I'm a Google Orphan – Epiphany

Sigh... I'm a Google orphan, that's the sad epiphany I had the other day.

• Google Reader is closing and no online application seemingly reaches the level. If you cross one, please let me know.
• With the fall of Google Reader, I'm really worried for the future of RSS feeds, which were a founding pillar of free communication on the internet.
• The need to share and sync files from anywhere made me try Google Drive. I clearly find that Drive is made to satisfy an all-Google user's need but not that of someone else. If all you want to use is Google applications and phones, then it's fine. But I'm not buying into that. Dropbox is far superior and even easier to use.
• Google Search isn't anymore a powerful tool. It finds the same results as other engines and I sometimes miss the old days of Altavista, where you could simply type the precise words you wanted and there was no kind of "intelligent" understanding of requests. Between the multiplying intrusions of states, copyright holders and commercial customers of Google services, the Google Search engine is really going into garbage and the user is the looser. And the "intelligent" handling of requests is frustrating me: I know what I want better than machines, stop correcting my orthograph, using synonyms, etc.!
• I'm satisfied with my Android phone as a tool for mobility. E-mail, SMS, web have never been so easy. But I'm appalled when I see the new ads they broadcast on every major TV channel: they show it as something funky, graphical, fashionable... it's not! and I don't want it to be.

So I'm a Google orphan.
Google – as I saw it – is dead. Or, at least, an era is over... and Google now resembles Microsoft 10 years ago.

Is Android the New IBM PC Compatible?

(translated from the French article) 

Above is a map giving the date when, for the first time, country by country, web searches related to Android have exceeded those related to iPhones and iPads. The color key is on the left.
Grey means that it hasn't happened yet. White means there was not enough data (approx. 2% of world population).

For information, I made this map with The GIMP, based on graphs from Google Trends comparing the number of web searches containing the names of the various Android smartphones and tablets, iPhones and iPads. The map background is from www.histgeo.ac-aix-marseille.fr. All demographic data used below is from the CIA Fact Book.

First, some facts:

1. The trend is worldwide. It's not yet over but actually present everywhere: searches about Android do exceed those about Apple smartphones, showing a greater interest in the products based on the Google environment.
2. The date when the Google trend exceeds the Apple trend is an interesting criterion to be put on a world map, because it's highlighting clear patterns.
3. In terms of compared populations, thus in terms of potential markets, this is a major trend, as is showing the demographic count below.

Census :

• early adopters of Android (yellow and red) : 22.4%
• happy followers (green) : 11.1%
• followers (blue) : 27.2%
• laggards (grey) : 37.2%
• no data (white) : 2.1%

I can identify the following patterns:

• Mid-developed countries are the first to adopt. Look on the map: Central Europe, India, Indonesia, South America.
• Then come the other developing countries, especially Africa and former USSR.
• Developed countries are the laggards. West Europe, United States, South Africa, Japan, Australia.

With notable exceptions:

• Why is Germany among early adopters ? I think that the current actual economic success of Germany resides in its industrial relations with Central Europe. Such relations make that the interests are common and web searches follow.
• Same for France, dragging Morocco, Algeria and Tunisia towards Apple.
• Same for South America dragging Spain and Portugal towards Android.
• The following countries would need further explanations that I cannot provide: China, Myanmar, Thailand, Cambodia, Laos, Vietnam. I don't have the necessary knowledge about this region to make assumptions. I think that the reasons why China is late and the impacts of it would merit a whole article by themselves.

Starting from the following hypotheses about Android's most attractive features:

• The relative freedom of its environment.
• The low cost of tablets.
• The diversity of makers and vendors, thanks to Google's policy about it.

I deduce the following:

• There is a real mass market to be taken by Google in new developing countries.
• It's developing countries best interest to push a company that allows reuse, adaptation, competition and enhancement, rather than conforming to closed Apple platforms (thinks about the markets created by the IBM compatible PC in 1981).
• The diversity of actors and thinking heads in developing countries will ensure that Android soon becomes a more diverse and useful ecosystem than that of iOS or even that of Windows on PC or even than anything we have known so far (here again, think about the growth of the PC).
• The direct earnings from making and selling this ecosystem, added to the indirect gains related to just using a better ecosystem, will broadly influence the economies of those early adopters countries and the best among them will probably overtake West countries in terms of technological progress (think of how the US profited from the PC boom).
• Central Europe is certainly the best place to invest industrially right now. early adopters + relatively low costs + stable democracies + known and mastered history and management culture + availability of experienced West Europe managers if needed + European infrastructures + neighbourhood of West European markets + proximity of Turkey for even lower cost of manufacture if required.

