Security

My Afternoon at MeshU

by Joey deVilla on April 11, 2009

This article also appears in Canadian Developer Connection.

I caught the afternoon sessions of MeshU, the day of workshops that precedes the Mesh Conference. MeshU had three tracks – Design, Development and Management – and I chose to attend the sessions in the Development track.

Leigh Honeywell at her presentation at MeshU

Leigh Honeywell on Writing Secure Software

First up was HackLabTO cofounder Leigh Honeywell, (pictured on the right) whose presentation was titled Break It to Make It: Writing (More) Secure Software. She works at the MessageLabs subsidiary of Symantec, which makes security products for email systems, and before that, she worked as an independent security consultant. Simply put, security is both her job and her hobby.

Leigh provided an informative and entertaining summary of the most common security vulnerabilities in applications and the recommended best practices for writing secure apps. Here’s a photo of her slide showing OWASP’s ten principles that you should follow in order to write secure applications:

"10 Principles" slide from Leigh Honeywell's security presentation at MeshU 2009

The ten principles are:

    1. Minimize attack surface area
    2. Establish secure defaults
    3. Least privilege
    4. Defense in depth
    5. Fail securely
    6. Don’t trust services
    7. Separation of duties
    8. Avoid security through obscurity
    9. Keep security simple
    10. Fix security issues correctly

She also covered what OWASP considers to be the current top ten vulnerabilities:

    1. Cross-site scripting
    2. Injection flaws
    3. Malicious file execution
    4. Insecure direct object references
    5. Cross-site request forgeries
    6. Information leakage / improper error handling
    7. Broken authentication and improper error handling
    8. Insecure cryptographic storage
    9. Insecure communciations
    10. Failure to restrict URL access

writing_secure_code

At the end of her presentation, Leigh listed a couple of books that she considered to be valuable security references. One of them was Writing Secure Code, Second Edition, written by Michael Howard and Steve Lipner and published by Microsoft Press.

This was a surprise to many people in the audience, the majority of whom were not building apps on Microsoft technologies and generally (and often mistakenly) think of the term “Microsoft” being synonymous with “insecure”. A number of people chatted with me after the presentation and it seemed like this was one of many things from Microsoft that caught them by surprise, along with other unexpected things including the MS-PL license, CodePlex and the Open Source Lab, the new emphasis on standards and interoperability…and hey, even taking on “unlikely” evangelists such as David Crow and me.

Here’s her slide deck:

Pete Forde Does the iPhone Dance

Next was Pete Forde, one of people behind the development shop Unspace and the RubyFringe and FutureRuby conferences. He started his presentation, Is That an iPhone in Your Pocket, or are You Just Happy to See Me?, with a Napoleon Dynamite-esque dance number set to the tune of Start the Riot by Atari Teenage Riot. Here’s the video of the dance that Leigh Honeywell shot:

And here’s the video that I shot:

Pete’s presentation covered the options that developers have when building iPhone apps. For the curious, here’s the deck he used:

The one thing that he wanted you to take away from his presentation is, in his own words:

Consider iPhone web applications and side-stepping the iTunes Application Store (and their 30% gross cut) completely.

The one thing that I took away from the presentation (in addition to the one above) was that it’s not all smiles and sunshine in iPhone development land. Yes, the iPhone provides an excellent user experience and the App Store has been a hit with the customers and many developers. However, a good chunk of Pete’s presentation was about how some of the biggest obstacles for iPhone developers come from Apple itself; I’ve heard that there were similar grumblings at an iPhone developer meetup that took place later in the week. I think that there are some things that Windows Mobile developers (and the Windows Mobile team at Microsoft) can learn from these obstacles, and I’m going to write about them in a later article.

Chris Wanstrath and the Story of GitHub

Chris Wanstrath The final presentation of the afternoon, Building a Business with Open Source, was given by Chris Wanstrath of GitHub, a hosting service for software repositories created with the Git distributed version control system. There are a number of open source projects hosted on GitHub, including one you might not expect: Microsoft’s very own IronRuby.

Chris explained that GitHub was an answer to a problem that he and his friends had: they were working on a number of open source projects, so many that managing them was “beginning to wear them down”. GitHub was created as a solution to that problem: it took care of the tedious parts of source code management so that they could focus on their code.

