Open Source Programming Security Web Development

Enhancing Security With Nonce

A little while back I read about how WordPress was implementing Nonce to help enhance security. What I like about this technique is that it doesn’t rely on referrer checking (which is faulty at best).

Today I implemented that on a project I’m working on, rather similar in style to WordPress. I think overall it’s a better approach to referrer checking. It seems the nonce approach is actually quite popular on the web looking at commercial sites, but not a technique often talked about.

Well done by the WordPress team. My implementation is pretty similar to theirs (my variables and salting are a little different based on the app) since it was pretty hard to improve upon. Not sure how long to make the Nonce, so I stuck with 10, which is what I believe they did as well. Not sure if I should go with something longer.

One of the great things about open source is the discussion of best practices and techniques. It also benefits closed source projects who can gain influence and knowledge from those discussions.
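A minimal sketch of a time-windowed nonce of the kind this post describes, added here as an example (it is not the author's or WordPress's code). The secret, lifetime, function names and the HMAC-SHA256 construction are assumptions; the 10-character length is the one mentioned above.

```python
import hashlib
import hmac
import math
import time

SECRET = b"constructed-example-secret"  # assumption: per-site secret salt
NONCE_LIFE = 24 * 60 * 60               # assumption: valid for at most one day
NONCE_LEN = 10                          # length from the post; 10 hex chars = 40 bits


def _tick(now):
    # Bucket time into half-lifetimes so a nonce survives one rollover.
    return math.ceil(now / (NONCE_LIFE / 2))


def _mac(tick, action, user_id):
    # Bind the token to the time bucket, the action and the user.
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:NONCE_LEN]


def create_nonce(action, user_id, now=None):
    """Token to embed in the form or link that triggers `action`."""
    now = time.time() if now is None else now
    return _mac(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """True if the nonce was issued to this user for this action recently."""
    now = time.time() if now is None else now
    tick = _tick(now)
    supplied = str(nonce).encode("utf-8", "replace")
    # Check the current and previous bucket, each in constant time.
    results = [
        hmac.compare_digest(supplied, _mac(t, action, user_id).encode())
        for t in (tick, tick - 1)
    ]
    return any(results)


if __name__ == "__main__":
    token = create_nonce("delete-post_42", user_id=7)
    print(token, verify_nonce(token, "delete-post_42", 7))
    # The same token replayed for a different action or user is rejected,
    # and nothing here depends on the Referer header.
    print(verify_nonce(token, "delete-post_43", 7))
    print(verify_nonce(token, "delete-post_42", 8))
```
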

Mozilla Security Software

Windows Vista

Foreword: This is somewhat of an informal rant, it’s pretty much my notes tinkering in Windows Vista.

Am I the only one who is not very impressed with Windows Vista? Several things so far have just shown to be a complete turnoff:

  • It warns me about everything. Warnings stink, people just ignore them if they happen too often. This will prove to be effective security for about 2 weeks. After that, people will click OK without reading a thing. I got a security warning trying to show processes from all users in the task manager. Why? How can a Microsoft App not trust another Microsoft App? I’m guessing the next step is a CAPTCHA on each dialog.
  • Learning Curves are evil. The new Save dialog isn’t totally evil, but it’s quasi evil. It took me a few seconds to figure out how it works, and still feels really really awkward no matter what method I use to navigate. On a somewhat related note, took a while to find the familiar command prompt (it’s nested deep in the start menu now). Is there a “classic view” for the control panel like there was in XP? This “intuitive” stuff is just extra clicks and a waste of my time.
  • Despite my best effort, I’m still not sure why I’m denied permission to my own Application Data directory. It’s my data!
  • Start menu with scroll bars? Maximizing a folder caused scrollbars! Oh come on, that’s awkward, as if the old design wasn’t bad, now I have to scroll as well? What I’d really like is programs get sorted by category in the Start Menu (tagging) rather than how the publisher thinks they should be. That way you don’t get programs all over the place.
  • Killer feature? This is my biggest complaint. Other than shiny menus (which I’m not too fond of) and some new icons (which I do like), I don’t really see much in here that says “this is worth money”… not to mention in many cases you’ll want “Vista Ultimate” (or Vista ‘Take a Loan From The Bank’ Ultimate) if you want some of the features from various different editions they will be offering. If they include them all on 1 media anyway, why not let me pay per extra feature? Rather than these bundles? Perhaps I want some of the mobile and some of the business stuff, but don’t need the kitchen sink, dishwasher, and knit toaster cover.

But is there anything cool besides the icons? Well I tried out the new Parental Controls on a profile, and to my surprise, they don’t just affect IE, but everything including Firefox (because it’s likely sniffing the TCP/IP stack like it should). Of course a very fitting screenshot:

Firefox with Parental Controls

And for those wondering, it does give what seem to be pretty nice HTTP Headers, so it would be possible to sniff and serve up our own pretty error pages to keep a consistent UI if desired. I can’t vouch for the effectiveness of the filter, since I haven’t tested it for what it filters, only how it interacts.

So will I upgrade? I’m really not sure to be honest. I see a few things that make me hesitant:

  1. Will my Thinkpad T43 handle it well? Or will it be sluggish and annoying (I’m running it virtualized right now, hence I said nothing about performance). I know the minimum specs are pretty low, but typically the minimum specs are nothing but a pipe dream, nothing you could use on a daily basis.
  2. I don’t want to pay extra to keep the features I have with XP Pro.
  3. Annoyances fixed… the above is really annoying stuff. Really annoying. I don’t think I’d be able to tolerate warnings all over the place. It’s just too distracting if even simple tasks involve signing waivers and sacrificing your first born child.

Perhaps I’m just fussy, or maybe I’m selfish for wanting an easy to use OS, that doesn’t have an abrasive security policy, is secure without locking me out of my own files or nagging me with warnings, and doesn’t cost me an arm and a leg to upgrade my somewhat new (less than a year old) hardware.

As far as next-generation OS’s go, my initial impression says Mac OS X, and Ubuntu still have a lead over Vista. If Apple can get Windows binaries running from within OS X (virtualized as rumored), that could be a crushing blow to Microsoft.

Hopefully someone at Microsoft is listening.

Internet Mozilla Security

SiteAdvisor Spyware Quiz

Site Advisor is running a quiz to see if users can correctly identify sites that ship spyware with their products. A few things crossed my mind while taking the quiz:

The age old method of knowing if an establishment is legitimate is to ask someone who knows, or rely on reviews. In my case I use Google queries, and got 7/8 (simply because I guessed on the P2P programs presented in the end, because I got lazy and it’s getting late). That proved pretty accurate. Just the site name and “spyware” turned up good results each time. Granted that’s more technical than most. I know many who limit their downloads to those offered by more trusted sources (recommended by tech mags for example, or included on CD with them). This test doesn’t really reflect those habits accurately, making more people seem vulnerable.

Why do they have an old version of Firefox for the screenshots (I see the update icon)? Don’t they know running the latest version has more security fixes, and will protect them from known and fixed exploits? I’d expect more from them on that one.

Oh yeah, after you’re done taking the test you can see the analysis of the results, but don’t view that if you plan to take the test or you’ll ruin it. But I know you’re all honest and wouldn’t cheat ;-).

Mozilla Security

Symantec on Firefox vs IE

Many remember a few months ago Symantec came under fire for suggesting that IE was more secure than Firefox, because it had fewer security issues. Immediately many pointed out that Symantec’s methodology in the research was flawed, since they focused on vendor acknowledged security issues. That essentially lets the development teams decide how many security issues they want to have.

Symantec has now revised their research to include how many non-vendor confirmed security issues were reported. This puts things a bit more level of a playing field. Naturally you’d expect Firefox to have more confirmed flaws, because development is transparent. The IE team has the ability to selectively choose what’s “critical”. That’s a big advantage in the old comparison. They don’t seem to declare a “winner”, they just lay out the data.

Moral of the story? Data is only accurate if the research is well done. Symantec realized their research was flawed, and corrected it in a way that seems pretty fair, considering Firefox and IE have totally different development situations.

Security Software

Backdoor? “Over My Dead Body”

Niels Ferguson of the Security Integrity Team had this to say about the idea of a backdoor being implemented in Windows Vista’s new BitLocker security system:

Over my dead body.

Well, maybe not literally—I’m not ready to be a martyr quite yet—but certainly not in any product I work on. And I’m not alone in that sentiment. The official line from high up is that we do not create back doors. And in the unlikely situation that we are forced to by law we’ll either announce it publicly or withdraw the entire feature. Back doors are simply not acceptable. Besides, they wouldn’t find anybody on this team willing to implement and test the back door.

Very good to hear. If there is anything of the sort in Vista, it’s only a matter of hours before someone (bad cop, someone on Vista team) leaks enough info for hackers to figure stuff out. That changes the product from a “security” product to an “obscurity” product.

Security is important in computing. “Backdoor” is just a public relations spin on “security hole”. Nothing less.

Security Software

Norton AntiVirus doesn’t like Windows Defender

I upgraded from MS AntiSpyware to Windows Defender. Seems Norton AntiVirus doesn’t exactly like it. In Norton’s Log Viewer are a ton of the following:

Event Details:
Time: 2/22/2006 8:02:17 PM
Actor: C:\Program Files\Windows Defender\MsMpEng.exe (PID=464)
Target: C:\Program Files\Common Files\Symantec Shared\ccLgView.exe
Action: Unauthorized access
Reaction: Unauthorized access stopped

Not nearly as bad as Kaspersky zapping Microsoft AntiVirus. Hopefully Symantec or Microsoft will get to it soon. Nothing about that in the release notes.

Other than that, no opinion formed quite yet. It has a “new engine” supposedly. Not sure if it will prove any better or worse. I guess time will tell. Doesn’t seem to give as many alerts to the user as the old version did. Personally I liked them, let me know what’s going on. Perhaps I’ll revisit and review it a bit at a later date.

Mozilla Open Source Security

DHS helping to secure open-source software

CNet News is reporting that Homeland Security is sponsoring an effort to secure open source software. According to the article:

In the effort, which the government agency calls the “Vulnerability Discovery and Remediation, Open Source Hardening Project,” Stanford and Coverity will build and maintain a system that does daily scans of code contributed to popular open-source projects. The automated system should be running by March, and the resulting database of bugs will be accessible to developers, they said.

And yes Firefox is listed as one of the projects to be scanned. Thunderbird unfortunately isn’t listed, which personally I think would be a good candidate for this project considering mail clients have been used quite a bit as a point of entry. Since it shares common code with Firefox it still gets some benefit. It says the “resulting database” will be accessible, but I don’t know if that means they will file in Bugzilla, or host their own database which developers need to visit and harvest from.

Personally I think this is great. Getting open source projects an audit like this will enhance security online, so end users will benefit. Hopefully things work out well, and they expand to cover more projects over time.

A criticism of the project is that this only funds finding bugs, rather than fixing them. This isn’t likely to be as large of a problem for Firefox as there are paid staff working on the project. Perhaps bounties will be put out by third parties? Who knows. Hopefully in the end, these products become better.

Security Software Tech (General)

Patch for WMF Exploit is out

It’s officially been released. Anyone running Windows should run Windows Update, or download the patch now. CNet has more info on the topic.

Do not wait. Install, and reboot.

Funny Politics Security Software

Google Earth A Threat

If some of this silliness keeps going on, we’re going to end up having airplanes without windows, because it could threaten security if you look outside.

Perhaps it’s time for some countries to consider building roofs over classified equipment, or perhaps putting a tarp over it. Whatever happened to underground bunkers and camouflage?

Mozilla Security

Reporter, the next generation

Now that I’ve basically stabilized the new reporter tool for the branch, I’ve been planning for what will come in the next version. Quite a few neat little enhancements, some small, some larger.

Client Side

  • Screenshots – you will be able to attach a screenshot when sending a report. The option will be disabled by default (likely a button or a checkbox on send) to prevent submitting screenshots of things you shouldn’t for security reasons, you can send when you want.
  • Remember Email Address – I’ve been debating if this is necessary. It would just remember your email address for you so you don’t have to type it in again and again.

Server Side

  • Adjustable Columns – you can choose what columns to show in the results page, making it much more useful to analyze. [Done]
  • Reporter Proxy – this will give the ability for a company to host its own reporter server, capture reports within their intranet, and forward the rest to the Mozilla reporter server. Perfect for companies who want to improve the Firefox experience on their intranet. [Work In Progress]
  • Screenshots – see above, this is pretty much the same thing.
  • Mark Invalid – some reports are on occasion totally bogus. We don’t need them in the database. We’ll have an option to report bogus reports, and an admin can confirm and get rid of them. This will keep everything as accurate as possible.
  • Bugs for Host – we’ll have the ability to view related Bugzilla bugs on a particular host.
  • Reporter Toys – yeah, I’ve been tinkering. I won’t say what this exactly is, but it’s a variety of extra code and stuff that could be fun to play with.
  • Templating – on the technical side, we’re moving to templates so the HTML is separate. Much easier to manage from a programming point of view. [Done]
  • Bug Fixes – during the above templating, a bunch of bug fixes and other small changes. [Done]
  • Stats – some statistics are always fun to have. Basic right now, we may expand as time and ideas become available. [Done]
  • CSS Design Love – reporter’s webtool is rather pathetic visually. I’m the first to admit it. I’d love an improved stylesheet. Something that makes reporter look cleaner, and more professional.


Some of the server stuff already landed. Some is in the works (in particular proxy). I’m not promising any particular feature in any timeframe at this point. Some of the above may be bumped to another milestone, or scratched altogether. If you have any ideas, or feel like contributing, feel free. I’d love to get some good CSS, or perhaps some patches for reporter.

That basically serves as the roadmap/status update of where the tool is right now. We’ve got some great feedback, and close to 5000 reports already (and we’re only at alpha 2 in the release cycle).