Android est-il le nouveau PC compatible IBM ?

Ci-dessus une carte donnant la date à laquelle, pour la première fois, pays par pays, les recherches web concernant Android ont dépassé celles concernant iPad et iPhones. Se reporter à la colonne de gauche pour la légende. En gris les pays pour lesquels ce n'est pas encore arrivé.
En blanc ceux pour lesquels je ne disposais pas de données suffisantes (environ 2% de la population mondiale).

Pour info, j'ai fabriqué cette carte avec The GIMP à partir de graphes Google Trends comparant le nombre des recherches web contenant les noms des différents téléphones Android, iPhone et iPad. Le fond de carte vient de www.histgeo.ac-aix-marseille.fr. Les démographies que je compare ci-dessous sont issues du CIA Fact Book.

En premier lieu, quelques faits :

1. La tendance est mondiale. Elle n'est pas encore achevée mais bel et bien présente partout : les recherches concernant Android dépassent celles concernant les smartphones Apple, montrant un intérêt supérieur pour les produits à base d'OS Google.
2. La date à laquelle la "tendance Google" dépasse la "tendance Apple" est un critère intéressant à positionner sur une carte mondiale. En effet, elle met en valeur des motifs clairement identifiables.
3. En termes de masses de populations et donc en termes de marchés potentiels, cela n'a rien d'insignifiant, comme le prouve le compte démographique ci-dessous.

Compte démographique :

• early adopters d'Android (jaunes et rouges) : 22.4%
• happy followers (verts) : 11.1%
• followers (bleus) : 27.2%
• laggards (gris) : 37.2%
• no data (blanc) : 2.1%

 J'identifie les tendances suivantes :

• Les pays en bonne voie de développement sont les premiers à adopter. Voyez : Europe Centrale, Inde et Indonésie, Amérique du Sud.
• Puis viennent les autres pays en voie de développement, notamment Afrique et pays d'ancienne URSS.
• Les pays développés sont les retardataires. Voyez : Europe de l'Ouest, États-Unis, Afrique du Sud, Japon, Australie.

Avec toutefois des exceptions notables :

• Pourquoi l'Allemagne et l'Autriche sont-elles parmi les early adopters ? Je propose la véritable réussite allemande actuelle qui consiste à utiliser à plein profit la proximité avec l'Europe Centrale. Ainsi, les échanges sont tels que les préoccupations sont communes.
• Même chose pour la France et ses partenaires commerciaux majeurs, anciennes colonies, que sont le Maroc, l'Algérie et la Tunisie.
• Même chose pour l'Espagne et le Portugal, qui ont des préoccupations communes avec leurs rejetons géants d'Amérique du Sud.
• Reste à comprendre la zone Chine, Birmanie, Thaïlande, Cambodge, Laos, Vietnam. Je n'ai pas les connaissances nécessaires pour faire des hypothèses sur cette zone. Les tenants et les aboutissants de cet étonnant retard de la Chine mériteraient un article à eux seuls.

En partant du principe que trois des atouts d'Android sont :

• La relative liberté de son environnement.
• Le prix bas des tablettes.
• La diversité des fabricants et revendeurs, grâce à la politique Google sur ce sujet.

Je déduis les éléments suivants :

• qu'il y a un réel marché de masse à prendre par Google,
• que les pays en développement ont tout intérêt à appuyer un fabricant qui autorise la réutilisation, l'adaptation, la compétition et l'amélioration, plutôt que d'adopter les plateformes fermées d'Apple (pensez à la libération du compatible IBM en 1981),
• que la diversité des acteurs et le nombre de têtes pensantes dans ces pays vont bientôt faire d'Android un écosystème plus varié et plus utile qu'iOS, que Windows sur PC, voire que tout ce que nous avons connu jusque-là (là aussi, pensez essor du PC),
• que le gain direct lié à la fabrication et la commercialisation de cet écosystème, ajouté au gain indirect lié à l'utilisation de ce meilleur écosystème, vont largement influer sur l'économie des pays early adopters et que les meilleurs de ceux-ci vont rattraper ou dépasser les pays occidentaux en termes d'avance technologique (là encore, pensez essor du PC),
• que l'Europe Centrale est certainement le meilleur endroit pour investir à l'heure actuelle. early adopters + coûts assez bas + démocraties stables + historique et culture managériale connue + disponibilité de nombreux managers de l'ouest expérimentés à l'est + infrastructures européennes + proximité des marchés ouest-européens + proximité de la Turquie pour des coûts de main-d'œuvre plus bas si nécessaire.

