funkatron.com: Infosec Posts

Why Spaz isn’t “signed”

2009-03-09T02:56:26Z

We don’t sign Spaz with a code signing certificate generated by one of the 4 (as of this writing) certificate authorities Adobe accepts. This means that when you install Spaz, you get a scary “Publisher:UNVERIFIED” warning. This is why we don’t sign, from a letter I wrote when asked about it in Spring 2008:

If I sign Spaz with a paid-for Thawte cert, I am on the hook every year for a Thawte cert. I can’t change my cert signer or go back to a self-signed cert without breaking auto updating (at least as I understand it), and I’m therefore locked into a $300 expense every year. That’s not terrible for a commercial app backed by a company, but that’s a pretty significant chunk of change for a free, open-source app developed by one person as a hobby to lay out.

I’m familiar with how certs work, and how Thawte handles certification as compared to other, less expensive cert vendors. Were I convinced that Thawte did some kind of verification process/background checking on the applicant I could see the value, but at least with SSL certs, they certainly didn’t do anything more than vendors who donate free certs to EDUs.

Currently, there are 3 other CAs in addition to Thawte, and the prices range between $180 and $300 per year. Some of these CAs do seem to do a little more background checking. Still, the same arguments apply, especially the one related to cost.

Spaz doesn’t generate revenue, and relies on donated time from myself and a handful of other generous folks. Committing to a yearly expense in the hundreds of dollars seems unwise.

If this is something you would like to see change, I’d encourage you to ask Adobe to make code signing a realistic option for Free, Open-Source Software like Spaz by providing certificates free-of-charge – after a reasonable review process – to projects like ours.

Security for the Social Set at SXSW - A Conversation

2009-03-06T22:34:22Z

Do you work in social media? Do you develop social networking sites? Do you like it when people do not hack your Facebook account? If you answered “yes” to one of the above, then you simply must attend Security for the Social Set, a Core Conversation I’m leading at SXSW. It will take place on Sunday morning at 11:30 a.m.

I’m excited to be able to lead this conversation, especially because I think security – especially practical solutions – is woefully under-represented in social media discussion. It’s my hope that we can raise awareness of these issues, identify where the biggest problems lie, and start sorting out how to address them.

I am told the Core Conversations will suck less this year. Last year it was often hard to hear people in your group if there was a raucous group next to yours. This year each group should have their own room, which will be a lot better, I think.

Hope to see you there!

Safely parsing JSON in JavaScript

2008-10-15T15:24:17Z

I love me some JSON. It saves me tons of parsing headaches when exchanging data between web services because it maps so well to concepts shared among most common programming languages. It’s super easy to take a PHP object, convert it to JSON, and then push it to a Javascript (or a Ruby, or a Python) app.

Because JSON is valid JavaScript code, the most common method for converting it into native JS objects is to just eval the JSON. This is an extremely bad idea, because it opens your app up to all sorts of code injection attacks. Even with “trusted” sources, a security failure on your source’s end, or just a disgruntled employee, could wreak havoc on your apps and your users. I’d recommend reading Douglas Crockford’s “JSON and Browser Security”. Go ahead; I’ll wait.

jQuery, which we’ll use for all our examples because it’s awesome, will in many cases automatically parse JSON responses for you. This, as we learned above, is a Bad Thing. The following Ajax methods will automatically parse JSON in jQ (as of 1.2):

jQuery.getJSON() – always
jQuery.ajax() – if type is ‘json’
jQuery.get() – if type is ‘json’
jQuery.post() – if type is ‘json’

So my rules of thumbs are:

never, ever use $.getJSON()
never, ever set the type option to ‘json.’

To force the issue, I set my type to ‘text’ in my ajax calls. For example:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8">
    $.ajax('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);
    }, 'text');     
</script>

In the example above, we’re including the jquery library with the first <script> tag, and then calling the jQuery.ajax() method in the second. We’re passing three parameters:

the URL we’re pulling the JSON string from. In this case, it’s the Twitter public timeline
an anonymous function that’s called when the request is successful
the type of data we’re getting, as a string. Using ‘text’ ensures no extra processing is done on the response string

So this is great, but all we’ve got is a string of serialized data, which isn’t terribly useful. Thankfully, there’s a handy library at JSON.org that takes care of parsing JSON ~~without using eval~~ without using eval on non-JSON code¹. The library gives us two methods: JSON.parse() for turning a JSON string into a JS object, and JSON.stringify() for turning a JS object into a JSON string. So let’s utilize JSON.parse() in our code, and actually do something with that data:

