Thought Snack

“You want free speech? Let’s see you acknowledge a man whose words make your blood boil, who’s standing center stage and advocating at the top of his lungs that which you would spend a lifetime opposing at the top of yours.”

~ The American President (1995)

I’m just going to leave this favored quote of mine here as food for thought.

Posted in Random

SOPA Protest

Going dark to protest SOPA; see you on the other side.

Posted in Uncategorized

2011 in review

The stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

A New York City subway train holds 1,200 people. This blog was viewed about 7,400 times in 2011. If it were a NYC subway train, it would take about 6 trips to carry that many people.

Click here to see the complete report.

Posted in Uncategorized

November: A Busy month

So no blogging for a while; it's been a busy month. In addition to being a family man with 3 kids, being involved in Scouting with my son and just general life, it's been a month of traveling.

First, I spoke at SkyDogCon 2011 in Nashville, TN on The Neurobiology of Decision Making (youtube). I was the first speaker and it was my first time speaking at a conference; I was very pleased that it was well received. I met SkyDog at DerbyCon 2011, which was my first small con, and I really enjoyed it. I had easily as much fun at SkyDogCon and really enjoyed getting to spend more time with individuals talking about Mozilla, Firefox and other fun topics. It was also great fun hacking the arduino badges and learning how to pick a lock. The staff treated me exceptionally well, and the speakers were a fun bunch to hang out with. I really hope I get a chance to speak again at next year's con.

The weekend after that I was at MozCamp EU in Berlin, Germany, again as a speaker but more importantly as a member of the Security Team. I really wanted to meet and make some connections with contributors and further the message of “we’re all in this together for the betterment of our users”. It was also a moving experience for me personally: the last time I was in Germany was 1987, and as a 3rd-generation American of German immigrants it was really painful to see Germany divided. I fulfilled a 24-year-old promise to myself to walk beneath the Brandenburg Gate.

From Berlin

Then we have the fall holiday here in the USA known as Thanksgiving. Unfortunately for me I caught some bug in my travels through London and Berlin and was pretty ill. A trip to the doctor for meds, to keep the rest of my family well and not ruin the holiday, used up any time before the holiday; family, geocaching with the kids, socializing and eating ate up the rest of my blogging time.

The rest of my month was taken up by the usual security meetings & Firefox meetings; you know, the get-stuff-built-and-shipped movements.

Thankfully the traveling, meeting, talking and thinking time has left me with many things to talk about. I hope all my readers had as good a month as I did.

Posted in General, Mozilla, Technology

OWASP Louisville Meeting Announcement

Meeting: Louisville OWASP – Nov 11th , 11:30 AM – 1 PM

Meeting Location:
Sullivan University Campus, 3101 Bardstown Road, Room 254, Louisville KY 40205 – (about 15 minutes from the airport…on I-264 East)

When you arrive at the University’s main building, drive around past the front visitor’s doors to the parking area on the right side of the Main Building. Room 254 can be accessed via a back stairway near a break area on the back right-hand side of the building; it is very easy to spot.

Desktop Betrayal: Exploiting Clients through the Features They Demand
In this talk, Tom Eston will explore the use of client features to gain privileged access to client systems. During previous talks around social networks, Tom Eston and fellow security researcher Kevin Johnson discovered that most of the damage they could perform against a target didn’t use an exploit against any vulnerable system. Tom and Kevin were able to create various attacks that made use of features being used on client machines. While this talk will not disclose any vulnerabilities within popular client software, Tom will be releasing multiple attacks that use these clients against their users. Tom will be discussing attacks using JavaScript, HTML5, PDF files, Flash, Data URIs, Web Workers and more. Tom will also discuss code to perform these attacks as well as add-ons to popular tools such as BeEF (Browser Exploitation Framework) that will enable these tools to make use of the attacks.

Tom Eston is the manager of the SecureState Profiling Team. Tom leads a team of highly skilled penetration testers that provides attack and penetration testing services for SecureState’s clients. Tom focuses much of his research on new technologies such as social media, mobile devices and new web technology. He is the founder of which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including DerbyCon, Notacon, OWASP AppSec, Black Hat USA, DEFCON and ShmooCon.

Posted in AppSec, Computers, OWASP

Microsoft’s Browser Security Website / Marketing

Alright, to start this one off I think I need to do a few housekeeping items:
This blog is my opinion, thoughts or whatever you choose to call it. This does not represent the opinion of anyone or any entity other than myself and should not be taken as a position of my employer or the developer community. Yada-yada, you should understand this.

Full Disclosure
I currently work for Mozilla, the group/movement behind Firefox. I have also worked in the past for Microsoft.

