Category: Life, the universe, and everything…

I was having lunch today at a nearby Chinese restaurant. I was seated next to some young folks who were loudly having a biology discussion. I tuned in because I’m a geek, but I kept my mouth shut after I heard one bad science moment after another.

Unfortunately, the discussion quite quickly changed from being a biology discussion to a metaphysical discussion about whether mitochondria see us as the parasite or vice versa. Whilst I am not a biologist, I do receive “Nature” and therefore have the right to blog mindlessly on this topic and any other science related topic.

From what limited understanding I scraped from the Wikipedia article, mitochondria and us are at best symbiotes, but the reality is that without mitochondria we would be nothing and without us, our specific types of mitochondria would not exist. Therefore, I doubt the mitochondria fear me any more than I fear the trillions of them running around my body right now.

In the next few minutes, the discussion on the next table did not get any closer to making any sense. In the end, I realized that they were design students (I am lunching near Madison Ave). Nothing wrong with design and fashion per se beyond its obvious superficiality and banality, but it’s obvious that science is not a part of their education.

I wonder about this country’s long term future. The USA needs folks who at the very least understand science and do not fear it.

This is the one year anniversary of being diagnosed with type 2 diabetes. It’s been an interesting year, and I’ve learnt a lot about what it means to have diabetes, and it’s definitely impacted my diet.

The biggest change is a sad one for me – some of my favorites are simply not good for me. I can’t eat a bunch of stuff, including white rice (> 200 mg/dL blood glucose for even small amounts), which eliminates so many foods and makes eating commercial asian food basically off limits. Pretty much everything white – white flour, white bread, sugar, potatoes, etc, is off limits.

Another loss, which I feel sad about the most is alcohol (I do have the very occasional drink, but I’ve had less than 1 litre of alcoholic drinks in the last year, mostly beer, and I usually pay at the finger jab for it too).

In some ways, knowing that I have diabetes helps explain some of the things I have had wrong with me for a while, but in other ways, I’m sort of frustrated as I’m at the very low end of the diabetic scale. My A1C is 6.1 for several endocrinologist visits. I’ve been put on some interesting medications, including one that helped me mostly get over my needle phobia. Nothing concentrates the mind more than having to inject yourself three times a day. However, that med made me feel quite ill, so I was able to stop it.

The one disappointment is that I’ve not had much luck in losing weight, which is a key component of getting off the various medications I’m on. I really need to spend way more time at the gym as my diet is optimized to the point that I’m no longer losing weight by eating less (and different). My body is extremely good at making me awesomely tired and exhausted rather than giving up the fat reserves. The only way to beat this thing is get the metabolism moving. I hope this time next year, I will have better news on the weight front. The good news is that I now fit into the clothes I came to the USA in, but that’s not as good as I wanted or expected of myself.

From time to time, I look at WordPress, which as you may have guessed, runs my blog. It’s had a spotty security history. If I can find something in a few minutes, I’ll help out as it’s my data at risk.

But then they go and do this:


<?php

<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e= ... crap deleted ...split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">▌</blink>
EOEE
,
dvortr( 'Eabi.p!' )
);


So what does it do? Let’s undo this obfuscation one thing at a time:

The Caesar Cipher was easy – I created a new PHP file with the dvortr() function and the strings to be decoded. They came out as:


Don't let this happen again. Go Back.
Danger!


The packer was also easy, I changed the code to pump out the HTML on the command line, plonked that back into Eclipse, and changed the definition of eval to alert, one of the more evil / stupid things JavaScript can get up to:


eval = alert;
eval(...)


I then copy and pasted the code in the alert pop up and re-formatted it in Eclipse.

Guess what? It’s got another layer of obfuscation, again using the same crappy caesar cipher. Figuring out the strings and what it does it pretty easy from that point on.

Interestingly, when Firebug stumbles across code it thinks is compressed JS, it stops showing you the code. WTF? You can still step through it one line at a time, but the compressor is NOT a security mechanism, and hiding it will not stop me. I will report a bug with the Firebug team as stopping the display of JavaScript is a defect, not a feature to protect the revenues / reputations of compressors.

So, decoding in multiple passes, the final output is this:


Self-comparison detected.
Initiating infinite loop eschewal protocol.
Self destruct in... 3
2
1


It’s an easter egg error message when a revision comparison fails. Or something like that. This is completely unnecessary – there’s no dark secret here requiring this level of sneakiness, and it’s an excellent place for malicious folks to hide attacks.

The code is so obscure, that no static analysis tool can inspect it, or security auditor would normally take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted, or a fake version comes out. 

I really wish that folks who think this sort of thing is necessary really stop to think about the amount of time it took them to craft this particular gem

It would be best to delete this – and every other WP easter egg – now before it infects any 2.7 installations. Easter eggs are incompatible with secure software.