Back on my 2010 security predictions

For an ITsec worker, every year comes with some pieces of satisfaction and a lot of frustration. For instance, you'll hear about rocket-science ITsec techniques and observe that your neighbour's techniques are more snail-like, ostrich-like or dodo-like :-(

I did a few predictions at the beginning of the year of what would happen in the ITsec field, let's see if they actually happened.
What I wrote back then is given in yellow and today's comment is in white.

1. Linux systems will become an interesting target for hackers because of Google's OS.
   The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
   Did not happen. There are traces of some attacks on Google's OS but nothing the depth of what happens on Windows. (so far)
   
2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
   It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
   Did not happen. But I hear Symantec is on the subject and it's quite promising.
3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
   Clearly did not happen, though there are a few examples of such viruses.
   
4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
   There will be a fashion for it and a lot of blunders will be made in the beginning.
   Happened. I saw many examples of considering fingerprints as a good means of authentication, which it often is not, and worst of all: some companies start relying on "private questions" to enable users self-resetting their passwords.
   
5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
   Certainly happened, though those companies will not make a failure report before they've withdrawn, which is no easy thing ^^ The funniest story I heard (nothing written, sorry) is that of a web development company whose managers decided to cloud infrastructure, thus turning Apache settings, PHP settings and so on into read-only, contractual, data.
   
6. There will be an overflow of non-browser software using SSL.
   Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
   Happened, even Microsoft got into the market.
   
7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
   Happened, see Day's comment on the original article: pleaserobme.com, a site that harvests Twitter to guess whose homes are empty and easy to rob. One could also quote personalized ads or so many articles on the web.
   
8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
   
   • The web is too huge for any current government to master it, or even understand it.
   • The free software community will sidestep any technical measure towards censorship.
   I don't know yet whether governments will fail, but the current wikileaks wars certainly are an example.
   
9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
   Did not happen, so far as I'm aware.
   
10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
    Did not happen, I just read too many people interested in that.
    

And now a few wishes:

• That people stop thinking I work on viruses when I say I work on ITsec.
  There's certainly some change, but I can't identify it so far. People seem to start being aware of the "information-side", as opposed to the "technology-side"...
  
• That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
  No change.
  
• That service managers start budgeting time for service reviews and corrections, not only service implementations.
  No particular change.
  
• That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
  They didn't, though they reacted by adding sandboxes to the software. Makes me think of old families that had many children to "avoid" child mortality...
  
• That my government stops being such a liberty killer about IT.
  Not happening before the next election...
  
• [...]
  
• That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
  I don't know whether my readers did consider this situation. Did you?
  

An interesting use of Google Trends

Google Trends is a nice tool that gives you statistics about the terms used in Google web searches, in the form of curves. For instance, you can compare the curves of iPod, iPhone and iPad:


But there's also another interesting part, on the right: it gives you links to articles that were published at the moment when a peak occurred. The moments are correctly chosen for buzzwords like in this example, not always as well chosen for less marketing-oriented products. Anyway, that's often a way to apprehend the history of a technology, idea or movement.

Have a look at these curves:

• ITIL,
• Cloud computing,
• Free licence,
• ExtJS,
• Facebook,
• Risk management,
• ISO 27000 series,
• Yahoo!, Google, MSN and Bing,
• Smartphone, BlackBerry, iPhone...

Fun fact: Google search ratios about problems, by OS

Search pattern	Number of results	Ratio of "problems"
"windows 98"	21,900,000
"windows 98" problem	6,770,000	30.91%
"windows millenium"	291,000
"windows millenium" problem	77,500	26.63%
"windows xp"	124,000,000
"windows xp" problem	61,400,000	49.52%
"windows vista"	80,900,000
"windows vista" problem	88,200,000	109.02%
"windows seven"	2,900,000
"windows seven" problem	551,000	19.00%

Security predictions for 2010 and a few wishes

As usual, nothing posted on this blog is related to my job at my employer. These are merely thoughts gathered from readings on the web and personal considerations.

(If you're wondering why I didn't post this in January, think that holidays spent in Sicily, Romania, Hungary and Serbia are worth being late. I really love the Carpathians.)

