Saturday, June 27, 2009

Microsoft fallacious IE8 campaign

Is the browser market so opaque and obscure to non-technical people that Microsoft thinks it can fool them with a simple table?

To summarize the history, Microsoft once had a monopoly in web browsers because the software shipped with their operating system, Windows, which is ubiquitous. They then rested on their laurels for a while (roughly from the end of the nineties to 2006) and lost part of their market share to more secure, faster, more flexible browsers, such as Mozilla's Firefox. They finally reacted and released Internet Explorer 7 and Internet Explorer 8, fixing a lot, but, in many eyes, not climbing to the level of quality of their rivals.

And now, they try to get their market share back through a marketing campaign, with an awfully simplified and fallacious comparison table.

Now, let's return to normal. Below is their table, with my remarks or modifications in orange.

I do not comment on Chrome, because I have used it too little.

Columns of the original table: Internet Explorer 8, Firefox 3.0, Google Chrome 2.0, Comments.

Security
Microsoft: Internet Explorer 8 takes the cake with better phishing and malware protection, as well as protection from emerging threats.
My remark: Anyone can say that. But because of the tight integration between the operating system and the browser, Internet Explorer puts the system at greater risk from malware.

Vulnerabilities
My remark: The time to fix vulnerabilities once they are public is the shortest in Firefox. Internet Explorer has the worst record of critical vulnerabilities, some of them not patched until long after they are public.

Privacy
Microsoft: InPrivate Browsing and InPrivate Filtering help Internet Explorer 8 claim privacy victory.

Ease of Use
Microsoft: Features like Accelerators, Web Slices and Visual Search Suggestions make Internet Explorer 8 easiest to use.
My remark: Some might say it's a question of taste. I feel that Internet Explorer is rigid while Firefox is flexible.

Web Standards
Microsoft: Firefox and Chrome have more support for emerging standards like HTML5 and CSS3, but Internet Explorer 8 invested heavily in having world-class, consistent support for the entire CSS2.1 specification.
My remark: I don't deny Microsoft made big improvements, but almost any web developer still frowns at the very name of Internet Explorer. Yet, they did improve.

Developer Tools
Microsoft: Internet Explorer 8 has the most comprehensive developer tools built in, including HTML, CSS and JavaScript editing, but also JavaScript profiling; other browsers have developer tools available, but either require you to download them separately, or aren't as complete.
My remark: You could also argue that the simplicity of XUL, Firefox's development language, is one reason it's been such a success.

Reliability
Microsoft: Only Internet Explorer 8 has both tab isolation and crash recovery features; Firefox and Chrome have one or the other.
My remark: Only Internet Explorer crashes when too many pages are open at the same time.

Customizability
Microsoft: Sure, Firefox may win in sheer number of add-ons, but many of the customizations you'd want to download for Firefox are already a part of Internet Explorer 8 – right out of the box.
My remark: I have never found, for Internet Explorer, an exact equivalent of what I use in Firefox.

Compatibility
Microsoft: Internet Explorer 8 is more compatible with more sites on the Internet than any other browser.
My remark: That's certainly true, because of Microsoft's long record of purposeful incompatibility, which in the past encouraged developers not to develop for other browsers. However, I do not know a single site that I use today that is not compatible with Firefox.

Manageability
Microsoft: Neither Firefox nor Chrome provide guidance or enterprise tools.
My remark: That's not true. With the tools provided by Frontmotion, you can achieve similar manageability (for instance, centrally from an Active Directory server), and I would say you get finer control over what is managed.

Performance
Microsoft: Knowing the top speed of a car doesn't tell you how fast you can drive in rush hour. To actually see the difference in page loads between all three browsers, you need slow-motion video. This one's also a tie.
My remark: Every recent benchmark shows Internet Explorer as the slowest of all browsers.



I was not the only one to notice that :-)
Some comments are worth reading.

EDIT 06/29/2009:
They're going to some extremes with their marketing... in my native region, they advertise on pizza boxes, and also have a look at this one in the US:
http://www.browserforthebetter.com/index-htm.html#getie8:6qmoqjtZ9pH

EDIT 07/28/2009:
I have found some pictures of those IE pizza boxes here and here.

Friday, June 26, 2009

Raw unrefined suggestion about firewall rules

Now that we see attacks from inside intranets, using zombie networks, I think it could be a good idea to turn on the firewall on each machine in the network (including on Windows workstations, which I know is sometimes a problem) and to set up a detailed set of rules for them.

My problem was: how to figure out the rules for such a complex problem, with so many machines?
My suggestion: why not propose a standard for a single file giving the allow rules necessary for a piece of software to operate?

One file per application, shipped with the application, describing everything that needs to be open for the application to work. The file would not describe what set of rules to put on which firewall, but simply what needs to be open.

If we have a look at the TCP/IP layers
[Figure: TCP/IP layers. This picture is from Wikipedia, under the GFDL license.]
we see that simple firewalls operate on the Internet and Transport layers. Modern firewalls and proxies also operate on the Application layer.
I guess a simple XML dialect could be created to describe which things need to be let in and out, on which layer. If this gets standardized or at least RFC'ed, there is a good chance of seeing open source software adopt it, both on the application and on the firewall sides. In which case, since open source has the biggest market share in infrastructure, others should follow.
(All that raw and unrefined.)
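To make the suggestion concrete, here is an added example (mine, not part of the original post, which proposes such a dialect without defining one). The <application>/<need> XML schema, the fictional "example-webserver" and its ports are all assumptions constructed for the example. The application ships the manifest saying what must be open; the firewall side (here a generator of iptables ACCEPT rules in iptables-save syntax) validates it and decides how to apply it, while the default policy, connection tracking and anything else stay the administrator's choice.

```python
"""Added example: parse a hypothetical per-application 'what needs to be open'
manifest and turn it into host-firewall allow rules (iptables-save syntax)."""
import xml.etree.ElementTree as ET

# Constructed sample manifest for a fictional web server. The <need> dialect
# is an assumption made for this example, not a published standard.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<application name="example-webserver" version="1.0">
  <need layer="transport" direction="in" proto="tcp" port="443" purpose="HTTPS service"/>
  <need layer="transport" direction="in" proto="tcp" port="80" purpose="HTTP redirect to HTTPS"/>
  <need layer="transport" direction="out" proto="tcp" port="5432" host="10.0.5.20" purpose="PostgreSQL backend"/>
  <need layer="transport" direction="out" proto="udp" port="53" purpose="DNS resolution"/>
</application>
"""

VALID_LAYERS = {"transport"}       # "internet" / "application" could be added as the dialect grows
VALID_DIRECTIONS = {"in", "out"}
VALID_PROTOS = {"tcp", "udp"}


def validate_need(need):
    """The firewall side must not trust a shipped file blindly: reject anything
    outside the small vocabulary it knows how to enforce."""
    if need["layer"] not in VALID_LAYERS:
        raise ValueError("unsupported layer: %r" % need["layer"])
    if need["direction"] not in VALID_DIRECTIONS:
        raise ValueError("direction must be 'in' or 'out'")
    if need["proto"] not in VALID_PROTOS:
        raise ValueError("unsupported protocol: %r" % need["proto"])
    if not 1 <= need["port"] <= 65535:
        raise ValueError("port out of range: %d" % need["port"])


def parse_manifest(xml_text):
    """Return (application name, list of validated needs) from manifest text."""
    root = ET.fromstring(xml_text)
    if root.tag != "application" or not root.get("name"):
        raise ValueError("manifest root must be <application name=...>")
    needs = []
    for el in root.findall("need"):
        need = {
            "layer": el.get("layer", ""),
            "direction": el.get("direction", ""),
            "proto": el.get("proto", ""),
            "port": int(el.get("port", "0")),   # non-numeric port raises ValueError here
            "host": el.get("host"),             # optional peer restriction (IP or CIDR)
            "purpose": el.get("purpose", ""),
        }
        validate_need(need)
        needs.append(need)
    return root.get("name"), needs


def to_iptables(app_name, needs):
    """Translate needs into iptables ACCEPT rules. Default DROP policy and
    conntrack rules for replies are deliberately left to the administrator."""
    rules = []
    for n in needs:
        chain, peer_flag = ("INPUT", "-s") if n["direction"] == "in" else ("OUTPUT", "-d")
        rule = "-A %s -p %s --dport %d" % (chain, n["proto"], n["port"])
        if n["host"]:
            rule += " %s %s" % (peer_flag, n["host"])
        # The comment match keeps the 'why' next to each rule when auditing the ruleset.
        rule += ' -m comment --comment "%s: %s" -j ACCEPT' % (app_name, n["purpose"])
        rules.append(rule)
    return rules


if __name__ == "__main__":
    name, needs = parse_manifest(SAMPLE_MANIFEST)
    print("# rules derived from the manifest of", name)
    for r in to_iptables(name, needs):
        print(r)
```

The manifest stays declarative (port, direction, protocol, purpose) and the generator is where a site's own policy goes: an administrator who does not allow outbound database traffic from that host simply refuses to emit the OUTPUT rules.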

SEO game - Jeu référencement SEO

This article relates to a website only available in French. If you can't read French, sorry, this time I will not translate its many pages into English. The rest of this post was written in French.

A French-language game about SEO (search engine optimisation: improving a site's position in the results of a search engine, typically Google) has just started at www.jeu-referencement.com. It consists of 15 small challenges to pass, each using a technique related to SEO. I will give you only two hints:
  • If you hit a 404 error, it means you must keep searching, not give up.
  • Challenge 14 is buggy with some software configurations, so don't hesitate to force it in every possible way; it's the result that counts.
It took me about a day to finish the 15 challenges (not 24 hours straight glued to the screen! just a few hours, actually). And I am quite pleased: I learned a few things I didn't know.

Tribute to Fravia

I learnt yesterday that Fravia has died. He was a talented hacker and a jack-of-all-trades in IT, almost a master-of-all-trades I should say. He administered a site referencing a lot of resources for people to learn about computers, software and information systems. There you could find learning material from the beginner's tutorial to the master's last discovery.

I learnt a lot thanks to Fravia. I was studying on resources from his site when I first disassembled a binary piece of software to shift its behaviour, almost thirteen years ago. I found my way through WinDASM or SoftICE by following tutorials from his site.

I owe Fravia a lot and, though I never met him in person, I will not forget him. His site is still up; alas, I can only hope it will be continued, there is no certainty.

[Image: Fravia's logo]

Monday, June 22, 2009

Geekonomics - Incentives for the States NOT to invest in opensource

Third of the series of articles inspired by David Rice's Geekonomics. This article is not directly related to matters from the book, yet I got the idea while reading it.

FLOSS = Free/Libre Open Source Software (as abbreviated by the European Union)

If you're like me and enjoy, use and promote FLOSS, you might be wondering why some States do not favour FLOSS in the public infrastructure.

Well, they do use FLOSS, as a matter of fact, because you can't build a whole infrastructure made only of proprietary software and if you tried, it would be extremely expensive [and potentially disastrous for compatibility issues]. So, you might be wondering why some States do not favour FLOSS more than they do, in the public infrastructure.

So far as I can understand it, most States are running a race to be in the first positions of wealth, military strength and fame. Things can be different for the top one, which would only want not to lose its rank. And things can be different for the bottom ones, who simply have too many matters to address before they will concentrate on a worldwide competition.

So, let's assume we speak about the countries in the top thirty of this world, except the very first ones. This group is made of countries like France, Italy, Germany, Russia, Brazil, India, South Africa... Why do these countries not publicly favour FLOSS more than they do?

To favour it more, they could:
  • Ask for documented, free-to-implement data formats. This way, wars fought by software makers through purposeful incompatibility would be avoided.
  • Ask for more FLOSS inside all public agencies.
  • Ask for more education in FLOSS in the public education system.
  • Invest directly into FLOSS development, or make a policy that some public developments will be made FLOSS after some time.
All this would favour FLOSS, but all this would not necessarily favour the race of the State to wealth, military strength and fame. It would, of course, improve wealth, military strength and fame. But my point is: FLOSS does not improve the rank of a State in the international competition, because every improvement is available to all competitors as well.

  • By asking for documented, open, data formats, or by asking for FLOSS inside public agencies, the State would agree to spend money on a shift, that would probably be beneficial, yes, but the economic developments involved (more developers, maintenance contracts, etc) could be beneficial to people or companies located anywhere on Earth, because of the very nature of FLOSS. On the contrary, when a State signs with a precise, well-known, software maker, it knows where the profits will go.
  • By asking for more education geared toward FLOSS, a State agrees to turn its youth to an uncertain future. While the future is obviously uncertain, there is more certainty in teaching the youth how to use what's majority and paying than in teaching them what's still minority and looks like not-so-well rewarding. So, short-sighted politicians might see education in FLOSS as a bad investment for youth.
  • By investing into FLOSS developments, the State agrees to spend money on its own, while the fruit of this investment can be eaten by all. In a competition, it's bad invested money. It is more interesting, as a State, to invest in a proprietary development by a local company and see the licenses be paid by other countries.
All of these seem good reasons for a politician not to favour FLOSS when they seemingly could. Of course, in the long run, that's detrimental to us all :-(

Geekonomics - Criticism of Chapter 6 on opensource software

Second of the series of articles inspired by David Rice's Geekonomics.

I am not totally satisfied with David Rice's take on opensource software in his Chapter 6: Open Source Software: Free, But at What Cost?

While he definitely has good points as a whole, and while I see his description of some of the hidden defects of opensource projects as accurate, I am sad that he forgets to mention the really big companies taking part in opensource development. Companies like IBM, Sun (now Oracle) or Apple all do some opensource development, and you cannot say that they act as beginners or non-professionals in their development methodologies.

And I am also a little surprised to see that the author compares opensource development projects to an "idealized" proprietary development project. For instance, he says it is possible that a part of an opensource software will go unmaintained because of a lack of interested people and forgets to say that even in big proprietary developments, such things also happen, because of mediocre management or because of periods of deep stress.

I would say that Chapter 6 holds some good points, but my conclusions would be:
  • Opensource software is not a radical change from proprietary software in the methodologies.
  • Opensource software is not radically more secure or of better quality than proprietary software by essence.
  • The "given enough eyeballs, all bugs are shallow" argument is valid, and those opensource software which have a high number of both users and developers actually get an improvement of their quality and security.

Geekonomics - Incentives for the States NOT to fix software quality problems

First of the series of articles inspired by David Rice's Geekonomics.

As an introduction I would like to give two figures from the first chapters of the book.
  • An estimate of the US losses coming from software failures (both quality or security) at the scale of the whole country: $180 bn a year. (yes billion, not million)
  • Deaths occur from software failures, multiple times per year, even if they are not [yet] numerous enough to make statistics.

David Rice's point
In the beginning of the book, David Rice argues that software developers have no incentive to do better work. In chapter 5, Absolute Immunity: You Couldn't Sue Us Even If You Wanted To, David Rice shows that the US government is doing nothing against software failures. On the contrary, the US gov gives developers free rein and no liability of any kind should they get sued over damages resulting from the use of their software.

And he offers a short explanation: the US system waits for citizens to become plaintiffs and sue software developers before any public authority will react. He quotes the typical reaction you would get if you tried to make a law about software quality, through Ronald Reagan's words:
Government is not the solution, government is the problem.

My point
I quite agree with the author on the observation. The US gov does nothing, or goes against any initiative geared towards better software. But I don't agree with the far too simple explanation he gives. I guess a $180 bn issue would get a law if there were no incentives for not making a law. And I can see three reasons a country like the US wouldn't want to improve software quality.

  1. "Don't worry, be crappy". This maxim by Guy Kawasaki summarizes well the way software companies approach the subject. They try to output something they can sell, whatever the quality. But this reasoning also goes for countries. Software is a global trade good, and a big software maker like the US doesn't want to slow down sales by making quality restrictions. If a law were passed, it would probably impact the economy of the country. The same goes for other developed countries.
    In the same train of thoughts, if a law were passed, maybe some development companies would offshore developments.
  2. We are still in an early phase of software deployment. Though it is recognized that a big company now has to do better IT rather than more IT, it is still important for many countries, including the US, to do more IT, even at the cost of not doing it better. I mean, a country like the US gets a competitive advantage from doing more IT, getting more automated stuff in its services, agencies, its companies, etc. and would "competitively speaking" lose time by concentrating on the improvement of quality and security.
  3. As is argued at length in the book, there is an underground market for security vulnerabilities. This market is run by underground hackers, but if the underground does it, there are good reasons to believe that the "official" intelligence services do the same. If so, it is quite possible that intelligence services from the typical countries such as the US, France, Israel, Russia or China (which are coincidentally the biggest software developers) have a strong interest in keeping a high number of undisclosed, unpatched vulnerabilities. They want to know the vulnerabilities themselves, be able to penetrate a lot of places, especially for industrial eavesdropping, and they absolutely do not want software makers to patch the vulnerabilities.
All of these seem better explanations to me for the lack of reaction of developed countries against bad software quality and security.

Sunday, June 21, 2009

Articles about Geekonomics to come

Following the return of my copy of Geekonomics: The Real Cost of Insecure Software, by David Rice, I am in the process of writing a few articles about the ideas from the book.

Go read the book if you're interested in understanding the phenomena around and beneath software insecurity and bad quality.

Since I do not want to plunder the author's content by making a detailed summary or quoting the most interesting excerpts, I am selecting a few subjects and trying to explore them a little further than the book does. Which will be very hard, since I have neither the investigation sources that Rice may have had, nor his patience, skills and experience. In short: I will give some opinions from my understanding of matters in or around the book.

Friday, June 19, 2009

Friday liberty blogging - Assaults on the neutrality of the network

The Internet as we know it: a place almost free of control, with sites rewarded by an audience proportional to their qualities, with good anonymity protecting political dissidents, this place is under heavy fire from governments and ISPs.
While we might have thought this kind of attack would come from very liberty-killing countries such as China or Iran, they are now in the headlines even in the most liberal countries such as France or Germany. To give just a few examples:
  • In France, using the fight against illegal downloaders of music and movies as a pretext, the government is trying to install spyware on all citizens' computers.
  • In Germany, using the fight against child pornography as a pretext, the government has a law passed for a censorship policy, and starts building an architecture able to filter the web's content.
  • In England, judges rule that there should be no anonymity for authors of texts made public on the Internet.
  • In England, an ISP starts using bandwidth modulation to discriminate against sites helping its competitors' businesses.
As far as I know, most of my readers are probably aware of some of these problems. So, instead of commenting on each of these assaults separately, I decided that from now on I would keep a list up-to-date gathering all articles that I would read about this matter. Most should be in English, yet there could be articles in any of the languages I can speak (French, German, Romanian and variants).
The web page of the list is at this address.
You can also find an RSS feed at that address.
I support individual rights

Wednesday, June 10, 2009

Small yet eternal lesson from a successful SQL injection attack

I just conducted a penetration attempt on behalf of a site's owner. The site is the kind you use for home-grown, non-critical matters. I wanted to try SQL injection first, because since I read Security Warrior, by Cyrus Peikari and Anton Chuvakin, I felt a kind of inner vacuum for never having done it. Here is how I proceeded:

My goal was to change an existing piece of data on the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.
  • From that, I deduced it worked with a database.
Looking at a targetable data, one that I would want to target and mark as "hacked", I saw that the URL contained a GET parameter ?id=20
  • From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".
Looking at the main connection page to the site, I saw another GET parameter in which I tried to input a single quote. The server answered me with an error message including the path to a library file, with the extension .php, with an identifiable name. I typed that name into a Google box and found it was a fairly well known free software underlying library.
  • From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.
I used the normal way to create an element inside the software of the same kind as that of the element I wanted to change. Then I went to the modification page for this element and gave a single quote in one of the text field values of the element. The server returned me an error message with the faulty SQL request.
  • From this I learnt the names of the table and some of its fields inside the database.
  • From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
  • From there, I guessed it would be a piece of cake :-)
I crafted a request using id='20', the value of the targeted element, instead of that of my legitimately owned element. I looked on the Internet to find that the comment marker for MySQL was hyphen-hyphen-space and not hyphen-hyphen. And I changed the name field of the attacked element from "dummy title" to "dummy title hacked". And I pressed the button and everything went well. I then used the normal way to visualize data and found the victim element to be called "dummy title hacked".

So, from all that, I conclude that it's important to hide programmers' data from the user's eyes. In particular, GET parameters should not be used thoughtlessly, and error messages from the server or middleware should not be displayed to the user. A good polite "We encountered an internal error." is fair enough.

So, next time the webserver's admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_ gmail.com
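The same scenario from the developer's side, as an added example that is not part of the original post: the update handler as it failed (input pasted into the SQL text, so a single quote breaks the statement and the database error leaks table and column names), next to the two fixes the post arrives at, a parameterised statement plus an ownership check, and a handler that logs the real error while showing the user only a generic message. SQLite stands in for the site's MySQL database (an assumption), and the table, the "victim"/"tester" owners and rows 20 and 21 are constructed for the example.

```python
"""Added example: vulnerable versus hardened 'update item' handler."""
import logging
import sqlite3

log = logging.getLogger("items")


def make_db():
    """In-memory table mimicking the post's scenario: row 20 belongs to someone
    else, row 21 is the item the tester legitimately created."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(20, "victim", "dummy title"), (21, "tester", "my item")])
    conn.commit()
    return conn


def update_title_vulnerable(conn, item_id, owner, title):
    """The pattern that failed in the post: user input pasted into the SQL text.
    A single quote in 'title' breaks the statement; if the resulting database
    error reaches the browser, it reveals the faulty query, table and columns."""
    sql = "UPDATE items SET title='%s' WHERE id='%s' AND owner='%s'" % (title, item_id, owner)
    conn.execute(sql)
    conn.commit()


def update_title_safe(conn, item_id, owner, title):
    """Parameterised statement: values travel separately from the SQL text, so
    quotes and comment markers in 'title' are stored literally. The owner
    check also stops a user from rewriting someone else's row by editing id."""
    cur = conn.execute("UPDATE items SET title=? WHERE id=? AND owner=?", (title, item_id, owner))
    conn.commit()
    return cur.rowcount


def handle_update(conn, raw_id, owner, title):
    """Web-handler style wrapper: validate the GET parameter, keep database
    errors in the server log, and show the user only a generic message."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return "Bad request."
    try:
        changed = update_title_safe(conn, item_id, owner, title)
    except sqlite3.Error:
        log.exception("update of item %s by %s failed", item_id, owner)
        return "We encountered an internal error."
    return "Updated." if changed else "No such item."


def title_of(conn, item_id):
    return conn.execute("SELECT title FROM items WHERE id=?", (item_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(handle_update(db, "21", "tester", "it's my item"))   # quote stored literally
    print(handle_update(db, "20", "tester", "dummy title hacked"))  # not the owner: no change
    print(title_of(db, 20))
```

The two checks are independent: the parameterised statement stops the quote-based injection, and the ownership condition in the WHERE clause stops the simpler attack of just changing the id in the URL, which needed no injection at all.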

Tuesday, June 9, 2009

Larry Page's law also for mobile phones and gaming consoles?

Larry Page once said he thought that "software gets twice as slow every 18 months". This became known as Page's law, and I suddenly wondered whether the same was not true of mobile phone content and gaming consoles when I had to change my cellphone.

I asked a cousin working in the field of mobile phones and he gave me a spare good old Nokia 1600, saying it's one of the you-can't-find-them-anymore-nor-anything-as-good.

When I first turned it on, I was overwhelmed by a feeling of quiet efficiency. It doesn't do MMS, doesn't take pictures, doesn't let you surf the web, but damn it! it's fast. Indeed, I just don't notice that I am using a cellphone at all. It's become plain transparent. Take your directory entry, push the button and that's all. A plain good old feeling of fire-and-forget.

And it reminded me how frustrated I got when friends invited me to play the new Street Fighter game on an Xbox 360. It's beautiful, it respects the design principles of the series, yet it's nowhere near the same fun as the old ones on the SNES.

I'd seem bitter if I concluded with a law like "every software or platform evolves to the point where usability suffers a lot from the number of functions, then evolves to the point where it's not usable at all anymore" or another Zawinski-like law, yet I see no other conclusion.

PS: thx, couz'

ITsec in healthcare - ISO 27799

I recently ordered a copy of ISO 27799 "Information security management in health using ISO/IEC 27002" because I was curious about its content and I had applied for some positions in health organisations. I am fully happy with it and I'll tell you why: it goes further than the ISO 27001 and 27002 norms, but it also gives examples and diagrams around these norms. So, I think it would be a good read even for someone outside the field of healthcare.

Let me summarize it my own way. The main parts, as I would divide it:
  1. Introduction on healthcare
  2. Lexicon of concepts around ITsec and around healthcare
  3. What's specific in the ITsec of healthcare?
  4. An action plan for an ISMS "How to be concrete [and successful] in ISO 27001?"
  5. A review of ISO 27002 control points and what's specific for them in healthcare.
With that little summary done, here are my reading notes on what's so specific about healthcare:
  • Because hospitals and clinics are open places, because of mobility constraints, and because medical hardware is expensive, there is a high risk in threats related to physical security of the IS.
  • There is a very low level of homogeneity both in hardware and in practices for using the hardware.
  • There is a devoted and experienced staff, both in IT and in medicine, making insider threats lower and making cooperation easier between IT and non-IT people.
  • As a good health diagnosis includes various types of data about the patient, the databases about patients are huge and thus, an extremely valuable target.
  • Because of the broad interdependency of functions, necessary for the good handling of health issues and making the IS and IT processes extremely complex, it's almost impossible to consider a security initiative on the whole of the IS at once. Or at least it's impossible to have it succeed.
  • Thus, defining sensible domains of application for a security initiative is needed. Examples are given of adequate sizes for domains of application:
    • 2 or 3 remote sites
    • 50 employees
    • 10 processes
  • Because of the importance of health itself and that of the public's opinion, cost in money of a project is rarely the first decision factor.
(I can't wait to get started.)