A security blog – to be or not to be?

I have been toying with the idea of starting a security blog for some time now. Today, again, I was talking to my colleagues, and at least one of them thinks it is a great idea.

I always look with horror at what passes as security “features” offered to people who are just starting to write websites. The frameworks are no better: they usually ship a long-outdated set of functions, and some of them are defective by design. And there seems to be no place on the whole Internet to turn for help. You would not e-mail Bruce Schneier every time you need to make a password hash, would you?

So I think there must be a place where people can turn for information on how proper security is built: how user authentication should be set up, how passwords are stored, what a good and a bad implementation of a “remember me” function look like, and so on. Something has to be done to improve the security of all those start-up websites coming online by the thousands every day. Even old companies, like LinkedIn and Citibank, get hacked because they do not do it right. Help with security must be provided somehow, somewhere.

Isn’t there such a place already?…


Jacek Lipski – a LinkedIn spammer

I am usually not one to indulge in public bashing of people even when they obviously misbehave but this time I am somewhat annoyed. This guy, Jacek Lipski, indulges in spamming the LinkedIn members in a very irritating manner and tops it off with a ‘fuck you’ attitude. So he deserves a mention for the annals of history.

So, here is the story. LinkedIn is a rather well behaved community. It is mostly for talking about work and business related things, at least that’s the perception, kept up by the service. Therefore you do not expect someone to send you a “friend invite” in order to peddle his wares. Well, not Jacek Lipski.

You see, Jacek Lipski has some kind of a company that he wants to sell but there are no buyers, understandably. So what does the guy do? He sends you an invite on LinkedIn. You think, “well, all right, he maybe wants to talk about my interests in security or just follow what I do” and you accept. And here you get hit with an offer to buy his stupid company.

I complained right back saying that this was not a good behavior, in my opinion. The answer I got back is as close to “fuck off” as one can get:

I am not interested in your private feelings.

Let me explain by analogy. You have an old rusty Chevy from your grandfather that no one in his right mind would even look at. So you come up to people in the street and beg them to buy it. They rightly tell you off. And what do you do in return? You tell them to fuck off, of course! That’s the same here, only Jacek Lipski is apparently not afraid to get punched in the face.

Well, tell you what. Maybe one day one of his victims will come across him in real life…


Cultural change through the prism of movies

It is so strange to see some old movies nowadays. They have all the “wrong” values in them, did you notice? They teach being assertive, bold, funny, arrogant and non-compliant. That is totally not what we see these days; now it is all either fancy fantasy stories, or all sex and “regular life”. The movies nowadays do not give up on principles and values (who would watch them then?), but instead they place them in stories that you cannot really associate yourself with. And the values you can associate with are totally different: being soft and understanding, suffering for your country or your family, and so on.

If we accept the premise that all movies are a channel for brainwashing the population, just like every other public communication channel, we would have to ask ourselves the question “Why?” Why is it all so different? Why is this change of values propagated to the population? What are we being prepared for if we need to follow these patterns of behavior? Can you answer?…


Back to square one

I am officially announcing that the idea to write in two places just because of the language difference was a stupid one. So we are back to the square one blog, and I hope having a multilingual blog makes it all the more exciting. Who wants to bet that I will now start writing in all the other languages I know as well? どうですか? (How about that?) :)…


Google quality

Am I the only one who noticed that the quality of service at Google suddenly took a nosedive? I mean, it still works, sort of, most of the time, but it is not quite the same.

Google used to be very snappy and the interface was very crisp. All elements worked flawlessly and the response was immediate. Now it is all starting to fray at the fringes. It is not so snappy, the code is not that crisp, it fails more often than not and you spend entirely too much time waiting.

I say they are probably losing good engineers and replacing them with cheap ones, like everyone else. It shows.…


Finding security bugs

Here is the matrix presented by Jacob West and Alexander Hoole from HP Fortify at RSA 2012. They look at security bugs along two dimensions: whether the bug is explicit or only implied in the code, and whether it is generic or application-specific.

Explicit in code:
  Generic – 50%; can be found by static analysis tools
  Application-specific – need to understand application patterns and requirements: custom rules and manual reviews
Implied in code:
  Generic – can be found in pen testing or expert reviews
  Application-specific – probably can’t be found

These guys are in the business of finding bugs with tools, so we forgive them their optimistic estimates. But even they have to admit we cannot find everything with tools. And even with expert reviews, there still remains something that is not easily discoverable…

These problems are not easy and they require actual understanding of both software design and software security. So if you use an unskilled development force in your software house, be prepared that half of the security problems will be impossible to discover, whatever tools you use.…


CakePHP: plugins models

I spent two days trying to trace why the plugin I am writing did not work. Eventually I realized that the files defining the models were not loaded at all. After several hours of trying to figure this out, I came across this explanation provided by zuha-3:

My bet is that you don’t have a plugin defined somewhere. I had the same problem in a couple of places after the upgrade because I had forgotten to name which plugin the model could be found in.


    // the className of a model that lives in a plugin must be prefixed with the plugin name
    public $belongsTo = array(
        '[MODEL]' => array('className' => '[PLUGIN].[MODEL]')
    );

instead of...

    // a bare model name makes CakePHP look for the model in the main app, not in the plugin
    public $belongsTo = array(
        '[MODEL]' => array('className' => '[MODEL]')
    );

And this goes for all relationships, and you might have just missed one.

And so finally it worked. This should be written in really large letters on the page that talks about plugins in the CakePHP documentation. Two days for this simple stupid thing……
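The same rule applies to every association a plugin model declares, and to the controller's $uses list. The following is an added example, not code from the original post or from zuha-3, for a hypothetical CakePHP 2.x plugin named Blog with the models BlogPost, Author and Comment (all names are assumptions):

```php
<?php
// Added example (not from the original post). File assumed to live at
// Plugin/Blog/Model/BlogPost.php inside a hypothetical plugin named "Blog".
// Every association that points at a model living in the plugin must use the
// "Plugin.Model" form of className; a bare "Author" would make CakePHP look
// for app/Model/Author.php and silently fall back to a generic model.
App::uses('BlogAppModel', 'Blog.Model');

class BlogPost extends BlogAppModel {

    public $belongsTo = array(
        'Author' => array(
            'className'  => 'Blog.Author',   // plugin-qualified, not 'Author'
            'foreignKey' => 'author_id',
        ),
    );

    public $hasMany = array(
        'Comment' => array(
            'className'  => 'Blog.Comment',  // plugin-qualified, not 'Comment'
            'foreignKey' => 'blog_post_id',
            'dependent'  => true,
        ),
    );
}

// The controller loading these models needs the same prefix, e.g. in
// Plugin/Blog/Controller/BlogPostsController.php:
//     public $uses = array('Blog.BlogPost');
```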


Software security by problem setting

I had an interesting discussion with a friend of mine yesterday. The discussion was about corporate communication, its failures and difficulties. Well, that’s his job. My job is security. And today I suddenly realized that everything we discussed yesterday about communication was equally applicable to my situation, simply due to human nature.

We try to push security into the company, into development, into management, into everything. And it does not work. Some people say that it does not work as well as we would like it to, but it works a little. I say it does not work at all. All this fake interest in something that can be done instead of working is not an interest in applying security. That’s not what we are after.

But the problem is the same here as everywhere else. Why would anyone want to have security? Why would my CEO want security? He wants some certificate that he can wave around at public speaking occasions and get recognition and, even better, money for it. Why would developers want security? They want to listen to funny stories about security so they have a legitimate excuse not to work. But they do not want to implement any security; that’s extra work for them that is not recognized in any way. Why would my customers want security? It’s cumbersome, and annoying, and costly…

So we are stuck in pretty much the same situation: I am trying to give people a solution to a problem they do not have. Or think they do not have. People are notoriously bad at recognizing future problems and seeing the not-so-immediate outcomes. And that’s why I am failing before I have started. They will not accept it because it is not their problem.

And the main million-dollar question remains: how do we make software security their very personal and immediate problem? If I can figure that out, then and only then will we finally have software security.…
