cat slave diary

Well, I’m back from another year at Black Hat. This time, I taught one of my company’s 2D Web Application Security courses.

I think I may have been one of the very few courses that concentrated on defense, which is Black Hat’s tongue in cheek slogan (”Digital Self Defense”). I taught the folks in there (about a 50/50 mix of devs and PMs/architects/designers etc) not only “this is a SQL injection” but hey, we have a complete solution for this, and this is how it works.

The class was originally 15 - 20 in size, but ended up being more than double that. I’m pleased with the outcome and how many folks really liked the course. Hopefully, it will lead BH into more actual digital self defense rather than just claiming that territory whilst promoting offense, offense, offense.

I met up with a fair number of folks, including Dinis, and all too briefly Jeremiah, RSnake, Arian Evans, the blokes from the NAB (Justin et al), my mate Justin Derry who is now at Fortify, and a bunch of others.

I took in almost all of the appsec 1.0 / webappsec 2.0, except for the last session of the last day. It was a good conference and well worth the visit this year. There are always a couple of weak talks, including the one from the network pen testers who have cottoned on to 0days involving web apps which I found very amusing because they thought they were so hard core and l33t. Here’s a hint guys: if you can’t get 8-20 0days out of any web app, you’re not doing it right. It’s like whack a mole or stealing candy from a sleeping baby. And authorization attacks are automatable if you have the right tools. The only interesting thing from that talk was an extension of the old file format jumble, where some file formats have headers and some have trailers, and thus you can make a valid file that is both one thing and another. They had a GIF and a JAR. Past precedents include both ELF and Win32 binaries (from back in 2001) in the one binary, the 1×1 pixel image that is also a PHP exploit (my favorite). I’m sure there’s others prior to 2001.

Anyway, enough ranting for me. I had a good time, and I can hardly complain as I was sponsored there by my employer and thus bore nothing of the real costs of this trip.

Well, I’ve had the snip, which apparently is surprising to most of the folks who know us.

Both Tanya and I are pretty darn clucky. We want more kids. But there’s this huge issue we can’t get past - Tanya’s health is just not going to get any better any time soon. Her arthritis is looking like it is staying, and her meds to maintain a moderate level of activity are simply incompatible with a pregnancy. We were very lucky with Mackenzie that she wasn’t deformed or brain damaged or dependant. We can’t knowingly do that again to another child as it’s not our life we would be affecting.

After a couple of close calls recently, where there were two terrible choices - either Tanya going back to Australia with baby girl for nine months of bed rest at her parents and 10-15 hurls a day with the associated forced weight loss, or aborting, which both Tanya and I are against. We had to make a tough decision.

So here I am.

It’s not as bad a pain as I thought it would be, but it certainly wasn’t without it’s scary moments.

I’m not good with needles, and I’m sort of glad I was put under as I don’t think I could have coped with the normal process, which involves a needle to the each site to numb the skin, and then a big needle full of local to each of the testes so you can go home in some comfort before the real pain sets in. I don’t care if you’re brave or not, that’s just one big needle I could not face.

The biggest problem so far is getting up. You can’t lift more than 15 lbs, which is about 7 kg. Baby girl currently weighs about 10 or so kg, so basically I can’t lift her. I can’t easily lift me either. So getting up and down is a painful experience.

I’m resting comfortably. After 24 hours, the pain is manageable, and most likely I’ll be completely okay by Monday or Tuesday.

I’ve been busy over the weekend.

I met with Blake Turrentine at a diner near where I live. We had a good long discussion over breakfast on the future of the Guide 3.0.

The Guide 3.0 will be about how to design apps and code securely. That’s it. Only positive controls will be discussed unless the negative controls rule right now. For example, the Services “Databases” section will contain only the following sub-sections: Best practices (use an extremely low privilege account unique to your app, use an encrypted connection, store the connection credential securely, etc), Active Record / ORM, prepared statements, stored procedures.

The pattern in each sub-section will most likely be:

• What to do right
• Risk level of this control (All, Low, Medium or High risk apps)
• Why this works (using ESAPI if it’s got something to say about this control)
• Code snippets doing it right
• What this prevents (links to the testing or code review guide and any publicly known attacks using this mechanism)

There will be a “Worst Practices” sub-section containing Dynamic queries, and Stored Procedures Gotchas (discussing string concatenation, calling out to native features, and the use of exec, etc). The idea is that if there’s zero noise on bad controls, you’re more likely to do the right things, particularly if there’s supporting code.

