Monthly Archives: May 2010

Censorship – Bye bye Labor

Posted on by
8

The Labor party is doomed to be a single term government. They are killing their support base – social progressives and young folks alike are abandoning ship like never before. I have never hidden my dislike for the conservative side of politics, but to totally kick sand in the face of your true believers time and time again is simply not smart.

WIth 99% of the Australian public against mandatory filtering, I just don’t see how this is a vote getter. The filter will not protect my daughter from pr0n, predators using Skype or MSN, spyware, or preventing her viewing unsavory sites. It will not block the primary mechanism for distributing child and extreme pr0n – P2P networks. There is no point to mandatory filtering except to stifle political dissent.

So why implement such an opaque scheme that’s already been abused and is open to further abuse? Who are the winners from this? Politicians don’t stick their necks out unless there’s a valid reason, and public morality is simply not one of them, especially when the idea is so repulsive to nearly all Australians except for a few ratbags. I can only imagine so it’s to shore up the crazy vote (Senator Fielding), without which Labor can’t govern.

To give some perspective, is it acceptable for the Government to:

  • Discipline my child?
  • Determine what my child will read, watch, or do?
  • Decide on her schooling?
  • Decide on her religious beliefs, or lack of them?

Government has no role in these key parenting decisions and in determining what she (and us all) will or will not see on the Internet. That’s every parents’ responsibility, and I will do it in my way – with no censorware. Her computer will be in a shared area until she can be trusted with her own, and even then… trust but verify.

Labor – you must dump Conroy now. He is a liability to you retaining the 18-40 year old vote, and indeed the 99% of folks who don’t want the Internet censored. Without this core set of voters (about 45% of the eligible voters), you’re never going to win office in your own right again.

Welcome to iPad fraud

Posted on by
Reply

In the rush to release hundreds of publication specific apps as quickly as possible, every media dinosaur is desperately trying to claw money from the cashed up iPad owners with micropayments and pay walls. This is a recipe for disaster – and it’s going to be a gold mine for security consultancies, and nothing but tears for users.

Why?

All of these apps have to implement their own pay wall, subscription model, and store regulated financial data. Whereas before Apple did all the hard yards, now Flash web designers are going to be cutting code in Objective C for the first time to handle credit cards.

Are they going to get it right every time? Absolutely not. Will some of them get it right? Yes, those that get code reviews or have a skilled financial services development team. How many media outlets meet these requirements?

Mark my words, there’s going to be a lot of folks making money out of the poor decision to not create a secure micropayments service for iPhoneOS.

Securency and bribery

Posted on by
2

Australia developed polymer (plastic) bank notes from the 1970′s onwards, and they’ve been our currency since the 1990′s.

This bank note technology is essentially counterfeit proof – notes can have holograms, microprinting, a transparent window, “watermarks”, very colorful inks, metallic strips, and the notes are long lasting and machine washable. There’s a lot of positives.

The company that is formed by the Reserve Bank of Australia to print and market this technology is called Securency. They’ve been embroiled in a bribery scandal.

I just don’t understand how a company with a technological monopoly (it’s hard to figure out how to print on plastic) let itself be the conduit for bribes, particularly in the countries where the bribes are alleged to have occurred.

If I was a negotiator, and my opponent asked for a commission, structured deals, or outright bribe, I’d just report them to the head office, let them report to the other side’s local police, and then wait for the other side to appoint a new negotiator after justice has seen to be done. Their new negotiator would be so careful it would not be funny – you mean to do business, but the stench of corruption will not be tolerated.

We’re talking central banks here. Countries that have corrupt central banks are failed states – we cannot and should not be a part of these countries.

Like all financial institutions, the RBA and Securency employees and agents would have had to have undergone background checks, and yet many of their representatives and head office staff still committed a very serious crime – one punishable by jail time in Australia. Just remember background checks are an indicator of past criminal convictions, not future actions. Don’t waste money on them – just have strict anti-corruption policies in place, and walk everyone is tainted. The rest of the staff will get the picture more than a background check ever will.

Sticking your neck out

Posted on by
4

For as long as I can remember, the standard “security” talk is a negative and destructive talk, where the presenter presents their latest “research” as if it’s going to solve world hunger, totally end the Internet as we know it, cure herpes, or put the spooks out of business as anyone could spy on the whole Internet.

The reality is that a few hours, weeks, or if it’s someone like Oracle circa 2005, years later, the problem is solved and we go back to giving our identities away for free on Facebook as if nothing had happened.

Seriously, why do we put up with this?

I believe it is because negative Chicken Little (“the sky is falling”) talks are much easier to do:

  • Hand waving talks can be put together on the plane whilst going to the conference, or even later if you don’t hit the bar as soon as you get to the hotel. Talks of this type include “Why the IT Security industry sucks”, “This language is garbage”, “What you know is all wrong”, and my favorite, “PCI sucks”. These talks have zero merit because you can’t fix them. They’re opinion pieces barely better than a script kiddy blog entry, and are typically badly researched opinions rather than game changers.
  • The buffer overflow, CSRF, Ajax, RIA, XSS, SQL injection, or latest attack with a twist talks are easy to do. You might need to start working on these talks at the airport lounge, but you’ll still pump out a talk. Patches for these talks are sometimes delivered before the talk has finished. The world has not ended.
  • The fuzzing talk is is a bit harder. You have to run the fuzzer and let it find at least one badness. Probably a good idea to do it the night before you fly. Better yet, run it against a bunch of products in case someone did a good job.
  • Developing new devastating attacks that can be blocked by CS101-level controls, like the magic pixie dust of input validation. What a complete WAFTAM.
  • The pinnacle of negative talks has awesome demos, but realistically still demonstrates a paucity of ideas (such as how to detect if you’re in a VM – I mean really, who cares?). I have respect for these researchers, and really wish they’d apply their talents to good quality positive research instead of wasting their most productive research years on pointless baubles.

