Paid Advertising
web application security lab

And Beyond…

December 1st, 2010

Here we are, my friends. The 1000th post. Whew! It’s quite a load off to have finally made it. Hopefully this doesn’t come as a surprise to anyone since I’ve been announcing it for months, and if you have questions, hopefully the FAQ can answer them. I wrote and re-wrote this post several times. There’s so much to say. How can you sum up 5 years of a blog in one post? I have so much to say, but I’m not going to write a book about why I’m shutting the blog down, I’ll just focus on the major issue at hand - happiness. Isn’t that what life’s really all about?

It wasn’t that long ago that I unfortunately lost my love affair with security. Even a few years ago my wife would find me up way too late at night writing some little proof of concept code, excited to post about it the next day. A lot has changed. Some of it is external forces, and some of it is that I realized that I’ve done what I came here to do. When I ask audiences at conferences how many people have heard of XSS or CSRF or command injection or SQL injection, nearly everyone raises their hand. I can rest easy now in that the ultimate mission of the blog has been a success - people have been educated, partly through me, and partly because the industry at large has stepped up to the plate and done an amazing job of absorbing the problems.

I started as a place for me to experiment on my own, and share ideas with a few like-minded folks. I never intended it to be a big site, but scope creep from the original mission changed all that. I realized I could educate a lot more people than the 20 or so readers I had started out with. 20,000 readers, countless press articles and 5 years later, and I’ve been run through the meat grinder. My love for security was unfortunately replaced by a sense of servitude.

With any kind of work you get a sense of anxiety. But the biggest problem is that security stopped making me happy. I got into security because I enjoyed the intellectual puzzle. The industry around me has certainly changed several times since I got started but more importantly I too changed. My wife told me not too long ago that I wasn’t a hacker anymore, I was a politician, looking to see how I rated in the polls. I really didn’t like what I had become - that’s not me at all. I normally hate the press, and I’ve never enjoyed public speaking. It was always a necessary evil. An evil that I embraced far too much, if you ask me.

They say that if you look at the graph of happiness in your life you can tell what sort of life you led. For instance, if your life starts positive, then goes down, and then ends positive it’s a comedy. If it starts low, goes up and then ends badly, well, then you lead a tragic life. I’ve never claimed to be a futurist, and in fact, I’ve found the question, “What do you think we’ll see in the future” to be a terrifying question - what if I’m completely wrong?

I’m not an oracle and I really don’t like giving people incorrect information. But if I were to look at the graph of my life honestly, it wasn’t trending well over the last few years, looking more like downward trending saw blade of perpetual highs and lows. Although there have been a lot of individual highlights and amazing things that have happened, I’ve noticed and other friends, family, and peers have noticed that I’ve gotten less and less happy as a whole. As much as my trustworthy friends tried to convince me that the negative sentiment was meaningless, it was having a profound effect on my desire to continue. The saw blade was trending downward. I’m not blameless for how I got here - no one is perfect, least of all me.

Although I’m a fun loving person in many ways I also tend to be a pessimist and I do take things too seriously sometimes - definitely to a fault. I saw my happiness declining and the light at the end of that tunnel was getting further and smaller as I went on. It became harder to shrug things off, and I started worrying about even the simplest of things. So instead of being a victim of my own circumstance I made a decision to make my own destiny and start enjoying life again.

So this is it - I’m taking my happiness back and I’ll be taking on new and exciting challenges without the drama of intense public scrutiny. It’s time to make the graph of my life into a comedy - filled with excitement and wonder in the unknown. I’ll always have a soft spot for security; I’ll keep up on it, and I’ll continue to research and run my company, among a lot of other things, insofar as it doesn’t impinge on my happiness. Not hedonism, my friends, happiness. Now is the time to seize the day and start having fun again. Life’s too short.

I could also spend pages iterating all the people who’ve helped me think through the countless issues we’ve talked about, sent in ideas and generally made this website and WebAppSec in general a success. Rather than risk excluding anyone all I can say is that I truly, deeply respect all of you for your skills and appreciate what you’ve done for me and the industry as a whole. Perhaps no one but me will truly appreciate everything you’ve done, but trust me, you’re the real gods of WebAppSec. I wish you the best. So I leave it to you all - this industry along with all the good and bad, in very capable hands. Trust me, there are plenty of amazing people out there. Now it’s time for them to take their rightful place.

So… where can this mythical happiness monster be found, you may be asking? For me the journey to find happiness starts with a cold beer - so that’s where I’m headed. On behalf of id and myself, adios, my friends! Thank you for reading.


December 1st, 2010

One post left…

I know people have a few questions about the remaining fate of the site, so I decided to write a little FAQ prior to my last post:

Q: Are you planning on keeping up for reference at least?

Yes. There’s a very small chance (read near zero) that I will be making any updates though.

Q: Are you going to keep comments open on the blog?

The short answer is no. I’ve already been shutting down comments on some of the older posts to reduce the volume of comment spam. I’ll probably leave comments in place for a few months and then close it up, just to reduce the maintenance. So if you have anything you want to say about any of the recent posts, please say it now.

Q: Are you planning on keeping up?

For the foreseeable future, yes. I do want to encourage people to keep researching, and innovating, even if I’m not directly a part of it. So yes, there’s no plans on taking offline, and I still encourage people to visit and ask “dumb” questions. You have to get started somewhere, and it all starts with intense curiosity. For those who are starting, don’t be afraid to approach people who know what they’re talking about. If they blow you off, they’re jerks, but a lot of times they’ll be patient and help. It never hurts to try. Update: and both suffered a massive RAID and simultaneous backup failure on December 17th 2010 related in part to an exhaust system failure in our redundant cooling system. So some dates are messed up on comments over the last few months of posts, some files and directories (like hashmaster) are gone, and suffered some loss of posts because we had to go back to an old backup. Sorry about that. It’s hard to predict so many failures at once.