1. Linux systems will become an interesting target for hackers because of Google's OS.
   The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
   
2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
   It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
   
3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
   There will be a fashion for it and a lot of blunders will be made in the beginning.
5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
6. There will be an overflow of non-browser software using SSL.
   Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
   
   • The web is too huge for any current government to master it, or even understand it.
   • The free software community will sidestep any technical measure towards censorship.
     
9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.

And now a few wishes:

• That people stop thinking I work on viruses when I say I work on ITsec.
• That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
• That service managers start budgeting time for service reviews and corrections, not only service implementations.
• That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
• That my government stops being such a liberty killer about IT.
• [...]
  
• That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
  

Virus free OSes and Google Chrome OS

It's been buzzing all around about Google Chrome OS. Google announced they would create a new Linux-based OS called Google Chrome OS and they said "[they would make it] so that users don't have to deal with viruses, malware and security updates".

A lot of articles have reacted to the news, and to the claim. Bruce Schneier was quoted saying that it was an idiotic claim to pretend it would be a virus free OS. And he explained later that it was an answer on the phone, to a journalist, and that he hadn't read the news in the original text by then.

Indeed, Google didn't claim they would produce a virus free OS, and they did well. If I am not mistaken, it is always possible to create a virus on a Turing machine or equivalent. And, as Schneier quotes from Fred Cohen (1986), it's never possible to create a perfect antivirus program.

Google's claim is much more subtle and quite interesting. They said that the user would not have to deal with viruses, malware and security updates. And that seems quite possible to me, or at least quite feasible to improve on, compared to the current situation.
In my imagination, Google wants to silently push all that's needed from the web directly onto their OS. OS patches, antivirus definition files, and why not also manual patches when needed?

Take the example of the handling of spam by Gmail. They have a set of rules, which they can modify very quickly, and even modify "by hand" for a singular point. In comparison, at the workstation level:

• in a typical open source environment, you would need an update command. Even if that's quick, that would require something like:

  # apt-get update; apt-get install last-spam-filter

• in a typical closed source environment, it would require an update by hand.

Here, the rules, updates, patches, and even new versions of the soft immediately come through the browser. Even if the system makes no breakthrough in terms of fundamental security, you will get an excellent increase in overall security from the regular update of software. No more unpatched OS, unpatched browser, unpatched AV...

So far as I can tell, that would save companies big heaps of money on exploitation.

PS: That uncovers a lot of questions for me, such as: How will MS react? Why didn't MS try to do the same? How can competitors get a foot into the same market? Won't Google become a new empire of evil? Will Google's business survive to DoS attacks? How can any evil competitor prevent Google from getting into that market? How will the Google Chrome OS get onto the PCs in the first place, will it be shipped with PCs, or will users need to install it? Where do you set the limit between what Google remotely do and what they don't do? How will governments react? What about privacy of information? What about national spying issues?

SEO game - Jeu référencement SEO

This article relates to a website only available in French. If you can't read French, sorry this time, I will not translate the many pages into English. All that follows herebelow is in French.

Un jeu en français sur le référencement (l'optimisation de la position d'un site dans les résultats de recherche d'un moteur de recherche, typiquement Google) vient de commencer à l'adresse www.jeu-referencement.com. Il s'agit de 15 petites épreuves à franchir, chacune utilisant une technique liée au référencement. Je ne vous donnerai que deux indices :

• Si vous tombez sur une erreur 404, c'est que vous devez continuer à chercher, pas abandonner.
• L'épreuve 14 bugge avec certaines configurations logicielles, n'hésitez donc pas à la forcer de toutes les manières possibles, c'est le résultat qui compte.

Il m'a fallu à peu près une journée pour terminer les 15 épreuves (pas 24h de suite collé contre l'écran ! juste quelques heures en fait). Et je suis assez content, j'ai appris quelques trucs que je ne connaissais pas.

Small yet eternal lesson from a successful SQL injection attack

I just conduced a penetration attempt on behalf of a site's owner. The site is the kind you use for home-grown, not critical matters. I wanted to try SQL injections first, because since I read Security Warrior, by Cyrus Peikari and Anton Chuvakin, I felt a kind of inner vacuum for never having done that. Here is how I proceeded:


My goal was to change an existing data of the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.

• From that, I deduced it worked with a database.