<script type="text/javascript" charset="utf-8" src="/js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="/js/JSON2.js"></script>
<script type="text/javascript" charset="utf-8">
    $.get('http://twitter.com/statuses/public_timeline.json', function(data, textStatus) {
        alert('Status is '+textStatus);
        alert('JSON data string is: '+data);

        // this will give us an array of objects
        var public_tweets = JSON.parse(data);

        // iterate over public_tweets
        for(var x=0; x < public_tweets.length; x++) {
            var twt = public_tweets[x];
            var elm = '<div class="tweet" id="'+twt.id+'"> \
                <a href="'+twt.user.url+'"><img src="'+twt.user.profile_image_url+'" /></a> \
                    <div class="tweet-text">'+twt.text+'</div> \
                </div>';
            $('BODY').prepend(elm);
        }
    }, 'text');
</script>

In the modified example above, the second script tag loads the JSON2 library. We then use the JSON.parse() method to turn the data string into a JavaScript object – in this case, and array of Twitter message objects. Then we iterate over the array, building a string of HTML for each entry and prepending it to the <body> tag (so the newest item is on top).

Note: If you’re using this code on a remotely-hosted html page (or loading it as a local file under Firefox 3), it won’t work, and if you check in your error console you’ll probably see a security warning. That’s because our $.get() call directly accesses the Twitter API hosted on Twitter.com, which is almost certainly not the domain your files are hosted on. When we try to do so, it violates the same-origin policy enforced by browsers. The only workaround that I think is safe is to set up some sort of proxy on your domain to pass requests – other approaches like JSONP rely on eval()ing the result, which is what we’re trying to avoid here. I’ll try to cover setting up a local domain proxy in a future post.

By handling JSON with a parser rather than just using eval(), we mitigate the risk of code injection. This helps us protect both our application and our users.

Basically, JSON.parse() runs a regex search for code that appears to be defining a function or redefining prototypes or other kinds of stuff beyond simple data transmission, and guts those parts. ↩

Let’s make SXSWi 2009 suck less!

2008-08-20T02:52:00Z

Remember when you went to SXSWi last year, and you said “I love the parts where I meet cool people and eat free food and drink free booze and throw up, but I wish the presentations and panels weren’t so goddamn fluffy?” Me too. That’s why Alex Payne (aka “The Guy Who Has Actual Name Recognition”) and myself submitted the talk “Security for the Social Set.”

The idea is that we give some solid, useful information about the security problems social networking apps have to deal with, and how to deal with them. While we can’t get too focused on specific languages and frameworks, client-side defense with JavaScript will certainly be demonstrated, and I intend to show examples in PHP and probably a couple other platforms (coughRailscough). It will be hard to get into heavy detail within the alloted time, but it’s my hope that we can kickstart awareness and understanding of fundamental secure web app programming techniques.

Plus, I need a justification for dropping the coin for hotel and air fare on this boozefest, so please, vote for us.

Security for the Social Set (SXSW 2009)

Oh, and a few other meaty talks you should consider include:

Slides from OSCON 2008 PHPSecInfo talk

2008-07-24T21:54:00Z

Just a quick note that my slides from my OSCON 2008 talk, “Securing the PHP Environment With PHPSecInfo,” are now online.

[PDF](http://funkatron.com/content/Securing the PHP Environment With PhpSecInfo-OSCON2008.pdf)
Slideshare

PHPSecInfo talk at OSCON 2008

2008-07-22T16:34:00Z

If you’re at OSCON, and you love security, you may or may not enjoy my talk on PHPSecInfo, a security auditing tool for the PHP environment. I’m actually going to try to show some new code, so if you’ve seen it before, you can see it again – for the first time.

The talk is at 1:45pm Thursday, 07/24/2008.

Slides from php|tek 2008

2008-06-01T17:24:00Z

After experiencing the inspiring atmosphere of php|tek 2008, I vowed to write a blog post a day to hone my writing skills.

Whoops!

Building Desktop RIAs with PHP, HTML & Javascript in AIR

Note: The ZIP on the php|tek 2008 site didn’t have the AIR code in it, so until that’s fixed I’m linking to my locally hosted copied

Securing the PHP Environment with PHPSecInfo

Slides (PDF)

Encouraging steps towards security in Wordpress 2.5

2008-04-01T18:15:00Z

Anyone who gets me liquored up knows that I’m not a fan of Wordpress. I think it’s great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don’t believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption. From the WP blog:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper. which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

These are good steps, and while I think they took way too long to happen, I’m glad they finally did. I do still feel that WP suffers from an architecture that makes it too easy to make input filtering mistakes, and I would strongly recommend a tool like WPIDS for all self-hosting Wordpress users.

