Salmagundi? That’s the word for a seventeenth-century English dish made of an assortment of wildly varying ingredients. Typically, they include some cut-up hard-boiled egg, but then after that, anything goes: meat, seafood, fruits and veg, nuts and flowers and all manner of dressings and sauces. The term comes from the French “salmigondis”, which translates as “hodgepodge”.

In this case, I’m using “salmagundi” as a term for a mixed bag of new items that you might find interesting as a developer.

The Tangled Web: A Guide to Securing Modern Web Applications

I’m currently in the middle of reading Michal Zalewski’s new book, The Tangled Web: A Guide to Securing Modern Web Applications and it’s been a fascinating, enlightening and enjoyable read. At first glance, you might be tempted to simply sum it up as a “security book”; I think it’s more accurate to describe it as “a great review of how browsers, their protocols, programming languages and security features work, and how to write secure apps given this knowledge”. Given that web security is a rapidly moving target, especially with the browser vendors – even the formerly-pokey Microsoft – cranking out versions at a faster rate, Zalewski’s approach to the topic is the right one: make sure the reader is clear on the basic principles, and then derive the security maxims from them, giving the knowledge contained within the book a much longer “shelf life”.

The Tangled Web is divided into three parts:

1. Anatomy of the web. A tour of the web’s building blocks, from URL structure, HTTP and HTML to how it’s all rendered: CSS, client-side scripting languages, non-HTML documents and plug-ins.
2. Browser security features. All the mechanisms that keep the malware from 0wnz0ring your system – the same-origin policy, frames and cross-domain content, content recognition mechanisms, dealing with rogue scripts and extrinsic site privileges (that is, privileges that aren’t derived from the web content, but from settings within the browser).
3. A glimpse of things to come. A look at some of the proposed security mechanisms and approaches that may or not become standard parts of the web.

Each chapter except the last ends with a “Security Engineering Cheat Sheet”, which functions as both a summary of the material within the chapter and a security checklist. The last chapter is titled Common Web Vulnerabilities and lists vulnerabilities specific to web application, problems to keep in mind when designing web apps and common problems unique to server-side code.

I’m going to be showing The Tangled Web around the office (especially now, since I’m physically in Shopify’s headquarters this week). I’m sure the developers know a lot of this stuff, but they’re a bunch who are always eager to learn, review and “sharpen the saw”, so I think they’ll find it useful. If you develop web apps, whether for fun or to pay the rent, you’ll want to check out this book as well.

CUSEC 2012: Montreal, January 19 – 21

Ah, CUSEC: the Canadian University Software Engineering Conference. This for-students-by-students conference punches well above its weight class. I’ve been to tech conferences put on by so-called full-time “professionals” that can’t hold a candle to what the students behind CUSEC do every year in addition to their course loads.

Better yet is the caliber of speakers they’ve been able to bring in: Kent Back, Joel Spolsky, David Parnas, Greg Wilson, Chad Fowler, Kathy Sierra, Dave Thomas, Venkat Subramanian, Jeff Atwood, Tim Bray, John Udell, Avi Bryant, Dan Ingalls, Giles Bowkett, Leah Culver, Francis Hwang, Doug Crockford, Matt Knox, Jacqui Maher, Thomas Ptacek, Reg Braithwaite, Yehuda Katz, of course Richard M. Stallman, in whose auction I made the winning bid for a plush gnu, which I paid with my Microsoft credit card.

This year’s CUSEC theme is “Turing Complete” in honor of 2012 being the 100th anniversary of Alan Turing. He established his place in history as the father of computer science by formalizing concepts like “algorithm” and “computation” with the concept of the Turing Machine, proposing the Turing Test in an attempt to answer the question “Can machines think?”, working as a codebreaker at Bletchley Park (I like to say “He beat the Nazis…with math!”) and coming up with one of the first designs for a stored-program computer. He even found his way into pop culture by getting name-checked in Cryptonomicon and The Social Network.

Once again, Shopify will be there as a sponsor and once again, I will be hosting the DemoCamp at CUSEC. If you’re a university student studying computer science or computer engineering, you should come to Montreal from January 19th through 21st and catch one of the best conferences you’ll ever attend. Bring your resume: we’re looking for talented programmers who want to work us!