Looking at a targetable data, one that I would want to target and mark as "hacked", I saw that the URL contained a GET parameter ?id=20

• From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".

Looking at the main connection page to the site, I saw another GET parameter in which I tried to input a single quote. The server answered me with an error message including the path to a library file, with the extension .php, with an identifiable name. I typed that name into a Google box and found it was a fairly well known free software underlying library.

• From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.

I used the normal way to create an element inside the software of the same kind as that of the element I wanted to change. Then I went to the modification page for this element and gave a single quote in one of the text field values of the element. The server returned me an error message with the faulty SQL request.

• From this I learnt the names of the table and some of its fields inside the database.
• From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
  
• From there, I guessed it would be piece of cake :-)

I crafted a request, using id='20', value of the targeted element instead of that of my legally owned element. I looked on the Internet to find that the comment marker for MySQL was hyphen-hyphen-space and not hyphen-hyphen. And I changed the name field of the attacked element from "dummy title" to "dummy title hacked". And I pressed the button and everything went well. I then used the normal way to visualize data and found the victim element to be called "dummy title hacked".

So, from all that, I conclude that it's important to hide programmer's data from the eye of the user. Especially, GET parameters should not be used unthoughtfully and the error messages from server or middleware should not be displayed to the user. A good polite "We encountered an internal error." is fair enough.

So, next time the webservers' admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_ gmail.com

Javascript and PDF

Have a look at Google's answer when both "PDF" and "Javascript" are in the search box. When I did, I got 4 results out of 10 concerned with security faults.
So, here is my initial question: Why should Javascript be put inside PDF files?
Answer: it's in the ISO norm defining PDF 1.7, with no precise details, but at least references to more detailed documents.

It's long known to web developers that Javascript is a nest for problems, especially when it's not correctly documented. Yet Adobe looks to develop forward the possibilities of its software, its file formats and that's normal. However I would wish they did it differently. First, that they did not melt innovations under a unique "PDF" name, which refers to a format that users choose primarily because it's supposed to be portable, simple and solid like rock. Then, that they did not activate Javascript by default. Few users really require it and even they recommend to deactivate it.

Can new MS Office format replace correctly old MS Office format?

A few friends of mine are concerned that the new MS Office format OOXML (discutably standardized as ISO/IEC 29500) might not replace correctly the previous one. Should they change their organizations' practices to the new OOXML or stay put with the old .doc, .xls, .ppt and so forth?

One assumption was that Microsoft would write the file format to allow for a correct representation of all the previous content. This was in their interest because they then could say to their customers that the transition would be seamless.

However they were criticized for including say "direct representation of old formats" rather than "complete representation" of the same data. Or more simply, they made OOXML represent the mechanisms of the old .doc and .xls, rather than provide something to represent the same information in a unique, coherent new architecture. This means that the OOXML format inherits a lot of the complexity and some bugz and patchz of the previous formats. But it's not my point today.

My point is that when doing this, they forgot things (due to the high complexity of the previous formats I suppose), which made a subcomitee of the ISO say that it is "impossible to fully represent some of the corpus of existing documents in [OOXML] ISO/IEC 29500". So to the questions of my friends about switching to OOXML, my answer is: wait and see.

If there is one thing I am sure about, it's that we have a lot to see from MS competitors: IBM has its own branch of office suite linked to OpenOffice.org, Oracle has just bought Sun's OpenOffice.org and Google will not let go of online edition.

If there is one thing I am convinced about, it's that OOXML is not a mandatory shift so far.

Acrobat Reader blocks my audio system, WTF?

I wanted to play a song (yes I have a legally bought copy from which I made the mp3) in mplayer and got the following result:

$ mplayer "01 - Adiemus - Karl Jenkins.mp3"



[...]

open /dev/dsp: Device or resource busy

After a few researches, I found:

# lsof /dev



[...]

acroread 32723 christophe 61r CHR 116,33 11606 /dev/snd/timer

acroread 32723 christophe 62u CHR 116,16 12023 /dev/snd/pcmC0D0p

An open document in Acrobat Reader was blocking my sound system. Why? No idea. I closed Acrobat Reader and opened it anew: no problem anymore.

For reference, it's a Ubuntu 8.04 on a PC, with a typical AC97 integrated chip. Package alsa-base is 1.0.16-0ubuntu4 and Acrobat Reader itself is 7.0.