Notes on SXSW2008

2008-03-13T01:36:00Z

The experience of SXSW

Unlike other conferences I’ve been to, which were mostly tech confs SXSWi is not about nuts and bolts — it’s about higher level issues of people using technology
- A couple exceptions, like the Secrets of JavaScript Libraries. This was good, and I’d like to see more like this. I don’t expect hardcore advanced code talks, but good intro-level stuff would go a long way, I think.
At most confs I attend, I’m the “weird” dude, with my earrings and black t-shirts. At SXSW I’m another asshole with a fauxhawk.
Way, way, way more women at SXSWi than any tech conf. Someone on a panel I attended complained that the % of females has been going down at SXSWi, and I’d guess it’s maybe 35-40% female. At most of the tech conferences I go, it’s 5-10% female, tops.
Despite the fact that web apps are one of the primary points of attacks for malicious users, security was really not talked about much at SXSW (although I heard there was some in the OpenID panel). This was disappointing. People running web apps are the stewards of their users security and privacy, a responsibility not to be taken likely. I’d wager under 20% of attendees and panelists could describe basic techniques for architecting software with security in mind (but I hope it’s higher). Definitely need to propose a panel for 2009.

The culture of Austin

People really do seem more hospitable. Locals will ask a stranger how there night’s going. This is pleasant, but a little weird for a yanqui when it happens in the men’s room.
Austin embraces being different. They like it, from the top down. This is so unlike most other communities.
Austin doesn’t feel like a big city. It has some big, cool buildings, but you’ll see flop houses a couple blocks away.
Closest thing I’ve experienced to Austin is Portland. I think PDX has better public transportation. Austin’s weather doesn’t cause city-wide suicide watches, though.

Other tidbits

Introduced Clint Ecker to Jason Perkins, both Chicago-based web devs. They discover that they work literally next door from one another.

Had lunch with Jason Perkins and the rest of the Pixish crew. Surprisingly was not mocked incessantly for not using Rails. They’re good peeps, and Pixish is a cool site.

I wonder how far the Zuckerberg “keynote” set back female journalism. That’s a hari-kari situation right there.

If you are unwilling to say to someone’s face what you say in your little gadget (or otherwise) blog, you need to shut up. Stop being a punk.

I was really happy to see ExpressionEngine and CodeIgniter represented as strongly as they were at SXSW. I still feel strongly that EE is the strongest CMS product in its market (which includes Drupal, Joomla, Wordpress and the like), and the improvements in EE2.0’s administration system will increase productivity considerably.

Holy shit, I have never seen as many iPhones as I did there. And it’s taking some effort on my part to not go get one now. I could have left my laptop in the hotel room if I’d had one, which would have reduced my fatigue considerably. Since I am doing about 4 conferences a year, it’s starting to make more sense. I’m making myself wait for a new hardware revision, though (and I really can’t afford one atm).

The panel on the success of icanhascheezburger.com was interesting, and I think underlines that luck is a (the?) key component for almost all of these rags-to-riches stories

Being with someone — or a small group — seems key to me. I think I would have enjoyed SXSWi a lot less if I was not able to always count on the two friends I was with.

Do not be afraid to come up and talk to people. It’s hard for me to do, but I was always glad I did. I got to meet old internet-only friends like Violet Blue because of this (so glad I did!). I also got a hug from Halcyon, which was awesome — more dudes should be down with hugs.

Meeting Alex Payne was another highlight of SXSW for me. What a great guy; I wish we’d had more time to hang and talk. And there were so many others, like Derek Allard, Jonathan Snook, Ken Fisher (thanks again for dinner Monday night), Thomas Myer, C. Eric Smith, Obie Fernandez (I wish he’d written Rails), Stephanie Booth, and many others whom I’m too forgetful to remember at the moment.

Frank Warren’s keynote on his PostSecret project was the highlight of SXSW for me. It was funny, tragic, inspiring, and compelling. One could not help but be inspired, as exemplified by the man who asked his love to marry him in front of the entire audience. Technology empowering us to express ourselves, communicate, and aid one another is so much of what the last few years in web dev has been about, and we would do well to follow the example set by Frank Warren.

Oh hell yes I’m coming back next year

New Article on Inspekt at C7Y

2008-02-19T01:50:00Z

Just a quick note that I wrote an article for the new C7Y PHP community site on Inspekt:

Step Away From the SuperGlobals! An Introduction to Inspekt

If you’re interested in Inspekt and have questions or would like to contribute, please check out the Inspekt user group.

Inspekt 0.3 now available

2008-01-21T16:56:00Z

I’ve uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project . I believe it is ready for “real-world” use.