It should be nice and short, especially in comparison with the 2.0 version as there will be only links to testing or code review material. There’s no point in repeating that material.

Although pen testing is considered sexy and a little bit naughty by the meejya (and thus “newsworthy” when plainly it is not), coupled those folks who consider themselves hard core l33t haxors get to go to all the nice parties with ladies of negotiable value, I think pen testing is not the best way to deal with crappy paradigms. If you’re still using dynamic queries, you have soooo much work to prove that you’re “safe”, and every few years when a new technique that exploits the root cause comes along, you’re hosed.

However, if you had spent far less time and money to use one of the three “safe” methods above, you’ll be “safe” for most values of “safe”. We have seen zero mechanisms to attack prepared statements in the last eight years. That’s a very successful control. Therefore, testing for SQL injection is sort of pointless and we can move onto the real golden apples, like direct object references and business logic flaws.

The Coding Top 10 will be a distilled version of the same material, but by necessity, it will concentrate only on ten items, instead of may be 200-300 items. Neil Smithline has agreed to take a shot at it, so I need to touch base with him this week.

In both cases, I’m looking for a healthy dose of contributors as there’s no way I could do the amount of out of hours work I put into the OWASP Guide 2.0 again. Tanya would kill me for a start! If you think you can help out, please join the OWASP Guide and Top 10 mail lists, and shout out!

Please don’t do it because you want to be invited to all the sexy parties and have ze ladies fall at your feet, or to get wealthy on the residuals. I will make this prediction right now: neither document will be feted by the press, and neither document will get much traction at the trendy conferences. Even though they will be the best things to help developers and businesses code properly ever written. Let’s make a start and see how things go.

We took Mackenzie to the pediatricians today. She did real well - even the vaccinations she only screamed for a few minutes. 

Here’s a few very recent photos for you!

• The first image is her sitting. By herself. At 3 and 3/4 months.
• The second image is her out on the porch wearing her snazzy new sunnies from Rebecca.
• The third image is her holding her own full bottle and drinking away without that much help. She’s been able to do this for a while, but we’ve not always had the camera to prove it

In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention my last year’s rant. Most likely, I will have to give up on submitting papers to certain open source developer’s conferences as honestly, why bother doing the work of doing the research, creating the paper and slides only to be rejected? Luckily, two of my submissions were from colleagues, so I didn’t squander a lot of resources on those talks, even though for example, I’m working on porting ESAPI to PHP, which is the subject of one of the rejected talks.

I’ve identified the following security talks for those security folks still considering going to OSCON (although I’d recommend saving your money for OWASP USA as we already have a schedule of 45 web app sec talks in three tracks, and two full days of tutorials, including several two day courses where you’ve got an actual chance of learning something. Just saying.)

• Securing the PHP environment with phpsecinfo, by Ed Finkler. This should be good - I’ve used it before and it’s a pretty cool way to tie down PHP properly. And Ed has contributed Inspekt to OWASP, and therefore he’s cool by me.
• PHP: Architecture, Scalability and Security, by Rasmus. Rasmus knows what he is talking about, but I don’t know how deep the security aspect will be. Hopefully, enough as it’s a three hour talk.
• PHP Taint Tool: It ain’t a parser, by Luke Wellings, a friend of mine from Australia who now lives with his lovely wife in Columbia MD. I’d love to see this tool in action.
• Hack this App! PHP security workshop, the usual sort of scare the punters talk common in talks at conferences I attended about 5-10 years ago. I really hope there’s some solutions in this one. There’s no point in saying you have a problem unless you have a solution, which is what all three of my submitted talks were. Especially the one on securing PHP apps and ESAPI for Java (although we have a completed .NET and soon a PHP port now)
• Perl Security, three hour talk by Paul Fenwick, also an Australian of my acquaintance
• How to improve quality and security automatically in your open source projects with static analysis, by David Maxwell (Coverity). Hopefully, this is just not a vendor plug, but even if it is … it is about solutions, and I like that.
• Security 2.0: Emerging Trends in Web Application Security, by Chris Shiflett. Also a friend, but sadly, not Australian.