I’m repro-ing this from the OWASP Top 10 mail list. I would like to hear folks’ thoughts about what I have included, taking into account that this is designed to be a standard, and not just a guide.

The OWASP Top 10 Coding Standard

I’ve been working on this on and off (mostly off) ever since getting a few comments back in 2005 that the Guide was too big. The big idea is that it’s short and every single item is actionable. If it’s not actionable, it’s not in there. It doesn’t try to fix everything, just the 80-90% of things that really bite folks. Looking through the breach chronology, I think if folks had to stick to this list, they would have been safe, or at least a lot better off.

My goals are

* Scalable – works from a single open source developer through to major enterprises through to huge ISVs
* Applicable – nothing in here is because I wear tin foil underwear, but because it’s essential for a secure app – the omission of that one item will create insecurity
* Easy to apply for new code – the proper way should be the fastest, easiest way to do it right without causing performance issues
* Not hard for old code – the controls in here are going to be a stretch for the billions of lines of existing (crap) code. We can’t ask all that millions and millions of lines of COBOL or Java or C# or VBScript or PHP to be secure overnight. It’s not possible.

To make it scalable, I propose a self-rating system, where single developers and small groups can state up front that they’ve complied with the small group version, with the sole exception of framework authors, who would have to comply with all relevant sections. I’m sick of frameworks being insecure because they can’t be bothered or believe (wrongly) that it’s not their problem. If you’re a framework / library author, such behavior / attitudes are criminally negligent as far as I’m concerned (Jack Slocum – I mean you! http://extjs.com/forum/showthread.php?p=68097#post68097 ). Large ISVs and enterprises have no excuses as they can generally afford this stuff; it’s just as cheap to do it the right way as the wrong way. Just pick those controls that are essential for the risk level and do them.

My current outline is:

1. Secure Development Lifecycle Best Practices
– Discussion about SDLCs and ensure that folks have one
– Development methodology – mandatory. Just pick one, add security as necessary
– Code repository – mandatory. I never seen secure code without one
– Defect tracker – mandatory. I never seen secure code without one
– Peer review of checkins and break the build check in policy – nice to have
– SCA tools – nice to have
– Way to report security bugs – nice to have (although required by some RFCs)

2. Secure Architecture and Design
– Apply Security Principles to your design
– Apply Risk Management to your design
– Picking and implementing the correct controls for your app
– Architecture Reference Model for Initiator / Approver / Receiver transactions
– Architecture Reference Model for privileged CSR, admin features / apps
– Documentation – mandatory. Secure apps have documentation

3. Authentication
– Evidence of identity
– UML Sequence diagrams for common login and credential management scenarios for two factor, trx signing and SMS authentication
– UML Sequence diagrams for low value login and credential management scenarios using passwords. This has in-built countermeasures for brute forcing, etc
– Prohibition against questions and answers (this is how Sarah Palin was attacked. I’ve been railing against them since at least 2004 – see the Guide 2.0 drafts and final text)
– Prohibition against CAPTCHA if disabled access is required (usually is)

4. Access Control
– Create an access control matrix for each secured function and secured resource
– Deny all by default
– Principle of Least privilege
– Fail closed
– Environment Access Control
– Controller / Business Logic Access Control
– Data Access Control
– Access Reference Maps
– Presentation Access Control

5. Validation and Encoding
– Validate from all sources (trust boundaries, where and how much to validate at that layer)
– Canocalization
– Input validation methods (positive validation only, how to validate text fields, fail safe, etc)
– Output encoding (ESAPI like – encodeForJavaScript, encodeForXml() etc)

6. Data Protection
– Define a Collection and Retention of Sensitive Data Policy. Stick to it
– Protect Data at rest (what to encrypt and where, backups)
– In transit (SSL, IPsec, etc)

7. Securely Accessing Services
– Ajax and JSON
– REST
– Web Services (WS-Security)
– Operating System
– Databases (use only safe mechanisms, low privilege access)
– Directories
– Message queues and reliable messaging mechanisms
– Mainframes

8. Accountability
– Error handling (fail safe / closed, etc)
– Logging
– Auditing

9. Debugging, Testing and Maintenance
– Do not deploy test or debug code into production
– How to fix security bugs once and properly
– How to write security tests for fixes
– Prohibition against Easter eggs and magic modes

10. Testing and Assurance
– How to build up assurance
– Doing your own security tests every build
– When to get a SME involved
– SCA tools – nice to have
– Dynamic tools and services – nice to have

Obviously, this is starting to look like the Developer Guide 3.0. I’m not sure that it can be done in any less volume, but we should try, especially as the non-control stuff in the Developer Guide 3.0 is going to the ADSR, the Testing Guide and the Code Review Guide.

Thoughts?

Well, I’ve had the snip, which apparently is surprising to most of the folks who know us.