HTTPcats

Cat pictures meet motivational posters meet HTTP status codes! It’s the Perfect Storm!

This article also appears in the Shopify Technology Blog.

The ASP.NET Security Vulnerability

Chances are that you’ve seen the Microsoft Security Advisory, but in case you haven’t here’s the "tl;dr" version:

• There’s a vulnerability in ASP.NET that was publically disclosed late on Friday at a security conference.
• An attacker using this vulnerability can:
  • Request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).
  • Decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How Does the Vulnerability Work?

The vulnerability is based on a cryptographic oracle. When talking amongst the crypto crowd, an “oracle” refers to a system that gives away hints if you ask it the right questions.

Within ASP.NET, there’s a vulnerability that acts like a “padding oracle”. An attacker can send ciphertext to the web server and learn if it was decrypted properly by looking at the error code returned by the server. Make lots of requests like that while keeping track of the error codes returned, and you can learn enough to decrypt the ciphertext.

How Do You Work Around the Vulnerability (the high-level version)?

The vulnerability works because of the different error codes returned by the server. The workaround is to change the error handling withing ASP.NET so that it always sends the same error each time, regardless of the error, thereby cancelling the “oracular” behaviour.

More specifically, this involves enabling the <customErrors> feature of ASP.NET and mapping all errors to return the same error page.

How Do You Work Around the Vulnerability (the step-by-step version)?

Scott Guthrie’s blog has the step-by-step instructions for:

• Working around the vulnerability
• Making sure that the workaround has been enabled
• Finding vulnerable ASP.NET applications on your server
• Finding out more about the vulnerability

If you’ve got an ASP.NET-based application, make sure you’ve set up the workaround!

This article also appears in Canadian Developer Connection.

You’ve heard the stories about people choosing terribly obvious passwords for their various computer accounts, such as “password” and “12345”, but what are the other ones? In his book, Perfect Passwords: Selection, Protection, Authentication, Mark Burnett compiled the most common easy-to-crack passwords, most of which are ordinary words or key sequences that are easy to type on a QWERTY keyboard. I’m amused by some of the pop culture-based passwords, such as “Rush2112”, “8675309” and the X-Files inspired “TrustNo1”.

Someone else — I don’t who who did it — decided to turn that list into the hand-lettered poster shown above. You can click it to see it at a larger size.

In addition to being a good list showing the sort of password you shouldn’t use, it’s also a great name generator. You could take two random items from the list to create new character names for a Metal Gear game (“Tomcat Eagle1” makes just about as much sense as “Solid Snake” or “Sniper Wolf”) or any three to come up with the name of your band or prison softball team (“Bigdick Magnum Juice”).

This article also appears in The Adventures of Accordion Guy in the 21st Century.

Click the photo to see it at full size.

“Flintstones/Jetsons” is a term that Mark Mothersbaugh from Devo uses to describe technology solutions that are a combination of low- and high-tech. It’s probably an apt term for what the driver of the Renault in the photo above is doing to foil licence plate cameras. If the “Jetsons” part – the SQL injection attack comprising the text on the banner on the bumper – doesn’t work, the “Flintstones” approach of physically covering up the licence plate will.

SQL Injection-a-Rama

No quick tour of SQL injection is complete without mentioning this classic XKCD comic, Exploits of a Mom. If you’ve ever heard someone use the phrase “Little Bobby Tables” when talking about databases and security, here’s where it comes from:

Want a good introduction to SQL injection attacks? Start with SQL Injection Attacks by Example at Steve Friedl’s Unixwiz.net Tech Tips. It walks you through the steps of an SQL injection attack, where a cracker (note that I said “cracker” – there are hackers and crackers, and there’s a difference) uses a combination of deductive reasoning and unexpected, unsanitized input to get unintended results from the database.

Also worth checking out:

• OWASP’s wiki entry on SQL injection
• OWASP’s SQL injection prevention cheat sheet
• MSDN’s entry on SQL injection
• SecuriTeam’s article on SQL injection

Here’s an enjoyable presentation by Joe McCray on Advanced SQL Injection, which he gave at the 2009 LayerOne conference. He likes to drop the “f-bomb” and “s-bomb” every now and again while presenting, but if you don’t mind a little salty language, it’s a good security talk:

(You can download the slides from Joe’s presentation in PDF format here.)