Why are positive talks harder? Because you have to work at them!

  • Firstly, it’s about research, and original research is hard to do properly.
  • Research takes time, and consistent application to an idea that may not even pan out. But if you don’t do it, you’ll never know.
  • You have to find an area that is not yet solved. There’s a reason it’s not solved yet. These issues have made talented brains hurt already.
  • You have to think of a new and novel solution to the issue, and the solution should be effective, simple and cheap. Most of the speakers on the party circuit simply don’t have this capacity, and haven’t had an original idea in years.
  • You have to develop your solution and test it out against lab and real world scenarios to make sure it doesn’t suck. It helps if your solution is repeatable, your solution and code is documented, and its useable by others without sacrificing chickens.
  • Many folks write papers and talks as if they succeeded at first go. That’s not science, that’s puffing up Brand Speaker. We learn from the paths not taken more than the eventual solution. Think about CSRF and session fixation for example – there’s heaps of folks who think CSRF is solved by a random nonce. But it’s not the entire story. Same deal with click jacking. Write up your failures as much you write up your successes.
  • You have to hand your research and methods around to trusted peers to see what they think and hope they don’t spill the beans or steal your thunder. Once you’ve published, you need to make sure others can repeat your experiments and results.
  • If you want to change the world, you have to give it away. You can’t patent it. You can’t tie it up in trade secrets. You can’t keep it to yourself. This is the hardest of all – think of the IT landscape today if AT&T had kept Unix to themselves. Exactly.

Lastly, and probably the most important – positive research and subsequent talks means sticking your neck out. Your peers evaluate what you’ve said and how your solutions work. If you’re not sure of self, this can be a huge risk to one’s ego. If you’re wrong, it’s real bad and you’ll be a virgin for another year. If you’re right, you will get {girls, boys, furries} and invites to all the sexy parties*

I will not claim that all of the hundreds of controls I documented in the OWASP Guide 2.0 are right. In fact, I know some of them are wrong. That’s how science works. At least I stuck my neck out and documented what I thought at the time. I’m happy to come back to the controls, do the research to find new controls that do work with minimal cost, and document those.

For those of you lucky to know me personally, you’ll know that I have no shortage of self, in fact probably enough self for two people, but you need it if you’re going to have a shot at this brave new world of repeatable, scientific progress in the web application security field.

I hope to see more conferences like OWASP’s AppSec Research conference, to be held in Sweden this year. Make sure you go to it. More importantly, stop wasting time on negative talks, and get moving on doing that research for next year’s conference.

* This is actually false advertising, as you’ll struggle to be invited to most conferences even though your research and talk will mean more long term than 100 negative talks. On the other hand, I’ve been told that Furries are easy to rub the right way.

OWASP ASVS – also good for architecture reviews

Posted on by
4

I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a light weight security architecture template.

The good news is that it helped us decide a bunch of controls (using ESAPI of course) that will hopefully improve the security of the application. I’ll find out in a few months if any of it helped.

What worked: pretty much everything.

What didn’t work: Some controls are not relevant to some classes of application. Do your homework before you go into the meeting so you can skip over ASVS controls that simply can’t work.

We found that there are controls we discussed that aren’t in the ASVS. The ASVS is a 80%/20% (Pareto principle) standard as pretty much all apps come from such a low basis today, so any security improvement is a worthwhile improvement even if it’s not milspec. I wasn’t too fussed that we missed a few key items.

For those of you floundering around trying to figure out how to do Security Architecture reviews, ASVS can be your friend!

Going to OSCON 2010

Posted on by
1

I know I’ve ranted about this before, and this post is no different. OSCON still doesn’t have any security talks, which is like an engineering conference that doesn’t have any structural integrity talks.

A sample of non-functional requirements in the OSCON 2010 program:

  • Configuration Management – check*
  • Deployment – check
  • Documentation – check
  • Efficiency – check*
  • Legal issues – check
  • Performance – check*
  • Maintainability – check*
  • Quality – check*
  • Scalability – check*
  • Testability – check*

* I’m going to a few of these tutes and talks

And what they don’t cover:

  • Compliance – 0 talks
  • Privacy – 0 talks
  • Safety – 0 talks
  • Security – 0 talks, 1 three hour tutorial

And yet, security is the only NFR that can close your business, destroy shareholder value, get you sued, cost you dearly in compliance and remediation costs, limit your organization or project to irrelevance, and destroy privacy for millions of folks in one fell swoop of ineptitude and cluelessness.

One day, the papers committee will get a clue. It’s not 2010, though.

So all my open source chums – see you in Portland! :)

Upgrade to Ubuntu 10.04 LTS in VMWare Fusion – Keyboard issues

Posted on by
22

I upgraded my VMware Fusion image to Ubuntu 10.04 LTS over the weekend, and everything went well except for the keyboard. It wouldn’t work.

So here’s how I found out how to fix it:

  • Go to the Accessibility Preferences at the bottom of the screen, and tick on screen keyboard.
  • You have to reboot because for some unknown reason, it doesn’t start unless you do.
  • You can now type in your password on screen. Once logged in, your keyboard works
  • Go to terminal, and reconfigure your console:
sudo dpkg-reconfigure console-setup
  • Reboot, and you’re done.