Articles

2008-05-24

Open Source Software and You: Part 1

What is it and what's in it for me?

Open source software is more than freeware - it is software which is written under a license which allows access to its underlying programming code.

Note: developing your web application with open source technology does not mean your own proprietary information or logic have to be made open or revealed in any way.

You would be surprised how much source code does for you even if you don't read it.

When the source code for a technology is open it is:

1. virtually impossible to conceal spyware, rootkits or other malicious intents
2. possible for very broad collaboration to improve and update software

The first item is quite unique to open source software.

With the increasing deployment of spyware, not only by hackers but by a growing number of established computer software and hardware vendors as well, you are being watched and monitored like never before. Perhaps that does not bother you. But if it does, you should take a look at open source.

The second item can be seen when patches are released. Updates keep coming down the pike and people who report security flaws become part of the solution. Patches are often released within hours or even minutes instead of weeks.

In future posts we will discuss how open source software relates to both consumers and businesses.

2009-05-19

Security versus Features - what you probably didn't want to hear

This article could also have been named "Real life versus pie in the sky" and I don't imagine it will win me much popularity, otherwise the material herein would long ago have made it into public advertising.

There is a very good reason why Windows Vista plagues the user with an unending stream of security dialogue pop-ups. Nobody in Redmond was slamming his fist on the boardroom table saying "Let's annoy our user base for no good reason!"

The early versions of Windows were released in a more trusting time, a fact also reflected in other operating systems of that era. One of the things which made it attractive to build software for Windows was the wide range of API's which gave developers generous access to the user's system. These hooks into the system were made available everywhere: user installed software, remote access calls, emails, even web pages! This introduced a wave of application development but it also introduced an era of poor practices.

Queu the hackers. A lot of applications granted themselves administrative access even when it was not necessary. The result was that a hacker could obtain full access to the user's machine by finding an exploit in one of those programs. Users have been trapped in a virtual turkey shoot ever since. Some of the worst API hooks have already been removed. (e.g. incoming email having full access to the user's system) While this has removed some very creative possibilities it has been an absolute necessity.

So how does this relate to web applications? For one thing, the default settings in Internet Explorer have changed so that the entire internet is no longer granted administrative access to a user's computer. I will tell you, a chill ran down my spine back when I first saw how trivial it was to create a web page that could delete critical system files from Windows. That should never have been a possibility but the rush for features obviously superseded long term planning.

Holes have also been found with numerous other web technologies that execute on the client side. And client side execution is popular. You may have heard about AJAX, Flash or applets, all of which execute on the user's computer and inside their firewall. The model itself is flawed and fundamentally unacceptable from a security point of view. I have witnessed some chilling proof of concept code and model attacks. The same technology which supports “drag-and-drop” on web pages can silently cough up your credit card numbers, internal network details or the login for your bank.

The most obvious solution is to nip the problem in the bud and discontinue the path of web delivered client side execution. Continue to use pages and forms (submitted when you decide to) and let execution occur on the remote server, outside your firewall. This gives users the ability to remove vulnerable technology. But sleek sells. In all likelihood we will address problems one at a time and only after serious hacks have occurred.

My own approach is once again to layer technologies. I prefer to have it so that the heart of the web application can function without client side execution. That way users are permitted to make themselves less vulnerable if they so choose. Then client side technology can be layered on top so that the average user (who is unwittingly intrepid) gets their eye candy.

2007-07-10

Is your password putting your business at risk?

So you've got a firewall that could turn back a full scale invasion force. Encryption? Even the Kremlin has trouble eavesdropping on you. VPN, TLS, DMZ - you name a three letter acronym for security technology and you have it. And you certainly remember paying for it.

You're covered right?

It's surprising just how many businesses have addressed all the difficult, expensive aspects of securing their networks only to be made trivially vulnerable by easily cracked passwords. Despite the growing market for security technology, hacking is as easy as it ever was thanks to good old fashioned laziness.

It doesn't help that every web site you use, your business email, your personal email, your company VPN, your ISP, your wireless networks, etc. all have passwords. Passwords, passwords, passwords. Let's be serious for a minute: how can you honestly be expected to remember all of those passwords?

And thus the easy password is born of necessity.

To make things worse, one well memorized password is often applied to as many logins as possible. Obviously this is not the most secure approach.

Jesper Johansson of Microsoft has an interesting solution. Write your passwords down.

If you can keep that information reasonably secured, for example on a card in your wallet alongside your credit cards, you can keep a record of your passwords without leaving them in a place they are likely to be found. Such as the sticky notes found below so many office monitors. Oh dear.

2007-05-31

Web 2.0 - a hijacker's paradise

Perhaps you've heard the buzz around Web 2.0. One can hardly argue that a phenomenon pretentious enough to bear pronouncing a redundant "point oh" at the tail end of a whole integer must be quite important. Indeed it is important, although perhaps not for the reasons one would wish.

First we need to be clear that the term "Web 2.0" has itself been hijacked. At first it referred to the emergence of community driven sites which benefit from user generated content. But lately the term has begun to refer to anything modern to web development, a handy dilution which covers everything from technology to artwork.

Almost any way you choose to interpret the term, Web 2.0 is a hijacker's paradise.

Spammers are using blogs as launchpads. Identity theft no longer requires leg work. And here is the part that concerns all of us: the new breed of web sites are increasingly employing technology that weakens our security.

After studying and considering what some of the brighter minds in this field have to say, I am becoming deeply concerned by the emerging landscape. Let me give you an analogy from the physical world:

One would hardly consider Swiss cheese the most appropriate material from which to fashion a boat. And certainly not a submarine even though it may be quite adept at diving. The challenge with building your craft of such porous material is that you will spend the rest of your life patching it — and even so may experience loss. But if the majority of people started building their boats of Swiss cheese it would, by definition, become the normal thing to do. At that point people building watercraft with wood, fiberglass or metal would concordantly be defined as abnormal. Not a bad "fringe" to belong to!

The thing which startles me is that even after witnessing the security breaches (which are still permeating) from the Windows 95/Outlook era, much of the I.T. world is once again blindly embracing intrinsically weak technology. Some principal software and web service vendors are treating this with a surprising triteness which accordingly keeps a lot of developers in the dark. Perhaps the "head-in-the-sand" approach will luck out, perhaps hackers will refrain from exploiting these new opportunities. The question is, are you willing to bet on it?

I will visit the technical side of this shift and its implications more thoroughly in future articles. But suffice to say, if security is a priority to you, it needs to be a priority to your developer.