So five talks and two three hour longer talks. Here it is in graphical format for you:

A couple of the talks are likely to not offer that much in the way of solutions. Sadly, no Ruby, Python, administration, database, emerging topics, or people security talks. Worse, there are no Java security talks, which for an semi-incomplete track, I found sort of astounding, especially as I submitted two Java security talks and one PHP talk. The official “security” track has two three hour talks, both detailed above. Even if you look at it from the point of view of OSCON having 16 tracks, hopefully with equal time for all of the tracks assuming there was a lot of competition for speaking slots, there should be 215/16 = ~ 13.4 security talks, not 7.

Although I am glad my friends are accepted whilst talking about security, I think OSCON needs a new program committee. This one is broken.

I’m currently in Colorado Springs doing some training for a customer.

The flight in was long - nearly 12 hours all up from the east coast, all told including delays and running to make my little rubber band plane connection. It takes only another 15 hours to make it to Australia. The puddle jumper was funny - as soon as we had finished climbing out of Denver, the hostie announced we had commenced our descent into Colorado Springs.

It was surprisingly cold. I suppose the wind and snow should have alerted me, but the last time I was here in late August / early September, it was over 30C every day.

I love coming here. Not only do we have a family friend (Hi Michelle! Hi Justine!) who lives here, the scenery includes Pike’s Peak dusted in snow outside my bedroom window every morning. You just can’t beat that.

I don’t think I could live here, though. I’m used to fast paced life, and things move at a leisurely pace, commensurate with Colorado Springs’ diminutive size.

Jim asked a great question - what is the current state of the nation for HttpOnly? I’m glad he asked!

Pass - read/write cookie protection

• IE 7.0
• Firefox >= 2.0.0.5
• Firefox 3.0 beta
• Camino 1.5.4

Barely Pass - read only cookie protection

• IE 6.0
• Opera 9.50 beta

Fail - no cookie protection

• Safari 3.1
• Firefox < 2.0.0.5
• Opera 9.2.6 (currently shipping stable version)

Coverage of HttpOnly Support

According to my Google Analytics account, 93.6% of browsers support HttpOnly for preventing being read. The worst offender is Apple, with a marketshare of 5.3% on my heavily trafficked site. They have no support whatsoever. In fact, they’ve had a bug outstanding for some time that no one is assigned. BAD APPLE!

Conclusion

Most sites do not use cookies for anything other than the session ID. This is best practice. In these instances, there is NO REASON for them to read or write the cookie using JavaScript. Although there are ways around HttpOnly (some work better than others, depending on your browser), it is worthwhile for frameworks and app server vendors to send this tag automatically. Those very few folks who really need to be pwned should have the ability to turn this protection off.

I’m working (slowly) on porting ESAPI to PHP. This will be great!

So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported like a 1000 of them already.  

Why ESAPI? 

Well, it’s a ready to use secure coding package. The ESAPI library is not about avoiding attacks, it’s about software engineering for web app security. ESAPI deliberately targets around 80% of security features of the average application (whatever your application is!) with the reference implementation, and for that 80% it does security 100% right so you don’t have to.

ESAPI covers nearly the entire OWASP Top 10, and some other issues besides:

• User object*
• Authentication* membership management classes - we have coded createUser, and friends, login, logout (with safe session and cookie termination), disable account, generateStrongPassword, automatic password hashing including salts, etc. 
• Access control*
• Access Reference Maps* - direct to indirect object reference maps. No longer do you need to jump through hoops to protect primary keys, files and other things that people can trivially tamper. Instead of filename=report.pdf, you can now trivially turn this into filename=4fd8Xz
• Encrypted configuration*. No more clear text passwords in config.php
• Encrypted and integrity protected cookies*
• Encrypted and integrity protected hidden fields*
• Hard core encoding utilities*, such as HTML, JSON, XML and LDAP encodings that only do whitelisting
• Easy to use Encryption support … with only access to SHA256 and AES other quality algorithms. No MD5 or DES here.
• Easy to use strong random number support … no more weak random values
• Executor* - safely call the operating system
• Integrated intrusion detection* - security events are automatically generated and logged
• Integrated Logging* - using log4php by default
• CSRF token management* 
• Thresholds* - automatically set rates for certain actions to help prevent brute forcing
• Validation libraries* that help you do white listing by default 
• Test suite to prove coverage and test all functionality 

Things with a star (*) are simply missing from PHP today, which is surprising considering EVERY SINGLE web application MUST have them. This is despite 5698 functions being defined in PHP today.  