This article also appears in Canadian Developer Connection.

I met Peter “Mudge” Zatko at the Cult of the Dead Cow’s hotel bungalow at DefCon 8, the 2000 edition of the notorious hacker conference. My coworker at OpenCola, Oxblood Ruffin, was a member of the the “cDc” and introduced me and the other OpenColans to him and the other nicknames in the group: “Sir Dystic”, “Dildog”, “Deth Veggie”, “Night Stalker”, “Grandmaster Ratte” and many other black-clad, charmingly oddball characters far more interesting than the characters in the movie Hackers. I think I learned more about security in the hour-long group conversation with him than I’ve learned from countless corporate security training videos and training courses. Later at the conference, the cDc would hand out more copies of Back Orifice 2000, a tool that would cause much heartburn to many people at the company where I now work.

He’s now got a big gig: Program Manager at the Strategic Technologies Office at DARPA, the Defense Advanced Research Projects Agency, the R&D office for the Department of Defense. His area of focus? Security, naturally.

Mudge was responsible for the early research into buffer overflow attacks and published one of the first papers on the topic. In 1998, he and others from L0pht Heavy Industries (a.k.a. “The L0pht”, a hacker think tank) testified before a Senate committee, saying that they could take the internet down in 30 minutes. L0pht was acquired by the security company @stake in 1999, and in 2000, the company where I worked, OpenCola, hired them to do some security consulting. He’s met with President Clinton to talk about DOS attacks and worked at BBN as a division scientist.

I’m curious to see what Mudge can do with government gear and a big budget. In the cnet article, he talks about actively responding to threats. "I don’t want people to be putting out virus signatures after a virus has come out," he says. "I want an active defense. I want to be at the sharp pointy end of the stick."

Do not mess with his pointy end! Congrats, Mudge!

This article also appears in Canadian Developer Connection.

The 2009 edition of the RSA Conference, the biggest and best-known cryptography and information security conference, took place last month in San Francisco. Each year, the conference has a theme based on or relevant to crypto or infosec, and this year’s theme was Edgar Allen Poe (previous themes include the Navajo Code Talkers of World War II, the secrets of the Mayans, Mary Queen of Scots and Alan Turing).

The people behind the conference were kind enough to post video of the keynotes, which I found thanks to a pointer from TechNet’s Jeff Jones, author of the Jeff Jones Security Blog. You can click on the links below to watch the videos. Jeff strongly recommends that you do not miss the opening ceremony segment of the “Day 1 Keynotes” video, and I don’t have to tell you that you should catch the closing keynote, featuring Adam Savage and Jamie Hyneman of the popular nerd television series Mythbusters:

• Day 1 keynotes
• Day 2 keynotes
• Day 3 keynotes
• Day 4 keynote: The Hugh Thompson Show, featuring the music video  “The Security Rap”
• Day 4 keynote: The Mythbusters, Adam Savage and Jamie Hyneman

This article also appears in Canadian Developer Connection.

I caught the afternoon sessions of MeshU, the day of workshops that precedes the Mesh Conference. MeshU had three tracks – Design, Development and Management – and I chose to attend the sessions in the Development track.

Leigh Honeywell on Writing Secure Software

First up was HackLabTO cofounder Leigh Honeywell, (pictured on the right) whose presentation was titled Break It to Make It: Writing (More) Secure Software. She works at the MessageLabs subsidiary of Symantec, which makes security products for email systems, and before that, she worked as an independent security consultant. Simply put, security is both her job and her hobby.

Leigh provided an informative and entertaining summary of the most common security vulnerabilities in applications and the recommended best practices for writing secure apps. Here’s a photo of her slide showing OWASP’s ten principles that you should follow in order to write secure applications:

The ten principles are:

1. Minimize attack surface area
2. Establish secure defaults
3. Least privilege
4. Defense in depth
5. Fail securely
6. Don’t trust services
7. Separation of duties
8. Avoid security through obscurity
9. Keep security simple
10. Fix security issues correctly

She also covered what OWASP considers to be the current top ten vulnerabilities:

1. Cross-site scripting
2. Injection flaws
3. Malicious file execution
4. Insecure direct object references
5. Cross-site request forgeries
6. Information leakage / improper error handling
7. Broken authentication and improper error handling
8. Insecure cryptographic storage
9. Insecure communciations
10. Failure to restrict URL access

At the end of her presentation, Leigh listed a couple of books that she considered to be valuable security references. One of them was Writing Secure Code, Second Edition, written by Michael Howard and Steve Lipner and published by Microsoft Press.

