the fact that it’s not really much of a major release. It’s just a big feature-packed minor release. A bit more like 5.3 in a lot of ways. 5.3 had a whole bunch of features that we were saving up for the 6.0 release, and 6.0 was going to be the big Unicode release. We were going to have Unicode as our native string type backed by UTF-16 on the inside and it was going to be great. And we were going to be all modern and international. One of the things we discovered along the way of trying to get 6.0 out the door is, A, that added a whole bunch of inefficiency to our processing, using two-byte strings all over the place. And two, end developers were actually solving this problem already without help from the language. Everybody at that point, which was 2009-ish, was using UTF-8 as their internal encoding already because it had taken over. It was the right way to move data around most applications, especially applications that were English-centric.
And so we realized, “Hey, let’s do more to support that idea of using UTF-8 as the internal encoding, instead of trying to solve this for every possible edge case so that a website presenting in Klingon has the right tools available to it. Let’s deal with the practical applications.” A friend of mine says that PHP is like a ball of nails. You just throw something and it sticks. That’s how it should behave. It should be ready to just be thrown at something like a ball of nails rather than being tied to a lead weight.
[00:38:14] SY: So what were some of the biggest challenges your team came across when building this version?
[00:38:19] SG: So the JIT is definitely a difficult thing to write. We’re talking about taking a language that already has its own compiler for just taking PHP script code and turning that into a VM-style runtime. But now we’re actually taking that all the way down to the CPU, Intel specifically. We’re not targeting other platforms yet, but that is still a massive hurdle to get over and a massive amount of work to do. And essentially there was really only one person doing the main bit of work on that. And so there was a lot put on his shoulders, Dmitry Stogov. I give him credit where credit is due. And he’s done a fantastic job, but that was probably the thing that we had the most sort of lingering little bugs with as we were approaching the 8.0 release, and it was making me nervous because I want to make sure, when the release comes out, that it’s not going to crash people’s computers. We did of course set it up so that the JIT is not enabled by default. You do have to flip a few switches to turn it on. And I think honestly, you should consider 8.0 the beta release for the just-in-time compiler in PHP. But that is definitely the thing that scared me the most coming into 8.0. Otherwise, everything was pretty well straightforward because we do have this very well-defined process that says, “Define what you want to do, how you’re going to do it, get consensus, get two-thirds of the internals community to agree that this is the thing to do and get it done.” So as a result, the actual nuts and bolts of most of the feature work was unstressful.
[00:39:52] JP: Was there anything that didn’t make it into this release that you were hoping would be there?
[00:39:57] SG: So we have a project going on right now where we’re trying to deprecate our resource type. Resource in PHP is basically just an opaque little wrapper. You get a variable that says, “Hi, I’m resource Number 12.” And whenever you need to pass that into some internal function somewhere, that internal function can unwrap that thing and get a real sort of C pointer struct of the actual data that it needs to work with. But it’s completely opaque to the end program. So we have a project underway to completely get rid of that type and replace it with named object classes that can potentially even have methods and other object properties on them later on at some point in the future. And we’ve converted a whole bunch of our resources, but we’re not done. There is a task tracking this. We have probably 10 more that we still need to do that did not make it into 8.0. And the advantage of 8.0 is, “Okay, we can make some BC breaks.” We can say the type of this variable is no longer resource. It’s now an object. It is of this class type. Now we’re going to have to introduce a few more into 8.1 that are technically the kind of BC breaks that you want to fit into a major version. But we also reckon that it’s worth it enough to get rid of this type to make the rest of the engine a lot more efficient and to make end user code more able to type their experience. I can now say, as a userland implemented function, I expect to get a hash context here rather than just saying, “Oh, I need a resource and I hope it’s the right type.” So I wish we had gotten more of that done for 8.0, but it’s all right. We’ll finish it.
[00:41:40] SY: So can you hint at some things that might be coming down the pipeline with future PHP releases?
[00:43:22] SY: Thank you so much for being here.
[00:43:24] SG: Thank you for having me.
[00:43:36] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513. Or email us at [email protected]. Please rate and subscribe to this show on Apple Podcasts.