cat slave diary

We took Mackenzie to the pediatricians today. She did real well - even the vaccinations she only screamed for a few minutes. 

Here’s a few very recent photos for you!

• The first image is her sitting. By herself. At 3 and 3/4 months.
• The second image is her out on the porch wearing her snazzy new sunnies from Rebecca.
• The third image is her holding her own full bottle and drinking away without that much help. She’s been able to do this for a while, but we’ve not always had the camera to prove it

In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention my last year’s rant. Most likely, I will have to give up on submitting papers to certain open source developer’s conferences as honestly, why bother doing the work of doing the research, creating the paper and slides only to be rejected? Luckily, two of my submissions were from colleagues, so I didn’t squander a lot of resources on those talks, even though for example, I’m working on porting ESAPI to PHP, which is the subject of one of the rejected talks.

I’ve identified the following security talks for those security folks still considering going to OSCON (although I’d recommend saving your money for OWASP USA as we already have a schedule of 45 web app sec talks in three tracks, and two full days of tutorials, including several two day courses where you’ve got an actual chance of learning something. Just saying.)

• Securing the PHP environment with phpsecinfo, by Ed Finkler. This should be good - I’ve used it before and it’s a pretty cool way to tie down PHP properly. And Ed has contributed Inspekt to OWASP, and therefore he’s cool by me.
• PHP: Architecture, Scalability and Security, by Rasmus. Rasmus knows what he is talking about, but I don’t know how deep the security aspect will be. Hopefully, enough as it’s a three hour talk.
• PHP Taint Tool: It ain’t a parser, by Luke Wellings, a friend of mine from Australia who now lives with his lovely wife in Columbia MD. I’d love to see this tool in action.
• Hack this App! PHP security workshop, the usual sort of scare the punters talk common in talks at conferences I attended about 5-10 years ago. I really hope there’s some solutions in this one. There’s no point in saying you have a problem unless you have a solution, which is what all three of my submitted talks were. Especially the one on securing PHP apps and ESAPI for Java (although we have a completed .NET and soon a PHP port now)
• Perl Security, three hour talk by Paul Fenwick, also an Australian of my acquaintance
• How to improve quality and security automatically in your open source projects with static analysis, by David Maxwell (Coverity). Hopefully, this is just not a vendor plug, but even if it is … it is about solutions, and I like that.
• Security 2.0: Emerging Trends in Web Application Security, by Chris Shiflett. Also a friend, but sadly, not Australian.

So five talks and two three hour longer talks. Here it is in graphical format for you:

A couple of the talks are likely to not offer that much in the way of solutions. Sadly, no Ruby, Python, administration, database, emerging topics, or people security talks. Worse, there are no Java security talks, which for an semi-incomplete track, I found sort of astounding, especially as I submitted two Java security talks and one PHP talk. The official “security” track has two three hour talks, both detailed above. Even if you look at it from the point of view of OSCON having 16 tracks, hopefully with equal time for all of the tracks assuming there was a lot of competition for speaking slots, there should be 215/16 = ~ 13.4 security talks, not 7.

Although I am glad my friends are accepted whilst talking about security, I think OSCON needs a new program committee. This one is broken.

I’m currently in Colorado Springs doing some training for a customer.

The flight in was long - nearly 12 hours all up from the east coast, all told including delays and running to make my little rubber band plane connection. It takes only another 15 hours to make it to Australia. The puddle jumper was funny - as soon as we had finished climbing out of Denver, the hostie announced we had commenced our descent into Colorado Springs.

It was surprisingly cold. I suppose the wind and snow should have alerted me, but the last time I was here in late August / early September, it was over 30C every day.

I love coming here. Not only do we have a family friend (Hi Michelle! Hi Justine!) who lives here, the scenery includes Pike’s Peak dusted in snow outside my bedroom window every morning. You just can’t beat that.

I don’t think I could live here, though. I’m used to fast paced life, and things move at a leisurely pace, commensurate with Colorado Springs’ diminutive size.

Jim asked a great question - what is the current state of the nation for HttpOnly? I’m glad he asked!