Ok, now let's get started. Microsoft launched a site called and right off the bat my first issue is that they did this under a .org banner, which to most people means some nice non-profit is doing this, as that is what .org addresses are for. In my opinion, this is an attempt to hide the true backer of the site, Microsoft. Yesterday when this site showed up it had a nice Windows flag style icon on the bottom (today, Oct-12-2011, this is gone). Unlike most Microsoft sites the Microsoft and Azure items are at the bottom and quite small. Nor does the methodology page ( mention Microsoft. The site does use a “Metro-style” interface, and unless users are familiar with that it means little to them. As well, the methodology doc has the same layout as many Microsoft docs, but yet again unless you are familiar I doubt one would notice this. So right off the bat this began to tickle my thinking.

Also, this site does not really test anything. It takes the User-Agent string from the browser (which can be changed) and returns a pre-built answer for that string. How do I know? Well, I used the User Agent Switcher add-on for Firefox to try this out, and just by switching this string I get different answers. So they could have just as easily produced a chart that showed what they think the outcome is. Also keep in mind this is for Windows only; this does not give a score for other operating systems or OS protection models.

My take did a nice write-up on this as well; since it covered some of this nicely I suggest you read the analysis there, as I don’t want to be repetitive on certain aspects.

So let's take a look at the whole criteria:

Category: Dangerous Downloads

  1. Does the browser help protect you from websites that are known to distribute socially engineered malware?
    • This is a rehash of the NSS Labs Socially Engineered Malware Report; on its face this is a semi-interesting report, but I think it’s also somewhat skewed. I am still working my way through all of this report, but my first concern is around making claims with fixed versions (Apple® Safari® 5, Google Chrome™ 12, Windows® Internet Explorer® 9, Mozilla® Firefox® 4, Opera™ 11) used in the report but using that to infer about newer versions (namely Firefox 4 ≠ Firefox 7 in capability). Our current rapid release process allows us to make all kinds of changes, and using a static set to make an inference about something newer is just not something I can support.
    • Yes, there are going to be differences between SmartScreen in Windows and StopBadware used by others, but to think they would be this large seems off to me; again I need to do more analysis of the methodology. Also, why Firefox and Chrome would be so different in results when using the same list is something that bears more analysis.
  2. Does your browser provide a distinct warning when you download an application that is of higher risk but not yet confirmed as malware?
    • So no, Firefox does not have this capability today and we are looking into adding it. What is it? Well, you take the hash of the file being downloaded; if it’s known to be a problem you tell the user, and if you don’t know, you tell the user. This could be good for users if you actually know something or if they don’t really understand what they are downloading.

Category: Phishing Sites

  1. Does the browser have a feature that can help protect you from phishing sites?
    • Everyone gets marks for this as we all have something, so let's move along.

Category: Attack on your browser and its plug-ins

  1. Does the browser have the ability to restrict an extension or a plugin on a per site basis?
    • This is a point of contention; only IE gets points here. Our plugin model is directly comparable, and this is a relatively important feature. Practically speaking it’s only “more secure” if plugins default to OFF and you let users build up a whitelist, which is NOT what IE does. Chrome sort of does (yes for Java, no for Flash). We definitely have a different extension model. Compare Greasemonkey, where each installed user script has a default list of sites/pages it applies to but the user can manage that list. Given that extensions and plugins are very different, how does one really rate this?
  2. Does the browser have a system for auto updating browser extensions?
    • This is one spot where Chrome and Firefox have a feature that IE currently does not.

Category: Effective Sandbox

  1. Does the browser process utilize Windows Protected Mode or implement a similar mechanism such that browser processes cannot modify parts of the system that it doesn’t have access to?
    • As far as I can tell this is a literal use of the Windows Protected Mode, and no Firefox is not using this today for a variety of reasons.
  2. Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn’t have access to?
    • See #1
  3. Does the browser benefit from Windows operating system features that protect against arbitrary data execution?
    • We do this, why this does not show up for some Firefox UA strings on this site I don’t know.
  4. Does the browser benefit from Windows operating system features that randomize the memory layout to make it harder for attackers to find their target?
    • See answer to 3.
  5. Does the browser benefit from Windows operating system features that protect against structured exception handling overwrite attacks
    • So according to the criteria doc link for this one, this is talking about /SAFESEH; odd that we don’t get a tick here, as we do this on our Windows builds.