Along with this release, there are new support and install options:

Brand new user documentation - written by an actual human (well, me, so close enough)
Updated API documentation generated with phpDocumentor
A PEAR channel (pear.funkatron.com) for quick packaged installs
A discussion group/mailing list for support, suggestions and discussion

What’s new in this release:

Automated filtered via external config files
Cleanup and fixes to docblocks
More example code
A fruity logo

What’s in the future:

Interact with developers to get feedback and implement suggestions
Add new options for URI, email, phone # validators
Work with framework developers to integrate Inspekt with their platforms
Better support the special requirements of session data
Integration with PHP5’s filtering API when available
Integration with other filtering and escaping systems like PHPIDS and HTML Purifier

If you are interested in contributing to Inspekt in any way, I highly encourage you to join the mailing list. I’m especially looking for development assistance and “real-world” feedback.

php|tek, AIR dev and PHPSecInfo

2007-12-03T17:17:00Z

Clearly the free booze and other gifts provided to the php|arch team is paying off, as two of my talks have been accepted for php|tek 2008 in Chicago. I’ll be speaking on desktop app development with AIR, and the PHPSecInfo project. The full schedule of talks will help you plan on how best to avoid me.

Desktop app dev with AIR has been something near and dear to my heart lately, as I’ve spent a lot of time in the past several months developing Spaz, a Twitter client based on AIR. In the process I’ve learned a whole heck of a lot about Javascript development, and learned intimately what works well in AIR and what doesn’t. Combining PHP on the server side and Javascript/HTML on the client side makes a lot of sense for me, then. Getting the two sides to work together has gotten a fair bit easier with the JSON extension that was added in PHP 5.2.0. With that, exchange of data structures carries a lot less overhead.

PHPSecInfo has been quiet for a while on the development side, but I’m hoping things will pick up a bit with the introduction of public SVN access to the project. The trunk version has some extra stuff in it, like the beginnings of a new view system to output results in various formats. I’ve also added Paul Reinheimer as a contributor, so feel free to guilt him into making updates as well. If you’re interested in contributing patches or updates to PHPSecInfo, drop me a line and we’ll chat.

Slides from DC PHP

2007-11-20T04:06:00Z

Maintaining focus has never been one of my strong suits, but I’ve been doing a fairly bad job of it lately even for me. So, I’m finally posting the slides from my two talks a DC PHP:

I think my talks went okay, but not great. Definitely could have been more prepared and presented more useful information, especially in the Inspekt talk. It’s the first time I’ve done a talk on that project, so I still am feeling that one out a bit, whereas I’ve talked about PHPSecInfo a few times before this.

The DC PHP Conference was a nice surprise. It was clearly still in the learning stages, but everyone was friendly and happy to help, and the organizers definitely seemed interested in sorting out what worked and what didn’t. I believe they said the next one will be in July 2008; I hope to be there!

Interview on ArsTechnica about Spaz

2007-10-12T00:50:00Z

An interview I did with Jacqui Cheng of ArsTechnica about Spaz has been posted tonight. We get kinda in-depth on the origins of Spaz and the security issues with rich internet applications.

PHP|Works 2007: Presentations and Thoughts

2007-09-20T01:30:00Z

php|works 2007 was last week, and it was a great experience for me. Here are the slides and code from the presentations I gave:

I really enjoyed my trip to Atlanta and the conference experience. Much like php|tek this year in Chicago, ‘works was filled with lots of great content, smart people, and a casual, comfortable atmosphere that makes the whole thing a lot of fun. The php|architect conferences lack pretension, and that’s really nice — it’s about the people and sharing knowledge. And this one was really special for me because it’s the first time I’ve given a presentation to my colleagues in the community. I was very nervous, but it all turned out well.

I’m too ~~lazy~~ busy to write out an extended journal of the whole experience, but here are some memorable moments:

Being sick just two days before I was about to leave, and getting better just in time to go
Having my first flight cancelled, giving me time to mostly finish my CodeIgniter talk before I left the Indy airport
Getting to the hotel just in time to catch Chris Shiflett’s funny PHP4 is Dead keynote
Discovering the hotel room had a flat-panel TV. Unfortunately, no HD content
Catching up with Lucas Nealan, and getting an unexpected phonecall with great news
The fact that there were about 7,000 iPhones on-hand
The Paul Reinheimer quad-core drinking demo (sponsored by Microsoft)
Ramblecast: the loudest, drunkest, least productive group podcasting experiment ever
Learning a lot more about the Filter extension from Derick Rethans, and seeing how it compares to Inspekt
Losing power in the middle of my PHPSecInfo talk, and Paul M. Jones resuscitating the projector
Terry Chay’s software architecture talk. I didn’t agree with everything he said, but I laughed my ass off
Meeting people who have actually heard of me and used tools I’ve made. Weird
Good conversations with too many people to name