This was a surprise to many people in the audience, the majority of whom were not building apps on Microsoft technologies and generally (and often mistakenly) think of the term “Microsoft” being synonymous with “insecure”. A number of people chatted with me after the presentation and it seemed like this was one of many things from Microsoft that caught them by surprise, along with other unexpected things including the MS-PL license, CodePlex and the Open Source Lab, the new emphasis on standards and interoperability…and hey, even taking on “unlikely” evangelists such as David Crow and me.

Here’s her slide deck:

Pete Forde Does the iPhone Dance

Next was Pete Forde, one of people behind the development shop Unspace and the RubyFringe and FutureRuby conferences. He started his presentation, Is That an iPhone in Your Pocket, or are You Just Happy to See Me?, with a Napoleon Dynamite-esque dance number set to the tune of Start the Riot by Atari Teenage Riot. Here’s the video of the dance that Leigh Honeywell shot:

And here’s the video that I shot:

Pete’s presentation covered the options that developers have when building iPhone apps. For the curious, here’s the deck he used:

The one thing that he wanted you to take away from his presentation is, in his own words:

Consider iPhone web applications and side-stepping the iTunes Application Store (and their 30% gross cut) completely.

The one thing that I took away from the presentation (in addition to the one above) was that it’s not all smiles and sunshine in iPhone development land. Yes, the iPhone provides an excellent user experience and the App Store has been a hit with the customers and many developers. However, a good chunk of Pete’s presentation was about how some of the biggest obstacles for iPhone developers come from Apple itself; I’ve heard that there were similar grumblings at an iPhone developer meetup that took place later in the week. I think that there are some things that Windows Mobile developers (and the Windows Mobile team at Microsoft) can learn from these obstacles, and I’m going to write about them in a later article.

Chris Wanstrath and the Story of GitHub

The final presentation of the afternoon, Building a Business with Open Source, was given by Chris Wanstrath of GitHub, a hosting service for software repositories created with the Git distributed version control system. There are a number of open source projects hosted on GitHub, including one you might not expect: Microsoft’s very own IronRuby.

Chris explained that GitHub was an answer to a problem that he and his friends had: they were working on a number of open source projects, so many that managing them was “beginning to wear them down”. GitHub was created as a solution to that problem: it took care of the tedious parts of source code management so that they could focus on their code.

Although GitHub hosts a number of open source projects and uses Git, which is open source, it is not open source. Chris explained that managing an open source project takes up more time that he or the others on the team have. “Ironically,” he said, “starting GitHub has given me less time to work on open source.” After hinting at his dissatisfaction with the GNU General Public License, an audience member asked "Does the GPL cause you nightmares?"

“Yes,” he replied, after which he endorsed his preferred open source license. “MIT license all the way,” he said.

To promote GitHub, they took an approach that was closer in spirit to evangelism than standard marketing. “Companies still believe in old-school advertising, and they also think that what works offline works online,” he said. So they rely on the standard offline methods of promoting their wares: advertisements and marketing campaigns. In the online world, people trust their peers, so they opted for an approach that he called “guerilla marketing”: instead of spending money on ads, they spent money to hang out with developers, buy them beer and pizza and provide “a human face” to GitHub. He summed up the approach with a good one-liner: “Who knew that actually spending time with your customers would be good for business?" A great point, especially in today’s word-of-mouth-y, interconnected world.

According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party apps to attack people’s systems instead. Microsoft’s data agrees with that of independent anti-malware company Kapersky Lab: while direct attacks on XP account for almost half of its vulnerabilities, nearly all attacks on Vista are done by way of exploiting third-party software.

ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:

One question that comes to mind: is it because Vista is more secure, or because attacking XP is a better approach because it represents a larger base of targets? I certainly don’t know the answer.

