So the Hokkaido G8 has food security, climate changes and oil prices in a prominent place of its agenda.

Bush has made accountability a major theme for this year’s G8 meetings, arguing that “we need people who not only make promises, but write checks, for the sake of human rights and human dignity, and for the sake of peace.” The G8 includes Britain, Canada, France, Germany, Italy, Japan, Russia and the United States.

G8 leaders are expected to address an array of political, security and economic issues when they meet for three days. “We expect that they will discuss a broad range of issues, including development, Africa, food security, trade and investment policy, energy security, climate change and issues relating to the global economy, including oil prices.

Obviously, we expect the very same people who became insanely rich thanks to these “issues” [1] to clean up their profitable mess and save the world.

We expect politicians whose careers and positions are entirely built upon terror to fight it.
We expect governments driven by ruthless corporate interests to regulate for a planet-sustainable economy, which may require profit margin reductions or even degrowth [2].
We expect oil companies, mercenary armies, reconstruction contractors and weapon manufacturers, which, rather than bribing the people’s elected representatives as they used to in the past, nowadays have their executives placed directly in key government roles as an obscene parody of democracy, to shoot themselves in the foot.

Just like expecting anti-virus vendors to push technologies and approaches that make our information systems really safer, or Microsoft to promote open (web) standards.

Notes

[1] An interesting and very well documented paper titled Who benefits from GM crops: the rise in pesticide use explains clearly how technologies advertised as a remedy against world hunger are, in reality, making the problem far worse.

[2] The linked article is the first Google Search result in English for “Degrowth”, and likely a good introductory resource. While both Italian and French Wikipedia sites have articles about this topic, I could not find anything on the English site. Why?

I’m happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not to notice the resemblances of “XSS Filter” with NoScript’s Anti-XSS Protection, the most striking being their non-blocking approach: loading the target page in a “neutralized” form and emitting a warning as an info-bar, which doesn’t require interaction and therefore doesn’t necessarily interrupt the user’s workflow. But that’s fine: in fact, under the hood, their filter looks considerably less sophisticated than NoScript’s InjectionChecker engine, as it is based on a limited blacklist, apparently targeted at the most common reflective XSS attack patterns as seen in proofs of concept:

The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea. […]
The fact that our filter effectively blocks the common “><script>”… pattern we see most frequently in Type-1 XSS attacks is inherently a step forward. Pushing that further and blocking other common cases of reflected XSS where possible, as the XSS Filter does, is extra goodness.
Caveats aside, it will be great to see the tens of thousands of publicly disclosed Type-1 XSS vulnerabilities indexed on sites like XSSed.com simply stop working in IE8.

And there I started smiling: you realize, guys, that those listed “on sites like XSSed.com” are not “XSS vulnerabilities” which will “stop working in IE8”, but just minimal exploit test cases, <script>alert("XSS")</script>, which can be refactored and obfuscated in endless ways to obtain the “IE8 compatible” certification. Yeah, it will be great to see.

Anyway, such a feature being deployed as a built-in of a popular browser, rather than as an add-on for an awesome browser, will likely keep script kiddies busy for a while, maybe taking a filter evasion crash course. I just hope it won’t give some site owners an alibi not to fix their bugs, though, putting a “This site is best viewed with IE8” badge next to their McAfee Hackersafe logo.
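As an added example (not code from this post, from NoScript or from the IE8 filter): a small Python model of the contrast drawn above, a substring blacklist for the quoted “><script> pattern beside the fix a site owner should actually ship, output encoding, checked against the post’s own minimal test case.

```python
import html
import re

# The literal pattern the announcement says the filter blocks, modelled as a naive
# substring blacklist. A simplified stand-in, not the real IE8 XSS Filter logic.
BLACKLISTED_PATTERNS = ['"><script>']


def naive_blacklist_blocks(value: str) -> bool:
    """Return True if a substring blacklist of this kind would flag the request parameter."""
    return any(pattern in value for pattern in BLACKLISTED_PATTERNS)


def vulnerable_page(name: str) -> str:
    """'Before': the server reflects the parameter into an HTML text node untouched."""
    return f"<p>Hello, {name}</p>"


def hardened_page(name: str) -> str:
    """'After': the same page with output encoding for the HTML text-node context."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def injected_markup(rendered: str, template_tags=("<p>", "</p>")) -> bool:
    """Detection check: any tag other than the template's own means input became markup."""
    tags = re.findall(r"</?[A-Za-z][^>]*>", rendered)
    return any(tag not in template_tags for tag in tags)


# The minimal test case quoted in the post; note it does not contain the "><script> prefix.
PLAIN_TEST_CASE = '<script>alert("XSS")</script>'
```

The blacklist matches its own pattern but not the plain test case, while the encoded page renders the very same input as harmless text.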

Final thought: echoing the news on his blog, RSnake did swiftly mention NoScript (thanks), but at the end of that post, calling for adoption of his own bright Content Restrictions idea, he forgot to say that one (experimental) implementation already exists… Do these cross-site scripting filters suppress legitimate cross-site references as well? ;)

[Figure: Share of most secure browser versions]

According to an independent study by Google Switzerland, IBM Internet Security Systems and CSG ETH Zurich, Mozilla Firefox users are the safest among web surfers (on average), because they are more likely to be running the latest and most secure version of their browser.
This research analyzed the user agent headers sent with Google search queries between January 2007 and June 2008 (lots of data points!), finding that more than 83% of the surveyed Firefox browsers were up-to-date. Safari scored 65.3%, Opera 58.1% and IE, not surprisingly, was the worst with 47.6% (it should be noted, though, that IE6 has been considered, rightly, an “insecure version”).
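The study’s method in miniature, as an added example that is not the study’s own code: classify User-Agent strings, compare each against an assumed “latest release per major version” table, and compute the up-to-date share per browser family, treating a whole major version (IE6 here) as insecure even when fully patched. The sample user agents and the version table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of User-Agent strings (not the study's data).
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Opera/9.27 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 "
    "(KHTML, like Gecko) Version/3.1 Safari/525.13",
]
# Assumed "latest release per major version" snapshot (hypothetical, not the study's table).
LATEST = {"Firefox": {2: (2, 0, 0, 14)}, "MSIE": {7: (7, 0), 6: (6, 0)},
          "Opera": {9: (9, 27)}, "Safari": {3: (3, 1)}}
# Major versions counted as insecure even when fully patched (the study did this for IE6).
INSECURE_MAJORS = {"MSIE": {6}}
UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "MSIE": re.compile(r"MSIE (\d+(?:\.\d+)*)"),
    "Opera": re.compile(r"^Opera/(\d+(?:\.\d+)*)"),
    "Safari": re.compile(r"Version/(\d+(?:\.\d+)*) Safari/"),
}


def classify(ua):
    """Return (browser, version tuple) or None for user agents we do not model."""
    for name, rx in UA_PATTERNS.items():
        m = rx.search(ua)
        if m:
            return name, tuple(int(x) for x in m.group(1).split("."))
    return None


def is_secure(name, version):
    """Up to date for its major version, and the major itself is not deemed insecure."""
    if version[0] in INSECURE_MAJORS.get(name, set()):
        return False
    latest = LATEST[name].get(version[0])
    return latest is not None and version >= latest


def up_to_date_share(user_agents):
    """Percentage of surveyed browsers, per family, running a secure version."""
    counts = defaultdict(lambda: [0, 0])  # family -> [secure, total]
    for ua in user_agents:
        parsed = classify(ua)
        if parsed is None:
            continue
        name, version = parsed
        counts[name][1] += 1
        counts[name][0] += is_secure(name, version)
    return {name: round(100.0 * secure / total, 1) for name, (secure, total) in counts.items()}
```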

The most important factor in this achievement is probably Firefox’s streamlined patching process, which is painless and hard to avoid: in fact, security updates are downloaded in the background and proposed to the user as soon as they’re ready. The user can refuse to install them (e.g. so as not to interrupt their work), but as soon as the browser restarts they get installed nonetheless.
There’s obviously room for improvement. For instance, upgrading requires administrative privileges. Therefore, a warning to low-permissions users saying something like “You’re running an outdated version of Firefox, please ask your administrator to upgrade” would be helpful. But even so, Firefox already shows a stunning lead over its competitors.

One of the declared limits of this study is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either manually, from the Tools|Add-Ons|Plugins panel, or automatically through a centralized blacklist. Last but not least, if you’re really security minded, you can always adopt a whitelist approach.

Researcher NKTPRO does not like the way Yahoo! manages security reports.

Last year he discovered an XSS vulnerability in Yahoo! Mail, allowing attackers to steal Yahoo! accounts. After asking for “para-legal” advice, he decided to do the right thing and go for responsible disclosure. Communication was described as “very good” in the beginning, but almost two months later it wasn’t clear whether the bug had been fully fixed yet, and in any case no public acknowledgment of the problem nor credit to the reporter was given.

By contrast, Google maintains a dedicated communication channel for security researchers, is known to fix reported issues very promptly and publicly thanks reporters.

Some weeks ago, NKTPRO found another XSS vulnerability affecting Yahoo! blogs, and this one was even worse: persistent, CSS-based and working with IE6, IE7 and Firefox 2 (unless NoScript was installed), it could enable attackers to build worms spreading through Yahoo! networks at a potentially very fast pace. Since our hero is apparently a nice guy, he decided to give Yahoo! a second chance, filing a responsible report again. But after waiting one month, frustrated by his counterpart’s expected (lack of) responsiveness, he gave up and went for full disclosure, greeted by the almost unanimous approval of his fellow sla.ckers.

After full disclosure, the one-month old bug has been fixed in 3 days.

“Full vs responsible disclosure” is a potentially endless debate, but here we can see two different “corporate styles”, Yahoo!’s and Google’s, eliciting different reactions from whitehat hackers and ultimately leading to different results:

  1. You can be open about your issues and your security processes, and “reward” reporters, not necessarily with money prizes, which may become dangerous when they feed an anonymous, uncontrolled vulnerability brokerage market. Most of these guys would just appreciate their name attached to your security page, for the glory and something interesting to add to their CV. In turn, you get valuable bug reports with practical proof of concepts, and a reasonable time frame to make your users safer and run regression tests.
  2. Or you can decide to discourage confidential reports, either by threatening legal consequences for “testers” or just refusing to give public credit for their findings. It can work once, but as soon as it’s clear that responsible disclosure is not an option, you will be forced into tracking every full disclosure forum out there and playing catch-up in a rush, because your vulnerabilities are already public and script kiddies may be busy with your users (good luck with code quality).

So, “big brother” concerns aside, do you feel safer with a Yahoo! Mail account or a GMail one?

I’m a very lazy geek, of the funny kind who tries to automate every repetitive task, usually ending up spending more time coding the automation script than doing the job manually :)

However, today I wanted to install a Thunderbird add-on called Clippings for managing semi-canned responses (such as “Please read FAQ x.y” or “Thank you for your report, I’ll investigate this issue and let you know ASAP”) to the tons of always welcome support email inquiries I get.

Now, according to AMO, installing a Thunderbird add-on is quite a daunting task in my eyes:

How to Install in Thunderbird

  1. Right-click the link below and choose “Save Link As…” to download and save the file to your hard disk.
  2. In Mozilla Thunderbird, open Add-ons from the Tools menu.
  3. Click the Install button, and locate/select the file you downloaded and click “OK”.

I don’t know your tastes, but searching my filesystem(s) for a file I’ve just saved from a different application (especially when the file browser lacks auto-completion features) is one of the most tedious activities for me. I’d also hate leaving random XPI files here and there on my hard disk…

So I just rebelled and tried something slightly different:

  1. In Mozilla Thunderbird, open Add-ons from the Tools menu.
  2. From Mozilla Firefox, drag the “Download Now” link and drop it onto Mozilla Thunderbird’s “Add-ons” window.

You know what? It worked just fine, with no filesystem round-trips!

As a bonus, here’s something you may or may not know about installing Firefox add-ons from sites which are not on your installation whitelist (i.e. every site except addons.mozilla.org, by default).
When you try, you get a yellow warning saying installation is prevented, and a button to override the block.
But rather than clicking and being warned, you can just drag the install link and drop it onto your location bar (the Awesome Bar): this entirely skips the warning.
Quick, clean and safer* :)

* Notice: Firefox 3 features a significant improvement over Firefox 2: the notification bar contains an “Allow” button to permit just the current one-shot installation, rather than the old “Edit options” button to modify your whitelist permanently.