Both Tanya and I are pretty darn clucky. We want more kids. But there’s this huge issue we can’t get past – Tanya’s health is just not going to get any better any time soon. Her arthritis is looking like it is staying, and her meds to maintain a moderate level of activity are simply incompatible with a pregnancy. We were very lucky with Mackenzie that she wasn’t deformed or brain damaged or dependant. We can’t knowingly do that again to another child as it’s not our life we would be affecting.

After a couple of close calls recently, where there were two terrible choices – either Tanya going back to Australia with baby girl for nine months of bed rest at her parents and 10-15 hurls a day with the associated forced weight loss, or aborting, which both Tanya and I are against. We had to make a tough decision.

So here I am.

It’s not as bad a pain as I thought it would be, but it certainly wasn’t without it’s scary moments.

I’m not good with needles, and I’m sort of glad I was put under as I don’t think I could have coped with the normal process, which involves a needle to the each site to numb the skin, and then a big needle full of local to each of the testes so you can go home in some comfort before the real pain sets in. I don’t care if you’re brave or not, that’s just one big needle I could not face.

The biggest problem so far is getting up. You can’t lift more than 15 lbs, which is about 7 kg. Baby girl currently weighs about 10 or so kg, so basically I can’t lift her. I can’t easily lift me either. So getting up and down is a painful experience.

I’m resting comfortably. After 24 hours, the pain is manageable, and most likely I’ll be completely okay by Monday or Tuesday.

We took Mackenzie to the pediatricians today. She did real well – even the vaccinations she only screamed for a few minutes. 

Here’s a few very recent photos for you!

• The first image is her sitting. By herself. At 3 and 3/4 months.
• The second image is her out on the porch wearing her snazzy new sunnies from Rebecca.
• The third image is her holding her own full bottle and drinking away without that much help. She’s been able to do this for a while, but we’ve not always had the camera to prove it

I’m currently in Colorado Springs doing some training for a customer.

The flight in was long – nearly 12 hours all up from the east coast, all told including delays and running to make my little rubber band plane connection. It takes only another 15 hours to make it to Australia. The puddle jumper was funny – as soon as we had finished climbing out of Denver, the hostie announced we had commenced our descent into Colorado Springs.

It was surprisingly cold. I suppose the wind and snow should have alerted me, but the last time I was here in late August / early September, it was over 30C every day.

I love coming here. Not only do we have a family friend (Hi Michelle! Hi Justine!) who lives here, the scenery includes Pike’s Peak dusted in snow outside my bedroom window every morning. You just can’t beat that.

I don’t think I could live here, though. I’m used to fast paced life, and things move at a leisurely pace, commensurate with Colorado Springs’ diminutive size.

In 2007, I realized I am not particularly good at prioritizing what time I have available. In true geek style, over the Christmas break I looked at all the recent time management fads to ensure I picked the laziest/easiest/geekiest (pick two), and found 43 Folders, which is based upon a slightly older – and dead tree form fad – Getting Things Done (GTD). The only downside to this particular fad is the fan boys are positively frothing at the mouth, which is what scared me off Python and Ruby on Rails. Rabid adherence is never a good sign. However, the things they want you to do are pretty simple, which is what attracts me to it.

43 Folders is a bit structured for this unstructured procrastinator. With procrastination, it’s not about “doing X now, but sometime in the future”. As any true procrastinator knows, there is an infinite range of substitute activities instead of “doing X now”. So don’t think I’m lazy, for I’m not. I just don’t achieve as much of the things I actually care about as I want. And with married life and a new daughter in a new country, the time I have available is dramatically reduced to when I was a bachelor cat slave back in Melbourne.

So far, I’ve:

• Cancel Something I’m no longer on the OWASP Board. I have totally given up the idea of writing another book for a while. I’m seriously thinking about giving up updating the next edition of the OWASP Guide as it’s just as much work (if not more) than writing a 300+ page book from scratch
• Replace a Project. I’ve picked a few things I love doing, and I’m going to find ways to do these first instead of things which interest me less. Obviously, family time comes first, but in what time I have remaining, my life should be fun and enjoyable. There’s no point in busting a gut to do something I don’t really enjoy. I’ve still yet to really do the maths to work out what makes me happiest, but once I do it, there will be a few more departures
• Time to declare DMZ E-mail Day (again)

So today, it’s DMZ E-mail Day on my renewed quest for Inbox Zero. I’ve archived all my work and personal e-mail for 2007. If you haven’t got a response from me for something, it’s time to re-send. 

It’s that time of the year again. In my previous list, it turned out I did some of the things I said I would, and a lot more besides.

In 2008, my desires are:

• Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife
• Lose some weight and mean it this time. What New Year’s Resolution is complete without this one?
• Finish at least one piece of first class research in the web app sec field

Although my time will now necessarily be limited out of hours, I think it’s better to complete one or two really good ground breaking ideas than to spurt the same old, same old things over and over again. I think many of you know what I’m currently researching, and I hope to finish that by the end of the year.