Another question that naturally arises from this is: How do you solve the problem of vulnerabilities through third-party apps? I’m a firm believer in Bruce Schneier’s maxim, “security is a process, not a product,” and think that the best approach is a multi-pronged one. The prong for which I’m responsible is educating developers about application security, and as I find out more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as in some of Microsoft’s developer-focused sites.

Recommended Reading

• ZDNet: Microsoft: Third party apps killing our security.
• Microsoft Malware Protection Center: The Latest Security Inteliigence Report.
• New York Times: On Security, Microsoft Reports Progress and Alarm

Yes, you could simply secure your wireless access point, but the truly paranoid like to back it up with a sign:

Photo courtesy of ImagePoop.com

Last night, I attended a special sneak preview for Internet Explorer 8 Beta 2 organized by the folks at High Road Communications, who do the PR for Microsoft here in Toronto. Pete LePage, Product Manager of Internet Explorer Developer Division, did the presentation, and also present were Elliot Katz, Senior Product Manager for Microsoft Canada, Daniel Shapiro, Microsoft Canada’s Audience Manager, and my friend and fellow DemoCamp steward David Crow, Tech Evangelist for Microsoft Canada.

Let me get the disclosure part out of the way. Attending this event got me:

• Free drinks and snacks during the presentation and a free dinner afterwards,
• One Internet Explorer 8 gym water bottle with a tag inside it saying “BPA Free”,
• and one 1GB USB key containing installers for IE8 (pictured in my laptop above) and the IE8 Evaluators’ Guide (a Word document that walks you through IE8′s features).

I’ve been to a couple of these Microsoft events before. The one about their “Windows Live” sites didn’t interest me at all, and the Vista one I attended was largely for people who did IT at companies with 1000 or more employees, which really isn’t my area of interest either (and the Vista preview installer they gave me resulted in disaster). This one was a considerably more interesting, as Pete put on a good presentation and it appears that Microsoft is making an effort to match the competing browsers.

Over the next little while, I’ll post articles covering my experiences as I take IE8 for a spin. In this article, I’ll mostly be talking about InPrivate Browsing, which is colloquially known as “Porn Mode”.

“Porn Mode”, a.k.a. “InPrivate Browsing”

The implementation of a browser session in which history, cache and other “trails of breadcrumbs” are deleted as soon as the session is over isn’t new: Apple’s Safari has a “Private Browsing” feature and there’s a Firefox extension that provides the same utility. However, for those not using Macs and especially those who aren’t the type to download and install Firefox and then install a plugin — and there are lots of these people out there — IE8 may be their first opportunity to try out such a feature.

Banking, Not Wanking

In his presentation, Pete was careful to take the “Banking, not wanking” approach when covering InPrivate Browsing, suggesting all sorts of non-saucy uses for the feature, including doing online banking, shopping for surprise presents for your spouse, surfing from a public terminal and so on. The Microsoft people present took my constant referring to it as “Porn Mode” in great stride, and I thank them for having a sense of humor about it.

The Problem

Convenience features like history, cache, automatic username and password field-filling are handy, but they sometimes have unintended consequences. For instance, suppose you, as a healthy, open-minded adult, like to look at videos featuring ladies without pants sitting on cakes at YouPorn.com. Let’s also suppose that a friend asks to borrow your computer for a moment to see a funny cat video at YouTube.com. As your friend types in the letters for “YouTube.com” in the address bar, this happens:

This sort of browser-assisted embarrassment takes place more often than you might think. I’ve seen it happen firsthand, and it’s done everything from causing a little red-facedness to actually thwarting romantic possibilities. And you thought computers were supposed to make our lives easier!

The IE8 solution, InPrivate Browsing, is accessible through the Safety menu (shown below) or through the control-shift-P key combo:

This opens up a new, separate browser window for InPrivate Browsing, which does not keep “breadcrumbs” like history, cache data, cookies and so on. The address bar for InPrivate Browsing windows has the InPrivate logo as a visual cue that this particular session won’t leave a trail that will embarrass you or give away your secrets:

Maybe it’s me, but I think the “InPrivate” graphic in the address bar is a bit too subtle. Then again, a more obvious visual indicator (say, giving the InPrivate browser window a different color) might be an invitation to shoulder-surf.