Pass - read/write cookie protection

• IE 7.0
• Firefox >= 2.0.0.5
• Firefox 3.0 beta
• Camino 1.5.4

Barely Pass - read only cookie protection

• IE 6.0
• Opera 9.50 beta

Fail - no cookie protection

• Safari 3.1
• Firefox < 2.0.0.5
• Opera 9.2.6 (currently shipping stable version)

Coverage of HttpOnly Support

According to my Google Analytics account, 93.6% of browsers support HttpOnly for preventing being read. The worst offender is Apple, with a marketshare of 5.3% on my heavily trafficked site. They have no support whatsoever. In fact, they’ve had a bug outstanding for some time that no one is assigned. BAD APPLE!

Conclusion

Most sites do not use cookies for anything other than the session ID. This is best practice. In these instances, there is NO REASON for them to read or write the cookie using JavaScript. Although there are ways around HttpOnly (some work better than others, depending on your browser), it is worthwhile for frameworks and app server vendors to send this tag automatically. Those very few folks who really need to be pwned should have the ability to turn this protection off.

I’m working (slowly) on porting ESAPI to PHP. This will be great!

So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported like a 1000 of them already.  

Why ESAPI? 

Well, it’s a ready to use secure coding package. The ESAPI library is not about avoiding attacks, it’s about software engineering for web app security. ESAPI deliberately targets around 80% of security features of the average application (whatever your application is!) with the reference implementation, and for that 80% it does security 100% right so you don’t have to.

ESAPI covers nearly the entire OWASP Top 10, and some other issues besides:

• User object*
• Authentication* membership management classes - we have coded createUser, and friends, login, logout (with safe session and cookie termination), disable account, generateStrongPassword, automatic password hashing including salts, etc. 
• Access control*
• Access Reference Maps* - direct to indirect object reference maps. No longer do you need to jump through hoops to protect primary keys, files and other things that people can trivially tamper. Instead of filename=report.pdf, you can now trivially turn this into filename=4fd8Xz
• Encrypted configuration*. No more clear text passwords in config.php
• Encrypted and integrity protected cookies*
• Encrypted and integrity protected hidden fields*
• Hard core encoding utilities*, such as HTML, JSON, XML and LDAP encodings that only do whitelisting
• Easy to use Encryption support … with only access to SHA256 and AES other quality algorithms. No MD5 or DES here.
• Easy to use strong random number support … no more weak random values
• Executor* - safely call the operating system
• Integrated intrusion detection* - security events are automatically generated and logged
• Integrated Logging* - using log4php by default
• CSRF token management* 
• Thresholds* - automatically set rates for certain actions to help prevent brute forcing
• Validation libraries* that help you do white listing by default 
• Test suite to prove coverage and test all functionality 

Things with a star (*) are simply missing from PHP today, which is surprising considering EVERY SINGLE web application MUST have them. This is despite 5698 functions being defined in PHP today.  

If the PHP core folks want to talk about adopting these in PHP by default, OWASP would be more than happy to donate the code and re-license as appropriate. All PHP applications deserve this level of security.

So, please feel free to join us.

I am a bit of a science freak. I play experiments with myself to see which things work, and get rid of things that don’t. For example, since becoming diabetic I’ve tested the following things:

• The effect on my favorite breakfasts on my post meal blood sugar level. It turns out that I can only have minute quantities of any form of sugar, whether fructose from a slice of banana (!) to heaped tablespoons of white sugar on lemon pancakes (not good!). So I’m essentially stuck eating unrefined oat meal for breakfast, with no added sugar or salt.
• The effect of my favorite drinks. I can’t have OJ any more - it puts me in near-hospitalization blood sugar levels. I’ve settled on drinking essentially nothing but plain old filtered water, mineral (sparkling spring) water, and black coffee. Alcohol was already somewhat denied to me, so I am currently having a dry spell. Pretty bland, but good blood sugar control
• The effect of my previous day’s food on my fasting blood sugar level. No noticeable effect, so that value comes from my liver’s overnight excess production of blood sugars from probably a decade or more of excess insulin production
• The effect of exercise on my blood sugars. Excellent results - generally pulls me under 100 in the first hour of exercise, and stays that way for some time.
• In an on-going experiment, I am currently working on how to avoid my personal hypoglycemia in the late afternoon. For those of you who don’t have diabetes, anything under around 50-60 will give you the shakes. I get that when I’m under about 90-95 as my body is sugar tolerant. The effects of low blood sugar are terrible, and I need to fix it. I am settling on a low GI pick-me-up of a serve of oatmeal with some fruit as chocolate and sugars give me temporary (and fast) relief but a worse low, yoghurt and nuts seem to do nothing, and not doing anything just makes it worse.