EDIT1 30/04: I should say Adobe Reader, not Acrobat Reader, the former name.
EDIT2 30/04: The package acroread is version 7.0.9-0.0.ubuntu0.7.04+medibuntu2

Acrobat Reader dangerous target

Acrobat Reader, the most common PDF viewer, is a lot targeted by attackers, in the form of specifically crafted PDF files. Through such attacks, access can be gained into the infected system and other threats such as botnets can occur. The security company F-Secure recommends to replace it with an alternative viewer. (the news from slashdot)

I remember foretelling this to colleagues six months ago.

Shredding files [4/4]: Additional details on shredding

A link to the three previous bills, please read them first:

1. Why it's useless to "shred" files, most of the time
2. Shredding empty space
3. Please shred the hard drive

Then the matters I wanted to speak about.

First, the choice of the shredding software. Given the high number of vendors for that and the increasing number of rogue security software, I advise to take only software from a well-known vendor (from its official site or from a reseller) or opensource software.
I would bet that among all the software that claim to shred files, one quarter are rogue software.

Second, the views I gave in the three previous bills only take in consideration a part of the complexity of the question. For instance, different media (RAIDed hard drives, Flash memory...) may not follow the same behaviors as hard drives. Another example: filesystems are not considered. If the setup includes a rollback system at the filesystem level, then shredding empty space might not be efficient.

Third and final: let's think practical. There is no need to buy expensive software when you don't have a need for expensive functionalities. Most of the functionalities are covered by the tools included in a basic Linux distribution (thanks ketherius (RO) for the example). There is no need to shred everything everyday if you don't handle extremely valuable information (and even then...)

EDIT 22/06/09: If you can speak French, there has been an eXCellent discussion thread on the matter on linuxfr.org.

Shredding files [3/4]: Please shred the hard drive

At this point, we don't shred files anymore and we shred the empty space when we have time and a motivation.

Now, the last important step is not to forget to destroy all of the data when the hard drive is disposed of. There is a lot of data that you must destroy, even if you destroyed your main "My documents": Internet downloaded files, drafts that you may have forgotten, saved passwords or connection parameters...

There are countless stories of companies being spied upon by use of their old hard drives. To get rid of this threat, you can use a hard drive shredder such as the one below.



OK. So, good practice is to establish a policy that forbids hard drives (including internal hard drives in the printers and xerox machines) going out before a shred. Don't donate, sell or dump an old hard drive before a shred.

Shredding files [2/4]: Shredding empty space

Once you understand that there are shadow copies of your files of value, you get it that it's useless to shred files, as is often recommended, though.

So what's next, how to ensure your files are not recovered? At this point in our reflexion, the problem is that there are confidential bytes in the "empty" space of the hard drive. So, some software provide a tool to "shred" the whole of the empty space. Here, we mean that it will browse the full length of the empty part of the disk and cover it with random patterns, to remove all chances of recovery of the previous data.



The good point is: theoretically it works. The bad point is: practically, it's unmanageable because it means using those random patterns on the size of the empty space of your hard drive. Like dozens of gigabytes. So it takes very long.

The good practice becomes: tell your top management to bring in their laptops for a good shred, before they go to a risk area (like travelling abroad to negotiate contracts). The bad practice is: present your executives with the tool and tell them to do it themselves regularly.

Why it's useless to "shred" files, most of the time

It's becoming common knowledge that a file can be recovered from the hard drive even after being removed. The basic idea is that a file = a container + a content.

When you remove the file, the operating system (whether it be Windows or Linux or else) destroys the container but keeps the content. So the actual bytes of your file remain on the hard drive. And a myriad of software (most with a shareware license) have grown to sell you the idea that by writing zeroes or random patterns over the content, it will make it unrecoverable. That's theoretically true.



The problem is that the soft only destroys what you ask it to. So if there is another copy of the file, that you don't know about, that one will still be available for recovery. And that's the problem with all of MS Office software (and other office suites). These office applications create backup copies to recover if (ever) there is a crash.
And you don't ask the shredder to shred them, so they remain on the hard drive, even if you shred correctly the main file. (You can't shred them, because 1° they're necessary 2° you don't know where they are 3° that would be a long job.)

As a conclusion, if you use your shredder for office files such as .doc, .xls and so on, just drop it, it's useless.

Detecting and mitigating vulnerabilities in web applications

I wanted to write a summary article about vulnerabilities in web applications since a long time. So, here it is.