Hey man, I had to see if it works, right?

I swear, I had to poke about the site a little bit in order to test if my History was being saved. It’s all in the name of application testing!

After a little “research”, I closed not just the InPrivate Browsing window, but the whole browser, then started it up again. Then I proceeded to type “You” into the address bar. Under normal circumstances, my YouPorn.com history would be there for all to see. But it wasn’t!

For those of you who need to clear the cache, cookies, history or other data for any reason, there’s also the Delete Browsing History item in the Safety menu:

And it provides a number of deletion options:

And there you have it: a quick tour of IE8′s much-snickered-about “Porn Mode”.

Keep watching the blog for more posts about IE8 as I use it more and cover its features. Perhaps I’ll cover the development tools next.

Steve Friedl has a number of excellent technical explanations on his site, and his latest one, An Illustrated Guide to the Kaminsky DNS Vulnerability, is a masterpiece that does a fine job of explaining the DNS vulnerability that Dan Kaminsky found.

The article Casual Cryptography for Web Developers is probably the nicest, most concise explanation of some of the important crypto principles and practices that web developers will need. Whether you are new to web development, need a refresher or are just curious about the fundamentals, this is one of the best starter articles I’ve seen.

Here’s a list of CERT’s Top 10 Secure Coding Practices. It comes with two bonus secure coding practices (making it an even dozen) and better still, a funny photo that shows that it’s often easier to circumvent rather than defeat security measures.

If you’re interested in security and in the Toronto area on November 20 and 21st, the SecTor conference might be for you. Eldon Sprickerhoff tells me that it’s organized by TASK (Toronto Area Security Klatch). Although it’s a local grassroots effort, I’m told that they’ve corralled “a great group of speakers – basically, some of the best speakers from security conferences around the world” to speak at this event.

SecTor takes place on Tuesday, November 20th and Wednesday, November 21st and takes place at the Metro Toronto Convention Centre. Registration is CDN$950, and if you use the promo code “ESENTIRE”, you’ll get a 10% discount.

By now, you’ve probably heard that for a brief period, a server configuration error caused some Facebook users to see its PHP code rather than the familiar Facebook pages that the code was supposed to render.

How the Code Got Out There

Tony Hung at Deep Jive Interests asked the question “Could a server misconfiguration send out the whole source code in its entirety when you put in the Facebook URL?”

It seems strange that such a simple thing could give away your source, but as anyone who’s set up PHP on a server a number of times will tell you, it can happen.

When you visit a static HTML page — that’s a plain old HTML page that wasn’t generated by some server-side script written in PHP or any number of programming languages — the web server simply hands over the contents of the page (the HTML) over to your browser. Your browser renders the HTML as a web page:

The opposite of a static page is a dynamic one, in which the content is generated on the fly — the server isn’t just handing over the contents of a file. Instead, it calls on some program to cull data from one or more sources and then use that data to assemble some HTML which is then sent to your computer:

What happens when the server is configured incorrectly in such a way that the code for a dynamic page never gets sent through the code interpreter? One common result is that the code gets sent directly to the user. Instead of seeing the result of running the code, the user ends up seeing the code itself. That’s what seems to have happened with Facebook.

Based on a ten-page (!) confession by a former Geek Squad member in which he wrote that Geek Squad agents scour your computer for those porn and personal pictures and videos and copy them onto their thumb drives, Consumerist set up a string operation in which they rigged a computer to record all user activity and brought it in to a number of Best Buy stores to have Geek Squad install iTunes on it.

They report:

We took it to around a dozen Best Buy Geek Squads and asked them to perform simple tasks, like installing iTunes. Most places were fine, sometimes doing the job right on the counter, sometimes even for free.

Then we caught one well-seasoned Geek Squad Agent copying personal and pornographic images and video from our computer to his company-issued thumb drive.

Click here to see their blog entry and (work-safe) video, and be sure to read these follow-up articles:

• Why We’re Not Telling Geek Squad CEO Which Agent Stole The Porn
• How To Make Your Computer Catch People Stealing Your Porn

There remains one question that I’m sure a lot of guys are asking: Where’d they get that desktop wallpaper image, and could they please share it?