Although GitHub hosts a number of open source projects and uses Git, which is open source, it is not open source. Chris explained that managing an open source project takes up more time that he or the others on the team have. “Ironically,” he said, “starting GitHub has given me less time to work on open source.” After hinting at his dissatisfaction with the GNU General Public License, an audience member asked "Does the GPL cause you nightmares?"

“Yes,” he replied, after which he endorsed his preferred open source license. “MIT license all the way,” he said.

Octocat, GitHub's mascot To promote GitHub, they took an approach that was closer in spirit to evangelism than standard marketing. “Companies still believe in old-school advertising, and they also think that what works offline works online,” he said. So they rely on the standard offline methods of promoting their wares: advertisements and marketing campaigns. In the online world, people trust their peers, so they opted for an approach that he called “guerilla marketing”: instead of spending money on ads, they spent money to hang out with developers, buy them beer and pizza and provide “a human face” to GitHub. He summed up the approach with a good one-liner: “Who knew that actually spending time with your customers would be good for business?" A great point, especially in today’s word-of-mouth-y, interconnected world.

{ 1 comment }

Windows Exploits Come from Third-Party Apps

by Joey deVilla on November 3, 2008

According to Microsoft’s Security Intelligence Report (SIR), malware writers aren’t targeting Vista directly; they’re using holes in third-party apps to attack people’s systems instead. Microsoft’s data agrees with that of independent anti-malware company Kapersky Lab: while direct attacks on XP account for almost half of its vulnerabilities, nearly all attacks on Vista are done by way of exploiting third-party software.

ZDNet’s article on the report includes these graphs comparing the top 10 browser-based vulnerabilities on Windows XP and Windows Vista:

Graph: Top 10 browser-based vulnerabilities in Windows XP -- half are Microsoft's fault.

Graph: Top ten browser-based vulnerabilities in Windows Vista -- all are third-party apps' fault.

One question that comes to mind: is it because Vista is more secure, or because attacking XP is a better approach because it represents a larger base of targets? I certainly don’t know the answer.

Another question that naturally arises from this is: How do you solve the problem of vulnerabilities through third-party apps? I’m a firm believer in Bruce Schneier’s maxim, “security is a process, not a product,” and think that the best approach is a multi-pronged one. The prong for which I’m responsible is educating developers about application security, and as I find out more about the Windows platform and security, I’ll write about it here on Global Nerdy as well as in some of Microsoft’s developer-focused sites.

Recommended Reading

{ 2 comments }

Sign of the Day

by Joey deVilla on October 18, 2008

Yes, you could simply secure your wireless access point, but the truly paranoid like to back it up with a sign:

"No parking near my house - Get your own wireless network"
Photo courtesy of ImagePoop.com

{ 1 comment }

The IE8 USB key in my computer

Last night, I attended a special sneak preview for Internet Explorer 8 Beta 2 organized by the folks at High Road Communications, who do the PR for Microsoft here in Toronto. Pete LePage, Product Manager of Internet Explorer Developer Division, did the presentation, and also present were Elliot Katz, Senior Product Manager for Microsoft Canada, Daniel Shapiro, Microsoft Canada’s Audience Manager, and my friend and fellow DemoCamp steward David Crow, Tech Evangelist for Microsoft Canada.

Let me get the disclosure part out of the way. Attending this event got me:

  • Free drinks and snacks during the presentation and a free dinner afterwards,
  • One Internet Explorer 8 gym water bottle with a tag inside it saying “BPA Free”,
  • and one 1GB USB key containing installers for IE8 (pictured in my laptop above) and the IE8 Evaluators’ Guide (a Word document that walks you through IE8’s features).

I’ve been to a couple of these Microsoft events before. The one about their “Windows Live” sites didn’t interest me at all, and the Vista one I attended was largely for people who did IT at companies with 1000 or more employees, which really isn’t my area of interest either (and the Vista preview installer they gave me resulted in disaster). This one was a considerably more interesting, as Pete put on a good presentation and it appears that Microsoft is making an effort to match the competing browsers.

Over the next little while, I’ll post articles covering my experiences as I take IE8 for a spin. In this article, I’ll mostly be talking about InPrivate Browsing, which is colloquially known as “Porn Mode”.