After a good look at my CISSP CBK and my ISO 27002, I thought of the following categorization:

1. Vulnerabilities in the code techniques
2. Vulnerabilities in the code design
3. Vulnerabilities in the network infrastructure
4. Vulnerabilities in the configuration of the subcomponents
5. Vulnerabilities on the client-side

I don't think I saw an attack on a web application that used a vulnerability that doesn't fit in one these five categories. For each of these categories, I will give a short explanation, a few examples, the skills required for the people who will detect and address them, and some tools that might help in detection.

1. Vulnerabilities in the code techniques

They probably come to mind first. This category includes all the coding failures to handle input validation and output validation. Common examples are SQL injections that allow to gather confidential information or debugging error messages giving critical information.
Skills required: Experience in programming, ideally with the same environment and language.
How to proceed: Analyse the code and look for punctual vulnerabilities. Each time a vulnerability is found, check if there are other occurences of the same.
Tools: 1/ For almost each language there is a site, page, or book that lists the blunders not to do. It is a good start point for this analysis. 2/ Alas not for all environments and languages, automated tools exist to check for typical blunders. Beware, even if such a tool exists in the target environment/language, that doesn't mean it does an exhaustive work.

2. Vulnerabilities in the code design

Usually called design flaws. At the moment the programmer writes he has to make choices about the way to organize code paragraphs, subroutines, objects, classes, the location of variables: on the server or on the client?, the authentication methods... This kind of choices can be flawed from the beginning. For instance, using the same authentication method for the end-users and for the administrators can be a flaw.
Skills required: Experience in programming web applications, ideally experience in hacking.
How to proceed: Browse the code and the running application. Conceptualize the inside organization of the application and suggest methods of attack on the design.
Tools: If they were created in the first place, the UML/Merise/... diagrams of the application. No automated tool does this, to my knowledge.

3. Vulnerabilities in the network infrastructure

One of the things that are always present at the mind of CIOs, maybe too much.
Skills required: Some experience in network design.
How to proceed: Analyse the network. Suggest attack methods.
Tools: 1/ If they were created in the first place, the block diagrams. 2/ There are good books out there on the design of network infrastructure. 3/ Automated tools like Nagios or Nessus are of help, but don't do the work.

4. Vulnerabilities in the configuration of subcomponents

Often underestimated. No, always underestimated. This is the kind of vulnerabilities like negligently allowing the download of your internal code, forcing encryption but allowing weak encryptions and so on. The list is infinite.
Skills required: Experience in network administration. Courage. Time.
How to proceed: List all the software components and subcomponents of the chain of software that manipulates critical information. This includes the web server, the web server modules, the programming language compilers or interpreters, the database server, any kind of proxy or firewall, and others that I forget here. Then the documentation of all of these must be read, the configuration options analyzed, and the appropriate ones turned on or off.
Tools: Some tools allow to attack the network, acting as automated attackers. It is good, and a good start-point, but cannot be exhaustive. The good tools are the mailing-lists or forums related to each of these components or subcomponents, and the related newsfeeds.

5. Vulnerabilities on the client-side

Not really new, but it took a new start these last years. The reason? End-users stick to old, weak software instead of changing their habits. This includes vulnerabilities in the browser that the end-users will use. For instance, the browser being weak, malicious people can steal the user's password and act under the provided anonimity. To some extent, you have to protect your customers against their use of bad tools or badly configured tools :-(
Skills required: Experience in hacking or paranoia.
How to proceed: Always read a general IT channel of information, to be aware of news in this field. Slashdot first comes to my mind. More dedicated channels are good also. When you hear of a new kind of user-attack, just think if you (your users!) are vulnerable to it, and how to mitigate it. Sometimes you can prevent it by adding layers of protection (think of CSRF!). Sometimes an awareness campaign is the only tool. Think of protecting yourself by contractual means, from your users wrath, also.
Tools: There is no tool that can do this in place of a talented and interested human. One tool is helpful: a testing environment that allows security guys to act as an Internet typical user.

Summary table: automated detection of vulnerabilities

Code techniques
Good tools exist. Not in every language or programming environment.

Code design
No automation.

Network infrastructure
Partial automation. Tools to help the security guy.

Configuration of subcomponents
Good tools exist. Not exhaustive though.

Client-side
No automation.

7^W12 years old vulnerability

I blogged last week about Microsoft patching a seven-years old vulnerability. Was irritating.

According to Sid, the vulnerability was known since 1996. (The link is in French.) 12 years-old. Is irritating.