If the PHP core folks want to talk about adopting these in PHP by default, OWASP would be more than happy to donate the code and re-license as appropriate. All PHP applications deserve this level of security.

So, please feel free to join us.

I am a bit of a science freak. I play experiments with myself to see which things work, and get rid of things that don’t. For example, since becoming diabetic I’ve tested the following things:

• The effect on my favorite breakfasts on my post meal blood sugar level. It turns out that I can only have minute quantities of any form of sugar, whether fructose from a slice of banana (!) to heaped tablespoons of white sugar on lemon pancakes (not good!). So I’m essentially stuck eating unrefined oat meal for breakfast, with no added sugar or salt.
• The effect of my favorite drinks. I can’t have OJ any more - it puts me in near-hospitalization blood sugar levels. I’ve settled on drinking essentially nothing but plain old filtered water, mineral (sparkling spring) water, and black coffee. Alcohol was already somewhat denied to me, so I am currently having a dry spell. Pretty bland, but good blood sugar control
• The effect of my previous day’s food on my fasting blood sugar level. No noticeable effect, so that value comes from my liver’s overnight excess production of blood sugars from probably a decade or more of excess insulin production
• The effect of exercise on my blood sugars. Excellent results - generally pulls me under 100 in the first hour of exercise, and stays that way for some time.
• In an on-going experiment, I am currently working on how to avoid my personal hypoglycemia in the late afternoon. For those of you who don’t have diabetes, anything under around 50-60 will give you the shakes. I get that when I’m under about 90-95 as my body is sugar tolerant. The effects of low blood sugar are terrible, and I need to fix it. I am settling on a low GI pick-me-up of a serve of oatmeal with some fruit as chocolate and sugars give me temporary (and fast) relief but a worse low, yoghurt and nuts seem to do nothing, and not doing anything just makes it worse.

From these ongoing experiments, I now have a relatively stable set of things that work, that don’t suck too much, and I have a bit of wiggle room when I must have something like a carrot cake or ice cream.

I am starting to get this thing under control - my fasting blood sugars are starting to get closer to the high end of “normal”, and my post-breakfast reading is usually not too bad. For my efforts, I am losing weight even though I am not doing anything in particular but constraining my carbohydrate intake to low GI type foods (salads, meat and other proteins, wheat (brown) breads, oatmeal, and wraps).

This brings me to my main point - the uselessness of well advised but crap advice. Being seriously overweight (nearly 75 kg - equivalent to the weight of a healthy man of my height) means following a diabetic path along with weight loss is actually incredibly hard. I look at all the things that work for others, and try them out. But I need to find my own special thing that will work for me, for I am in a race with my body to get rid of diabetic symptoms before I get insulin dependent and the host of bad things that can happen, like kidney failure, body parts amputated, and permanent eye damage.

I expect evidence based medicine to have sorted out what is necessary by now. However, the same old, same old mantra of “eat less, exercise more” is given. And as recently as this last Saturday when the nutritionist balanced a neurotic path telling us to not eat high GI foods, and then said don’t eat things heavy in protein or fat. Folks sticking to this same old same old adage of “eat less and exercise more, you fat lazy b…” have a less than 10% success rate. Placebo is better than that. Everyone loses a little bit and then they gain it all back and then some in no time. I certainly did and no less than 20 times.

Last week’s New Scientist had a nice little commentary on this exact thing. The author argues that the above mantra to “eat less, exercise more” alone has failed, and was the given received wisdom during a time of massive obesity growth. He calls for more research into things which will do better than placebo and to discard the current approach unless it is part of something that actually works for the majority of folks. I don’t think that is unreasonable at all, especially as I have a 100% failure rate at losing weight. 

Eat less and exercise more works - if you’re a machine. The folks on Biggest Loser do exactly this, and you know what, they really do lose the weight. But under the relentless eye of sadistic personal trainers, doctors, and nutritionists with gobs of daily exercise and essentially no outside food challenges. You and I can’t do “Biggest Loser” style weight loss without entering full time medical care. The human factor must be included in any solution as well as better nutrition advice beyond “eat less”. Exercise will always be a part of losing weight - there is no escaping it.