Category: Attacks on Websites

  1. Does the browser automatically block insecure content from secure (HTTPS) pages?
    • They are giving points for mixed content handling
  2. Does the browser filter out scripts on the client to help protect against Cross-Site Scripting (XSS) attacks?
    • I think I can concede on this one, even though we do have this feature landing soon.
  3. Can the browser sanitize HTML to remove potentially problematic code?
    • They are giving points for their own ToStaticHTML API usage; we’ve looked at it, but there is no agreement that this is the correct way to help protect web developers from doing potentially dangerous things.
  4. Does the browser have features that websites can take advantage of to help protect you from Cross Site Request Forgery attacks, also known as “Click Jacking”?
    • So we all get points for something that is really 2 different things: CSRF is not “also known as” Click Jacking, so this one just confuses me. In fact these 2 items require very different mitigations.

Bottom Line
So if we look at the “output”, no browser has a “perfect” score; they all have things missing. The great disappointment here for me is that this could have been a very good site to help encourage users who are on any older platform to pick a more modern one for safety; instead this has been warped into what I perceive as a marketing tool to promote IE. This was best said by Maxim on the list:

I’m disappointed that Microsoft is using similar language to OTA’s Why Your Browser Matters campaign to serve as a marketing tool to pitch IE as superior to other browsers. The goal of this campaign was supposed to be to get people to upgrade older browsers to newer browsers, not to push one browser over another.

It’s particularly frustrating that Microsoft misrepresents Firefox as not protecting users from social engineering malware sites. This is patently untrue.


I shall now get off my soapbox for the time being.

Posted in Computers, General, Security

Adjusting My Thinking

I have been spending the last 2 weeks in the office in Mountain View (going home Saturday. Yeah!) and have had some really interesting meetings and thoughts that I think I should talk about. I am going to start with one that occurred today, as I think it’s going to end up possibly changing some of the thinking on other topics.

So I decided to attend the bi-weekly Contribute Group Meeting, which is an open forum where we discuss how we can better engage the Mozilla community in our particular areas of focus. I went into the meeting with the idea that we (the product security team) needed to do more or do something different to engage the community to participate more in the things we are trying to accomplish. I know people care about security here and I have been talking about it on my blog, on the official security blog, on mailing lists, on twitter; but results have not really been evident. We have shared a public calendar so people can see when the meetings are, and the how-to-attend details; and I talk about each week's upcoming meetings in several venues. We make the notes of these reviews public on our security wiki and try to encourage discussion on our open IRC channel #security. But still the best I’ve seen to date is one person who labeled themselves as “lurker” on an etherpad; they did not speak on the call (if they were there), did not participate in the IRC channel and did not type anything in the etherpad. Other than the paid Mozillians who have been invited directly to the meetings, no one else has really been participating. I really do want more participants in our meetings to help give their cognitive power to improving Firefox security.

The meeting turned out to be very impactful, not only in ideas but in how I perceive the company, the community and my role in all of it. The best quotable for me (and this is from memory) came from David Boswell: “Mozilla is a community that has an organization that supports it, not an organization with a community around it“; in essence the company exists to allow some people to be full-time community contributors. It is not above or below or separate from the community but an integral part of it. For me this is a shift in thinking; this is my first experience in open source community development, and being unused to the idea I had been thinking of Mozilla as more of a paid guiding hand, that we were here to make decisions that others maybe could not make and were in some way apart from the community. In the end that change was realizing that I am part of the community, the community is part of Mozilla; they are inseparable, and we need to remember this as we do what we do on a daily basis.

David and I continued our discussion for a bit after the meeting as I was still sort of grasping at this concept, and the last key that brought it home for me is the other passion in my life. When I am not working I volunteer with the Boy Scouts of America; my son is a Cub Scout, I am an Eagle Scout and I want to pay back all the great skills and experiences I had as a young man being a Scout. Much like Mozilla, the BSA is a non-profit and has a paid staff, many of whom also have children who are or were at some point Scouts. We sometimes don’t treat these paid Scouts as we would the full volunteers; there is a mental block of “they are paid so they must be different“, and to be effective in our missions (both BSA and Mozilla) we have to drop this thinking. The paid BSA/Mozilla members are as much the BSA/Mozilla as any of us. We are a community with a goal, and we have roles to play in that community that are based on our talents and desires. This sometimes means that decisions are made by people who are paid and sometimes by people who are not, but they are all the same community and we all need to show respect for all sides in these decisions.

So thanks to all Mozillians and the Contribute Group, you’ve given me something that goes beyond just my work. You’ve given me a mindset that will help me be more successful in communities that drive my passions. And hopefully I can use what I have learned to engage all of my communities more effectively and in a way that helps others have value too.

Posted in General, Uncategorized