“Porn Mode”, a.k.a. “InPrivate Browsing”

The implementation of a browser session in which history, cache and other “trails of breadcrumbs” are deleted as soon as the session is over isn’t new: Apple’s Safari has a “Private Browsing” feature and there’s a Firefox extension that provides the same utility. However, for those not using Macs and especially those who aren’t the type to download and install Firefox and then install a plugin — and there are lots of these people out there — IE8 may be their first opportunity to try out such a feature.

Banking, Not Wanking

In his presentation, Pete was careful to take the “Banking, not wanking” approach when covering InPrivate Browsing, suggesting all sorts of non-saucy uses for the feature, including doing online banking, shopping for surprise presents for your spouse, surfing from a public terminal and so on. The Microsoft people present took my constant referring to it as “Porn Mode” in great stride, and I thank them for having a sense of humor about it.

The Problem

Convenience features like history, cache, automatic username and password field-filling are handy, but they sometimes have unintended consequences. For instance, suppose you, as a healthy, open-minded adult, like to look at videos featuring ladies without pants sitting on cakes at YouPorn.com. Let’s also suppose that a friend asks to borrow your computer for a moment to see a funny cat video at YouTube.com. As your friend types in the letters for “YouTube.com” in the address bar, this happens:

Screen capture: A user starts to type in "YouTube.com" and as "you" is formed, my "YouPorn.com" history appears.

This sort of browser-assisted embarrassment takes place more often than you might think. I’ve seen it happen firsthand, and it’s done everything from causing a little red-facedness to actually thwarting romantic possibilities. And you thought computers were supposed to make our lives easier!

The IE8 solution, InPrivate Browsing, is accessible through the Safety menu (shown below) or through the control-shift-P key combo:

Screen Shot: IE8's "Safety" menu, with "InPrivate Browsing" selected

This opens up a new, separate browser window for InPrivate Browsing, which does not keep “breadcrumbs” like history, cache data, cookies and so on. The address bar for InPrivate Browsing windows has the InPrivate logo as a visual cue that this particular session won’t leave a trail that will embarrass you or give away your secrets:

Screen Shot: A new "InPrivate Browsing" window appears

Maybe it’s me, but I think the “InPrivate” graphic in the address bar is a bit too subtle. Then again, a more obvious visual indicator (say, giving the InPrivate browser window a different color) might be an invitation to shoulder-surf.


Hey man, I had to see if it works, right?

Screen Shot: YouPorn's title page

I swear, I had to poke about the site a little bit in order to test if my History was being saved. It’s all in the name of application testing!

Screen Shot: Blurred-out YouPorn video page

After a little “research”, I closed not just the InPrivate Browsing window, but the whole browser, then started it up again. Then I proceeded to type “You” into the address bar. Under normal circumstances, my YouPorn.com history would be there for all to see. But it wasn’t!

Screen shot: None of my InPrivate browsing history shows up

For those of you who need to clear the cache, cookies, history or other data for any reason, there’s also the Delete Browsing History item in the Safety menu:

"Safety" menu with "Delete Browsing History" item selected

And it provides a number of deletion options:

The "Delete Browsing History" dialog box


And there you have it: a quick tour of IE8’s much-snickered-about “Porn Mode”.

Keep watching the blog for more posts about IE8 as I use it more and cover its features. Perhaps I’ll cover the development tools next.

{ 5 comments }

An Illustrated Guide to the Kaminsky DNS Vulnerability

by Joey deVilla on August 8, 2008

Diagram of Dan Kaminsky\'s explanation of how DNS can be \"poisoned\"

Steve Friedl has a number of excellent technical explanations on his site, and his latest one, An Illustrated Guide to the Kaminsky DNS Vulnerability, is a masterpiece that does a fine job of explaining the DNS vulnerability that Dan Kaminsky found.

{ 0 comments }

Casual Cryptography for Web Developers

by Joey deVilla on February 27, 2008

The article Casual Cryptography for Web Developers is probably the nicest, most concise explanation of some of the important crypto principles and practices that web developers will need. Whether you are new to web development, need a refresher or are just curious about the fundamentals, this is one of the best starter articles I’ve seen.

{ 0 comments }

Top 10 Secure Coding Practices

by Joey deVilla on January 4, 2008

Here’s a list of CERT’s Top 10 Secure Coding Practices. It comes with two bonus secure coding practices (making it an even dozen) and better still, a funny photo that shows that it’s often easier to circumvent rather than defeat security measures.

{ 0 comments }