I am surprised that given all the research, the sheer profits that big pharma could make if they had a wonder drug, and that every weight loss program, even Weight Watchers, has “Results Not Typical“ disclaimers, that science has yet to come up with answers for folks like me who need to lose more than the average bear. It turns they have, but they don’t enjoy widespread support:

• Bariatric surgery. This forces you to eat less. It works, but you can still undermine it. There’s no “Results Not Typical” disclaimers with this path. Often seen as the easy way out as you have no choice but to eat less or you’ll throw up. The author beings up “lack of fortitude” in dieters, and obviously this is a failing of more than 90% of us. Bariatric surgery gives you fortitude - you have no choice. 
• Low fat, high protein carb diets, such as CSIRO Total Well Being Diet are looked down upon by nutritionists. The nutritionist I showed the actual scientific research to essentially dismissed the diet with saying that I should investigate the American Diabetes Organization’s website. Sure enough, they’re still in low fat, low carb land, recommending against the satiety that protein can bring. 
• High fat, high protein diets, like Atkins. Atkins is the only diet I’ve done where I lost more than 15 kg, essentially through not eating any carbs. I hated the diet as it was a bit monotonous and difficult to do. Worse, it made me feel weird. I now know that this was most likely due to hypoglycemia and if I had been able to measure my blood sugars at that time, I think I would have succeeded.

As I am not keen on undergoing surgery, I have to keep going on the CSIRO diet. So far, I’ve lost seven kilograms on it since November, and despite really hurting my foot to the extent that I could not go to the gym. This weight loss is approaching the half way point that I lost using Atkins. Unlike Atkins, it’s keeping my blood sugars okay as I’ve been able to work out through experimentation what works and what doesn’t. But I know in my heart of hearts than unless I lose enough to keep diabetes’ ravages at bay, I probably will have no alternative than to go for option number one. I’d rather have a little bit of surgery than to lose my kidneys, eyes or parts of my body. It’s incredibly motivating to keep on going either way.

I just wish that scientists researching in the field would really get their fingers out of their rectums and work out a way to get better than the placebo effect. Giving advice that provably does not work and will not work for the overwhelming majority of folks, whilst squishing and dismissing alternatives which may work better is simply not evidence based medicine. Nutrition is not pseudo science, like homeopathy - it’s actual science. Nutritionists should have figured out what needed to be done and stopped giving advice that clearly has failed. We deserve better, and before everyone becomes fat and ends up dying of preventable diseases all the while following their stupid and useless advice. 

In 2007, I realized I am not particularly good at prioritizing what time I have available. In true geek style, over the Christmas break I looked at all the recent time management fads to ensure I picked the laziest/easiest/geekiest (pick two), and found 43 Folders, which is based upon a slightly older - and dead tree form fad - Getting Things Done (GTD). The only downside to this particular fad is the fan boys are positively frothing at the mouth, which is what scared me off Python and Ruby on Rails. Rabid adherence is never a good sign. However, the things they want you to do are pretty simple, which is what attracts me to it.

43 Folders is a bit structured for this unstructured procrastinator. With procrastination, it’s not about “doing X now, but sometime in the future”. As any true procrastinator knows, there is an infinite range of substitute activities instead of “doing X now”. So don’t think I’m lazy, for I’m not. I just don’t achieve as much of the things I actually care about as I want. And with married life and a new daughter in a new country, the time I have available is dramatically reduced to when I was a bachelor cat slave back in Melbourne.

So far, I’ve:

• Cancel Something I’m no longer on the OWASP Board. I have totally given up the idea of writing another book for a while. I’m seriously thinking about giving up updating the next edition of the OWASP Guide as it’s just as much work (if not more) than writing a 300+ page book from scratch
• Replace a Project. I’ve picked a few things I love doing, and I’m going to find ways to do these first instead of things which interest me less. Obviously, family time comes first, but in what time I have remaining, my life should be fun and enjoyable. There’s no point in busting a gut to do something I don’t really enjoy. I’ve still yet to really do the maths to work out what makes me happiest, but once I do it, there will be a few more departures
• Time to declare DMZ E-mail Day (again)

So today, it’s DMZ E-mail Day on my renewed quest for Inbox Zero. I’ve archived all my work and personal e-mail for 2007. If you haven’t got a response from me for something, it’s time to re-send.