Wednesday, October 3, 2012

Please Don't Break Tabbed Browsing and Browsing History!

Tabbed browsing, the ability to browse websites in multiple tabs at the same time, is now an acquired benefit. Yet it can be broken when ill-designed websites mess with it.

Basically, when you click a link, the address of the link gets copied into the address bar of the browser and you access that address. If you open the link in a new tab (middle button on the mouse, usually), the address gets copied to the address bar of the new tab. Pretty simple, huh?

But some sites add scripts that tell your browser where to go when the link is clicked, instead of just letting the browser do it the normal way. So they interfere with the regular work of the browser. Three kinds of bugs can then be encountered:
  1. The link opens both in the current tab and the new tab.
  2. The new tab opens but the linked page doesn't show in it.
  3. The browsing history gets broken, preventing you from correctly returning to the previous page.
So, here is my point:

STOP MESSING WITH LINKS!
STOP MESSING WITH BROWSING HISTORIES!
Just let users open what they want where they see fit.

Example:
Viadeo, a French kind of LinkedIn, is doing it. If you middle-click a link, it will open both in the current tab and in the new tab. Thank you developers! Let me add that this is particularly inadvisable for a social network, where the most valuable users are very experienced and open dozens of tabs at once.

Tuesday, May 17, 2011

Adverse Effects of a Security Measure: the Example of French Speedometers

As far as analogies might go, I find the example of French speedometers a revealing example of security failure.

Automated speedometers have been installed in many places along motorways and also in town centers or in rural areas. Those devices take a picture of every car going 5% or 10% above the speed limit. The driver is fined a high penalty and even gets points removed from his driving license. The license is invalidated once 12 points have been removed.

That sounds good, but there are all kinds of problems. To name just a few design problems:
  • People brake a lot when they see one ahead of them. They risk provoking an accident on a motorway just because of that.
  • Whether they were "shot" or not, they're angry about it and they then speed up a lot, knowing there won't be another speedometer in the next few miles.
People got to know the exact locations of the speedometers, or even invested in detectors, bundled into iPhones, Androids or other specific devices. So the government sent policemen roaming the country with "mobile" speedometers.
And then came the social problems:
  • Tax money is used to fine the taxpayers. If that's only in case of danger, that's good. But if it goes into fussiness, that's parasitic!
  • After a short drop in the death rates of road accidents, the system reached its limit and the death rates started stagnating again. So the government intensified the pressure on policemen. They are now accountable for the number of fines given in their area. That measures the efficiency of the system on an irrelevant variable.
  • Additionally, citizens are exasperated by this overpressure, clearly conscious that it's not an efficient security measure anymore.
  • In a significant number of cases, policemen start issuing fines in places where they can do it easily, whether there is a real danger or not.
  • All that of course leads to a vicious circle where citizens are angry about policemen and about the government and where the "measure" of efficiency becomes more and more irrelevant.
  • Eventually, the policemen are so pressured to issue speedometer fines that they forget to issue fines for other, actually efficient, reasons. For example, you'll find more cars in poor condition (no lights, flat tyres...) than a few years ago.
There's also the border effect:
  • Foreigners are "shot" by the speedometers, but the French state doesn't know to whom the fine must be sent. In the end, they don't have to pay and they don't risk having their license removed. And they often enjoy our beautiful roads at speeds above 180 km/h. So citizens feel as if foreigners are better treated than they are.

There's the implementation problem:
  • In their rush to issue fines, policemen just park anywhere, including dangerous locations! They are sometimes a factor in accidents.

And finally, there are the typical VIP exceptions that plague any security measure:
  • Police cars themselves are not subject to these fines, so currently the worst drivers you can find anywhere whether in town or on motorways are: policemen!


All in all, I'm impressed if the government behind that ever gets re-elected.

Wednesday, November 10, 2010

Please NO MORE Top 10 Security Measures!

I have a habit of collecting web articles about security measures to apply in specific security situations. Those articles usually have a title like "Top 10 security measures for the administration of XYZ" or "Top 20 vulnerabilities in XYZ servers". And I now have the feeling that it's a bad thing to present a security approach that way.

Let's take a few examples:
What's good in these articles is that you can use them for what they are: a grid to think about your own security. But they don't provide exhaustiveness and, for that matter, they may not even be suitable for your own case.

That's a question of risk management (of course) but, setting big words like these aside, you'd simply wonder why there are 5, 10 or 20 top measures and not 2, 6 or 11. The measures in these articles are gathered not to provide a level of security, or a level of security maturity, but to make for a long, publishable list. And whether you should implement only the top 3 measures, or only measures number 2, 4 and 5, is left up to you. Not to mention that you may not implement 2, 4 and 5 in this order but may very well begin with number 4 or 5.

What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.

Let's add an illustration to this (nasty) comment: friends recently asked me to attempt a penetration test on a website that they wanted to secure. What I found was:
  • an easy access to htpasswd file,
  • obvious passwords that John the Ripper guessed in no time and
  • cleartext credentials to access the database.
If you look at the OWASP list, you'll find the corresponding measures at numbers 6 and 7. Yet, all Apache admins know that these are at maturity level zero. Furthermore, for that precise site, OWASP's number 1 (code injection) was almost irrelevant.

That's not to say that OWASP's work (or anyone's listed above) is not good. It is, and useful if used correctly. It's just to say that I'd prefer to see more "Beginner level 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: From step 1 to step 4" articles.

Saturday, October 31, 2009

Why Windows 7 will not crush Linux

Sorry, just a rant against a nonsensical piece, "Why Windows 7 will crush Linux" by Ron Barrett who, surprisingly, usually writes good technical articles and a few interesting non-technical ones.

This one piece shows, very clearly, a lack of knowledge of how things work outside the Microsoft world. Let me comment point by point, before making more general statements further down. Quoted passages are indented.

    Okay it is no secret that Linux has not been able to crack the desktop, either at the home or at the workplace. Not to be ignored either is that Windows lost some desktops last year (a little over 3%), but let's not panic just yet, Windows still owns over 88% of all the desktops according to leading research.

Why does Ron Barrett concentrate on "crushing" Linux when he could attack the main market share grabber, Apple? Does he really think of panicking, or is that just an expression?

    [...] Windows 7 installs easier, has simpler configuration of user settings, greater availability of software, support (you could argue that all support is awful, which is probably true) Windows support is easier to get when you need help. Gaming, MP3's,… I could go on and on.

  • Windows 7 installs more easily, but with the installation you get only the OS, not the office suite, the usual programs, the good media players, the image manipulation programs, etc.
  • Windows 7 has simpler configuration of user settings. But simplicity isn't the only question, since you can get the Mac OS X perverse effect: too many hidden options, so that anything a little more complicated than usual cannot be done from the interface and you have to go to the command line. So my question is quantity of settings vs. simplicity vs. good explanation vs. automation of whatever can be automated. And here, if anyone has a precise comparison list, I am listening carefully.
  • Windows 7 has greater availability of software. That depends on what you want to do. When my WAMP solution claims that a WAMP is only for testing and that a production tool should be a LAMP, what should I do? I am also a firm believer in centralized repositories, and I find that the way to install software under Linux (like Synaptic) is much more modern and efficient than Windows software installation.

    To real Linux die hards… terminals rule.

Yeah, conquering die hards is the crucial problem when you're going after market share!?

    So Powershell presents an interesting argument for Windows adoption by the Linux user.

The very idea that an experienced Linux user could switch from the Unix philosophy to the Windows philosophy "disguised" as a command line draws tears of laughter from my eyes. Words or icons are just means, but the Unix philosophy that shows through bash, csh or perl is a cement stronger than any interface tool.

    Some people want free software (even if support is limited or non-existent).

Red Hat sales keep going higher and higher; is that a coincidence, or does support just exist?

    Applications like Firefox, Open Office, MYSQL, GIMP… wait all these applications are now available for Windows.

OK, but with the exception of Firefox, most of them still run better and integrate better under Linux than under Windows.

    Moreover, they are easier to install in Windows than they are in Linux.

Complete idiocy: once you have installed Ubuntu, applications like Firefox, OOo and GIMP are already installed. Concerning MySQL, you just have to go to Synaptic, check the "mysql" checkbox and click "install". Far easier than under Windows.

    Windows 7 has solved a long-standing thorn in Microsoft's side, How to deliver a feature rich OS without killing resources?

Okay, so Ron Barrett just confesses that Windows has long lagged behind competitors in terms of resource usage. Fine. Thanks.

    Linux users have no reason to hold back anymore. Windows 7 is well placed to crush and put an end to the penguin.

Except for a complete programming workstation, a versatile kernel that runs everywhere from DVD players to car computers to mainframe servers, freedom from unwanted "phone home" calls, a complete view of the software from the kernel to the application, ready and working middleware such as Apache, very good support (with full source access) such as that of Red Hat, IBM, HP and others...

Now that I have calmed down, seriously, why would anything change for Linux users? There are two major situations:
  • Those who were fed up with Microsoft or wanted specific freedoms: they will not change anything because of Windows 7.
  • Those who use Linux because it's used at work or because they have a specific technical reason: they will not change either. At best they will consider changing, but whether that will be worth the migration, I doubt.

Saturday, June 27, 2009

Microsoft fallacious IE8 campaign

Is the browser market so opaque and obscure to non-technical people that Microsoft thinks it can fool them with a simple table?

To summarize the history of facts, Microsoft once had a monopoly in web browsers because the software shipped with their operating system, Windows, which is ubiquitous. They then sat on their laurels for a while (roughly from the end of the nineties to 2006) and lost a part of their market share to more secure, faster, more flexible browsers, such as Mozilla's Firefox. They finally reacted and released Internet Explorer 7 and Internet Explorer 8, fixing a lot, but, to many eyes, not climbing to the level of quality of their rivals.

And now they try to get their market share back with a marketing campaign, built around an awfully simplified and fallacious comparison table.

Now, let's return to normal. Below is their table, with my remarks or modifications marked as such.

I do not comment on Chrome, because I have used it too little.

Their table compares Internet Explorer 8, Firefox 3.0 and Google Chrome 2.0 category by category, with a "Comments" column; each category below gives their comment followed by my remark.

Security
  Their comment: Internet Explorer 8 takes the cake with better phishing and malware protection, as well as protection from emerging threats.
  My remark: Anyone can claim that. But with such intimate relations between the operating system and the browser, Internet Explorer puts the system at greater risk from malware.

Vulnerabilities
  My remark: The time to fix vulnerabilities once they are public is the shortest in Firefox. Internet Explorer has the worst record of critical vulnerabilities, sometimes not patched long after they are public.

Privacy
  Their comment: InPrivate Browsing and InPrivate Filtering help Internet Explorer 8 claim privacy victory.

Ease of Use
  Their comment: Features like Accelerators, Web Slices and Visual Search Suggestions make Internet Explorer 8 easiest to use.
  My remark: Some might say it's a question of taste. I feel like Internet Explorer is rigid while Firefox is flexible.

Web Standards
  Their comment: Firefox and Chrome have more support for emerging standards like HTML5 and CSS3, but Internet Explorer 8 invested heavily in having world-class, consistent support for the entire CSS2.1 specification.
  My remark: I don't deny Microsoft made big improvements, but almost any web developer still frowns at the very name of Internet Explorer. Yet, they did improve.

Developer Tools
  Their comment: Internet Explorer 8 has the most comprehensive developer tools built in, including HTML, CSS and JavaScript editing, but also JavaScript profiling; other browsers have developer tools available, but either require you to download them separately, or aren't as complete.
  My remark: You could also argue that the simplicity of XUL, Firefox's development language, is one reason it's been such a success.

Reliability
  Their comment: Only Internet Explorer 8 has both tab isolation and crash recovery features; Firefox and Chrome have one or the other.
  My remark: Only Internet Explorer crashes when too many pages are open at the same time.

Customizability
  Their comment: Sure, Firefox may win in sheer number of add-ons, but many of the customizations you'd want to download for Firefox are already a part of Internet Explorer 8 – right out of the box.
  My remark: I have never found for Internet Explorer the precise equivalent of what I use in Firefox.

Compatibility
  Their comment: Internet Explorer 8 is more compatible with more sites on the Internet than any other browser.
  My remark: That's certainly true because of Microsoft's long record of purposeful incompatibility which, in the past, encouraged developers not to develop for other browsers. However, I do not know one of the sites that I use today that is not compatible with Firefox.

Manageability
  Their comment: Neither Firefox nor Chrome provide guidance or enterprise tools.
  My remark: That's not true. With the tools provided by FrontMotion, you can achieve similar manageability (for instance, centrally from an Active Directory server), and I would say you get more precise control of what's managed.

Performance
  Their comment: Knowing the top speed of a car doesn't tell you how fast you can drive in rush hour. To actually see the difference in page loads between all three browsers, you need slow-motion video. This one's also a tie.
  My remark: Every recent benchmark shows Internet Explorer as the last of the last browsers in matters of speed.


I was not the only one to notice that :-)
Some comments are worth reading.

EDIT 06/29/2009:
They're going to some extremes for their marketing... in my home region, they advertise on pizza boxes, and also have a look at this one in the US:
http://www.browserforthebetter.com/index-htm.html#getie8:6qmoqjtZ9pH

EDIT 07/28/2009:
I have found some pictures of those IE pizza boxes here and here.

Wednesday, June 10, 2009

Small yet eternal lesson from a successful SQL injection attack

I just conducted a penetration attempt on behalf of a site's owner. The site is the kind you use for home-grown, non-critical matters. I wanted to try SQL injections first, because since I read Security Warrior, by Cyrus Peikari and Anton Chuvakin, I had felt a kind of inner vacuum for never having done that. Here is how I proceeded:


My goal was to change an existing piece of data on the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.
  • From that, I deduced it worked with a database.
Looking at a targetable item, one that I would want to target and mark as "hacked", I saw that the URL contained a GET parameter ?id=20
  • From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".
Looking at the main connection page to the site, I saw another GET parameter in which I tried to input a single quote. The server answered me with an error message including the path to a library file, with the extension .php, with an identifiable name. I typed that name into a Google box and found it was a fairly well known free software underlying library.
  • From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.
I used the normal way to create an element inside the software of the same kind as that of the element I wanted to change. Then I went to the modification page for this element and gave a single quote in one of the text field values of the element. The server returned me an error message with the faulty SQL request.
  • From this I learnt the names of the table and some of its fields inside the database.
  • From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
  • From there, I guessed it would be a piece of cake :-)
I crafted a request using id='20', the value of the targeted element, instead of that of the element I legitimately owned. I looked on the Internet and found that the comment marker for MySQL was hyphen-hyphen-space and not hyphen-hyphen. And I changed the name field of the attacked element from "dummy title" to "dummy title hacked". I pressed the button and everything went well. I then used the normal way to view the data and found the victim element to be called "dummy title hacked".

So, from all that, I conclude that it's important to hide the programmer's data from the eye of the user. In particular, GET parameters should not be used thoughtlessly, and error messages from the server or middleware should not be displayed to the user. A good polite "We encountered an internal error." is fair enough.
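As an added illustration (not code from the original post), here is the mechanism of the attack and of the fix side by side, in Python with an in-memory SQLite table standing in for the site's MySQL one; the table name, field names, user names and rows are constructed for the example. The vulnerable function splices the submitted title straight into the UPDATE statement, so a title that closes the quote, adds its own WHERE clause and ends with the comment marker rewrites another user's row; the hardened function binds parameters, checks ownership, and hands the caller only the generic message while the detail goes to the log.

```python
import sqlite3

# Constructed sample data (not the real site's schema): an "item" table with an
# id field and a title field, as in the post, plus an owner column used by the
# hardened version. Row 20 belongs to another user; row 21 belongs to the tester.
SCHEMA = """
CREATE TABLE item (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, title TEXT NOT NULL);
INSERT INTO item VALUES (20, 'alice',   'dummy title');
INSERT INTO item VALUES (21, 'mallory', 'my own item');
"""

# The title submitted for the tester's own item (21): it closes the string,
# re-targets the WHERE clause at id 20 and comments out the rest of the query
# with "-- " (hyphen-hyphen-space, the marker the post had to look up).
ATTACK_PAYLOAD = "dummy title hacked' WHERE id='20' -- "


def fresh_db():
    """Return a new in-memory database loaded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def title_of(db, item_id):
    """Read back a title, the way the site's 'view item' page would."""
    return db.execute("SELECT title FROM item WHERE id=?", (item_id,)).fetchone()[0]


def update_title_vulnerable(db, item_id, new_title):
    """The pattern behind the post's 'update item' page: string concatenation.

    With ATTACK_PAYLOAD as new_title and 21 as item_id the statement becomes
      UPDATE item SET title='dummy title hacked' WHERE id='20' -- ' WHERE id='21'
    and row 20 is modified instead of row 21.
    """
    sql = "UPDATE item SET title='%s' WHERE id='%s'" % (new_title, item_id)
    db.execute(sql)
    db.commit()


def update_title_hardened(db, current_user, item_id, new_title):
    """Parameter binding plus an ownership check; returns (changed, message).

    Whatever the title contains is stored as data, never parsed as SQL, and a
    user can only touch rows they own. Errors are logged server-side and the
    caller gets the generic message the post recommends.
    """
    try:
        item_id = int(item_id)  # reject non-numeric ids before touching SQL
        cur = db.execute(
            "UPDATE item SET title=? WHERE id=? AND owner=?",
            (new_title, item_id, current_user),
        )
        db.commit()
        if cur.rowcount == 1:
            return True, "ok"
        return False, "not found"
    except (ValueError, sqlite3.Error) as exc:
        print("internal error: %r" % exc)  # stand-in for the server log
        return False, "We encountered an internal error."


def demo():
    """Run the same payload against both versions; returns the resulting titles."""
    db = fresh_db()
    update_title_vulnerable(db, 21, ATTACK_PAYLOAD)
    vulnerable_result = (title_of(db, 20), title_of(db, 21))

    db = fresh_db()
    update_title_hardened(db, "mallory", 21, ATTACK_PAYLOAD)
    hardened_result = (title_of(db, 20), title_of(db, 21))
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable:", vuln)  # victim row 20 now reads 'dummy title hacked'
    print("hardened:  ", hard)  # row 20 untouched; row 21 holds the literal payload
```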

So, next time the webservers' admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_ gmail.com

Tuesday, June 9, 2009

Larry Page's law also for mobile phones and gaming consoles?

Larry Page once expressed the thought that "software gets twice as slow every 18 months". This became known as Page's law, and when I had to change my cellphone I suddenly wondered whether the same was not true of mobile phone content and gaming consoles.

I asked a cousin working in the field of mobile phones and he gave me a spare good old Nokia 1600, saying it's one of the you-can't-find-them-anymore-nor-anything-as-good.


When I first turned it on, I was overwhelmed by a feeling of quiet efficiency. It doesn't do MMS, doesn't take pictures, doesn't let you surf the web, but damn it, it's fast. Well, indeed, I just don't notice that I am using a cellphone at all. It's just become plain transparent. Take your directory entry, push the button and that's all. A plain good old feeling of fire-and-forget.

And it reminded me how frustrated I got when friends invited me to play the new Street Fighter game on an Xbox 360. It's beautiful, it respects the design principles of the series, yet it's nowhere near the same fun as the old ones on the SNES.

I'd seem bitter if I concluded with a law like "every piece of software or platform evolves to the point where usability suffers a lot from the number of functions, then evolves to the point where it's not usable at all anymore", or another Zawinski-like law, yet I see no other conclusion.

PS: thx, couz'

Sunday, May 24, 2009

Javascript and PDF

Have a look at Google's results when both "PDF" and "Javascript" are in the search box. When I did, I got 4 results out of 10 concerned with security faults.
So, here is my initial question: why should Javascript be put inside PDF files?
Answer: it's in the ISO standard defining PDF 1.7, with no precise details, but at least with references to more detailed documents.

It has long been known to web developers that Javascript is a nest of problems, especially when it's not correctly documented. Yet Adobe wants to extend the possibilities of its software and its file formats, and that's normal. However, I wish they did it differently. First, that they did not merge innovations under a single "PDF" name, which refers to a format that users choose primarily because it's supposed to be portable, simple and rock solid. Then, that they did not activate Javascript by default. Few users really require it, and even they recommend deactivating it.

Saturday, May 2, 2009

A rant against podcasts

I'm fed up with the news articles that give you content in the form of podcasts*. I want text back.
* i.e. "recorded voice", to put it simply

Here is why:
  1. The only advantage I get over text is the voice of the reader or the interviewed guy. It's not an advantage at all.
  2. Text underlines what's most important. Voice gives me all, interesting and uninteresting. It's the sign of a lazy news reporter.
  3. With text, I can rewind or go fast forward in a blink, without even a mouse click. I can read the same sentence three times if I don't get its meaning easily.
  4. When I get a text, many paragraphs appear on my screen at once, so I can just take a two-second look and tell whether the article is about a matter of interest to me or not. With a podcast, I have to listen to it for thirty seconds or more to be sure.
  5. If I am looking for a precise subject, I can press Ctrl+F and look for a word in a text. The same is not possible in a podcast. In most cases, I can search the content of the text directly from my search engine. The podcast is not integrated with search engines.
  6. I am a fast reader, I can read and understand a text three times faster than a good speaker speaks it. (And if he spoke it so fast, I would probably not understand him...)
  7. When I read news, I have ten tabs open at the same time, an RSS reader, a few PDFs loading... Podcasts are using my bandwidth for something that could be done in a few hundred bytes! I call it abusing my bandwidth.
I hope the fashion of reporting news in podcasts will decrease with time. Who knows?

Wednesday, April 29, 2009

Acrobat Reader blocks my audio system, WTF?

I wanted to play a song (yes, I have a legally bought copy from which I made the mp3) in mplayer and got the following result:

    $ mplayer "01 - Adiemus - Karl Jenkins.mp3"
    [...]
    open /dev/dsp: Device or resource busy

After some research, I found:

    # lsof /dev
    [...]
    acroread 32723 christophe 61r CHR 116,33 11606 /dev/snd/timer
    acroread 32723 christophe 62u CHR 116,16 12023 /dev/snd/pcmC0D0p

An open document in Acrobat Reader was blocking my sound system. Why? No idea. I closed Acrobat Reader and opened it anew: no problem anymore.

For reference, it's an Ubuntu 8.04 on a PC, with a typical AC97 integrated chip. Package alsa-base is 1.0.16-0ubuntu4 and Acrobat Reader itself is 7.0.

EDIT1 30/04: I should say Adobe Reader, not Acrobat Reader, the former name.
EDIT2 30/04: The package acroread is version 7.0.9-0.0.ubuntu0.7.04+medibuntu2

Friday, March 20, 2009

10,000 Romanians spied upon by their employers

The news comes from the daily newspaper cotidianul.ro (RO).

The application is named Cyclope, developed by Amplusnet, a Romanian company, and works on all Windows workstations. It reports things such as the time spent on certain file types and the time spent surfing the web, and integrates with notions such as overtime hours, in order to provide HR with detailed information, not only at the statistical level but also at the personal one.

The current monitored population is roughly 10,000 employees in Romania and, according to Amplusnet, 50,000 employees in other countries.

Let's take this opportunity to remind readers that such spying upon employees is not legal everywhere. In Europe especially, various laws exist to make sure that the workplace doesn't become a hell. In France, the monitoring of employees is allowed only within a very strict legal framework (FR). In Switzerland, spying upon employees at work is completely illegal (FR). In Romania, there is more subtlety. Cristian Ducu has examined the matter (RO).

Monday, November 17, 2008

7^W12 years old vulnerability

I blogged last week about Microsoft patching a seven-year-old vulnerability. Was irritating.

According to Sid, the vulnerability has been known since 1996. (The link is in French.) 12 years old. Is irritating.

Thursday, November 13, 2008

Desperate security guy

In case you missed it, Microsoft released a patch for a seven-year-old vulnerability. In short, Windows file servers could be hacked into by just about any attacker with a tenth of luck and a hundredth of patience.

Well.

I'm often grumbling against Microsoft behaviour concerning security, but that goes too far. Once more.

Monday, November 3, 2008

Decrease in vulnerabilities: a myth

Joseph Tartakoff just published statistics about the number of vulnerabilities in Microsoft products. They have decreased by 38% in six months. That seems to be good news, for sure, yet I would like to underline two not-so-good elements of explanation for it:
  1. It's possible that the number of vulnerabilities decreased simply because the guys looking for vulnerabilities (either white, grey or black hat) don't focus on the operating system that much anymore. Online applications have come to replace a lot of our previous applications.
  2. It's possible that the numbers don't reflect the actual numbers of vulnerabilities, because found vulnerabilities are sold to the underground of black hats, and not published in the open.
Furthermore, Joseph Tartakoff emphasizes the fact that Vista gets fewer vulnerabilities than XP. This is quite normal, as the very low adoption rate of Vista makes it a less interesting target of analysis both for security people and for attackers.

I am quite skeptical about the interpretation of any vulnerability statistics. Unless the numbers were zero or infinite, I don't think we can get anything productive out of them.