From these ongoing experiments, I now have a relatively stable set of things that work, that don’t suck too much, and I have a bit of wiggle room when I must have something like a carrot cake or ice cream.

I am starting to get this thing under control - my fasting blood sugars are starting to get closer to the high end of “normal”, and my post-breakfast reading is usually not too bad. For my efforts, I am losing weight even though I am not doing anything in particular but constraining my carbohydrate intake to low GI type foods (salads, meat and other proteins, wheat (brown) breads, oatmeal, and wraps).

This brings me to my main point - the uselessness of well advised but crap advice. Being seriously overweight (nearly 75 kg - equivalent to the weight of a healthy man of my height) means following a diabetic path along with weight loss is actually incredibly hard. I look at all the things that work for others, and try them out. But I need to find my own special thing that will work for me, for I am in a race with my body to get rid of diabetic symptoms before I get insulin dependent and the host of bad things that can happen, like kidney failure, body parts amputated, and permanent eye damage.

I expect evidence based medicine to have sorted out what is necessary by now. However, the same old, same old mantra of “eat less, exercise more” is given. And as recently as this last Saturday when the nutritionist balanced a neurotic path telling us to not eat high GI foods, and then said don’t eat things heavy in protein or fat. Folks sticking to this same old same old adage of “eat less and exercise more, you fat lazy b…” have a less than 10% success rate. Placebo is better than that. Everyone loses a little bit and then they gain it all back and then some in no time. I certainly did and no less than 20 times.

Last week’s New Scientist had a nice little commentary on this exact thing. The author argues that the above mantra to “eat less, exercise more” alone has failed, and was the given received wisdom during a time of massive obesity growth. He calls for more research into things which will do better than placebo and to discard the current approach unless it is part of something that actually works for the majority of folks. I don’t think that is unreasonable at all, especially as I have a 100% failure rate at losing weight. 

Eat less and exercise more works - if you’re a machine. The folks on Biggest Loser do exactly this, and you know what, they really do lose the weight. But under the relentless eye of sadistic personal trainers, doctors, and nutritionists with gobs of daily exercise and essentially no outside food challenges. You and I can’t do “Biggest Loser” style weight loss without entering full time medical care. The human factor must be included in any solution as well as better nutrition advice beyond “eat less”. Exercise will always be a part of losing weight - there is no escaping it.

I am surprised that given all the research, the sheer profits that big pharma could make if they had a wonder drug, and that every weight loss program, even Weight Watchers, has “Results Not Typical“ disclaimers, that science has yet to come up with answers for folks like me who need to lose more than the average bear. It turns they have, but they don’t enjoy widespread support:

• Bariatric surgery. This forces you to eat less. It works, but you can still undermine it. There’s no “Results Not Typical” disclaimers with this path. Often seen as the easy way out as you have no choice but to eat less or you’ll throw up. The author beings up “lack of fortitude” in dieters, and obviously this is a failing of more than 90% of us. Bariatric surgery gives you fortitude - you have no choice. 
• Low fat, high protein carb diets, such as CSIRO Total Well Being Diet are looked down upon by nutritionists. The nutritionist I showed the actual scientific research to essentially dismissed the diet with saying that I should investigate the American Diabetes Organization’s website. Sure enough, they’re still in low fat, low carb land, recommending against the satiety that protein can bring. 
• High fat, high protein diets, like Atkins. Atkins is the only diet I’ve done where I lost more than 15 kg, essentially through not eating any carbs. I hated the diet as it was a bit monotonous and difficult to do. Worse, it made me feel weird. I now know that this was most likely due to hypoglycemia and if I had been able to measure my blood sugars at that time, I think I would have succeeded.

As I am not keen on undergoing surgery, I have to keep going on the CSIRO diet. So far, I’ve lost seven kilograms on it since November, and despite really hurting my foot to the extent that I could not go to the gym. This weight loss is approaching the half way point that I lost using Atkins. Unlike Atkins, it’s keeping my blood sugars okay as I’ve been able to work out through experimentation what works and what doesn’t. But I know in my heart of hearts than unless I lose enough to keep diabetes’ ravages at bay, I probably will have no alternative than to go for option number one. I’d rather have a little bit of surgery than to lose my kidneys, eyes or parts of my body. It’s incredibly motivating to keep on going either way.

I just wish that scientists researching in the field would really get their fingers out of their rectums and work out a way to get better than the placebo effect. Giving advice that provably does not work and will not work for the overwhelming majority of folks, whilst squishing and dismissing alternatives which may work better is simply not evidence based medicine. Nutrition is not pseudo science, like homeopathy - it’s actual science. Nutritionists should have figured out what needed to be done and stopped giving advice that clearly has failed. We deserve better, and before everyone becomes fat and ends up dying of preventable diseases all the while following their stupid and useless advice. 

In 2007, I realized I am not particularly good at prioritizing what time I have available. In true geek style, over the Christmas break I looked at all the recent time management fads to ensure I picked the laziest/easiest/geekiest (pick two), and found 43 Folders, which is based upon a slightly older - and dead tree form fad - Getting Things Done (GTD). The only downside to this particular fad is the fan boys are positively frothing at the mouth, which is what scared me off Python and Ruby on Rails. Rabid adherence is never a good sign. However, the things they want you to do are pretty simple, which is what attracts me to it.

43 Folders is a bit structured for this unstructured procrastinator. With procrastination, it’s not about “doing X now, but sometime in the future”. As any true procrastinator knows, there is an infinite range of substitute activities instead of “doing X now”. So don’t think I’m lazy, for I’m not. I just don’t achieve as much of the things I actually care about as I want. And with married life and a new daughter in a new country, the time I have available is dramatically reduced to when I was a bachelor cat slave back in Melbourne.

So far, I’ve:

• Cancel Something I’m no longer on the OWASP Board. I have totally given up the idea of writing another book for a while. I’m seriously thinking about giving up updating the next edition of the OWASP Guide as it’s just as much work (if not more) than writing a 300+ page book from scratch
• Replace a Project. I’ve picked a few things I love doing, and I’m going to find ways to do these first instead of things which interest me less. Obviously, family time comes first, but in what time I have remaining, my life should be fun and enjoyable. There’s no point in busting a gut to do something I don’t really enjoy. I’ve still yet to really do the maths to work out what makes me happiest, but once I do it, there will be a few more departures
• Time to declare DMZ E-mail Day (again)

So today, it’s DMZ E-mail Day on my renewed quest for Inbox Zero. I’ve archived all my work and personal e-mail for 2007. If you haven’t got a response from me for something, it’s time to re-send. 

It’s that time of the year again. In my previous list, it turned out I did some of the things I said I would, and a lot more besides.

In 2008, my desires are:

• Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife
• Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?
• Finish at least one piece of first class research in the web app sec field

Although my time will now necessarily be limited out of hours, I think it’s better to complete one or two really good ground breaking ideas than to spurt the same old, same old things over and over again. I think many of you know what I’m currently researching, and I hope to finish that by the end of the year.

Enjoy!

My current research is mainframe security as it applies to web applications. This is where the high hanging fruit (the golden apples) lie. If you can

a) fake or bypass authentication
b) fake or bypass authorization
c) spoof logging or otherwise destroy accountability
d) interact directly or indirectly with a deeply nested service of value
e) manipulate data to violate integrity (creation, update or delete)
f) view data (read)

you are most likely to pwn the high hanging fruit. It’s actually amazing to me how LITTLE information is available on securing this stuff, and how often products which are marketed as “enterprise ready” and “secure” are actually not worth running a faulty bidet let alone left in charge of multi-trillion dollar a day roles.

Then there’s the dumb architectures which often use clear text protocols, unauthenticated transfers (often using ftp or worse), batches with no integrity and no accountability controls, and so on. This field is amazing that no one has taken the time to really learn how to do it properly. It is not 1969 any more. The days when the data center was guarded and that’s how the punch cards arrived and the tapes left no longer apply.

However, there’s a few protocols and common transports which need some help first. I’m going to blog on those in the near term future.