Q: I still want to read what you’re writing, are you posting anywhere else?

I may post in lots of places regarding various topics and for various reasons, but no, my days of WebAppSec blog posting a la are over. It’s time for others to pick up where I left off. But if you just want to read 300+ more pages of RSnake content, please check out Detecting Malice.

Q: Why 1,000 posts and not 10,000 or 100,000 posts?

Because I made a promise to myself to make it to 1,000 posts. That’s it. Simple enough. It was really easy to get to 100 posts, and even easier to get to 250. After that, it got harder and harder. I was thinking about stopping at 500, but one day I checked and I had accidentally gotten to over 550… so then I made another promise that I’d stop at 1000. And here we are, my friends - one post remaining.

Q: Someone mentioned to me something about a “Dread Pirate RSnake”. What is that?

A year or so ago I was thinking that rather than shutting down the blog outright I would find a talented person to take my place. Like the character in the Princess Bride, the Dread Pirate Roberts, they could take on the Dread Pirate RSnake persona, and pass that along to others once they got tired of the name. I talked with several people about that who seemed interested in taking up the cause, but after thinking about it longer I decided it was a bad idea. Ultimately I decided the blog was fun while it lasted, but it’s over for me, and my handle doesn’t need to live on. The research is the important part and others have long ago taken over those reigns anyway.

Q: Will you continue to be part of security?

In short, yes, I’ll still be working in security. I’ll always be available by email, but no, my time in the spotlight is thankfully coming to a close. It’s time for other people to get their moment in the sun. Having already made a few commitments I will remain somewhat visibly involved in the security world, but otherwise I’m trying to do less and less in the public eye. I’m definitely not leaving security altogether though. SecTheory will continue to operate, and I have a number of security ideas in the works that will no doubt see the light of day at some point, but that’s about it. And Jer seems to think I may twitter more now than ever. Who knows? Only time will tell. I really dislike twittering though, so the forecast does not look good.

Q: What about any other vulns you find?

Ah, the hardest question of all. I haven’t made up my mind. Some issues will no doubt get disclosed to the appropriate parties. Some may end up in a friend’s lap for them to disclose under their name. The remaining issues… who knows? To be honest, like a lot of researchers these days, I’ll probably just sit on them.

What’s Left?

December 1st, 2010

2 posts left…

As I wind down, I’ve gotten a lot of requests to talk about various things in my final posts. Everything from talking about what to study for newbies, how to keep up on WebAppSec when I’m gone, to talking about O2. But what I really want to talk about is what’s left? After having researched for 15 years and having blogged for 5, what areas do I think are left to research/write/build? There are tons of things. I’ll just type free-form for the next few minutes:

- I think mobile browsers are Swiss cheese and they need a much more serious look. And then we need to have a fierce conversation with the mobile providers about better/faster mechanisms to do patch management.

- I think browser port blocking blacklists are dumb and have already been broken at least three times. It’s time to do a month of inter-protocol exploitation!

- I think browser UP&P attacks against routers are highly likely and need a lot more research.

- I think the whole concept of replacing SSL/TLS with SSL/TLS over DNSSEC needs a ton of thought as a replacement.

- Browser UIs need to be hammered - they all have problems.

- Re-writing firmware in home DSL routers and making router-based botnets is under-researched.

- A table of all the ways to leak information across domains (img tags, style tags, iframes, etc…) needs to be kept and cataloged by browser type.

- An acid test should be built on a website somewhere so that people can test all known security problems against their browser. Then we can start a healthy competition and track how long each browser takes to close each issue.

- Cloud providers need to be hacked to prove how frail everything is that rely on them.

- SSL/TLS resellers need to be hacked to prove how frail PKI is when you distribute it out to the least common denominator.

- Alternate encoding issues are still barely understood and very poorly documented.

- Someone needs to build a ubiquitous DoS (not DDoS) package that includes every known DoS tool and throw it into MetaSploit, so companies start having to test against it and start pressuring the vendors to fix the issues.

… and that’s just what I could type out in a few minutes. Look, anyone who says there’s nothing left to research isn’t thinking creatively. There’s an absolutely amazing amount of issues out there left to research, and projects to make the industry move faster. One problem I wish the industry would get away from is saying something isn’t new or isn’t interesting. If it’s not new but it’s still broken, there’s a problem there (Firesheep is a great example). If you’re interested in it, don’t let other people tell you it’s not interesting. Go ahead and research it! So what’s left? Everything’s left, my friends! The world is yours! You have the power to make amazing things happen if you so choose. It’s just a matter of deciding what kind of world you want to live in.

Mod_Security and Slowloris

December 1st, 2010

3 posts left…

After all the press around Wong Onn Chee and Tom Brennan’s version of a HTTP DoS attack, I think people started taking HTTP DoS a tad more seriously. Yes, there are lots of variants of HTTP based DoS attack, and I’m sure more tools will surface over time. The really interesting part is how both Apache and IIS has disagreed that it is their problem to fix. So we are left to fend for ourselves. Enter mod_security (at least for Apache).

When I originally tested Slowloris against mod_security, it had no chance of solving the problem. I spoke with Ivan Ristic who said that it simply ran too late (same thing with .htaccess, and many other things built into Apache). So the world was at a bit of a loss when the DoS originally came out. Now with the latest changes in mod_security at least we now have a viable (non experimental) solution other than using alternate webservers, load balancers or networking solutions. Very cool stuff!

Minimalistic UI Decisions in Browsers

November 30th, 2010

4 posts left…

I’ve tried to talk about this a few times to people over the last year or so, but I think it’s hard to explain without pictures. So I gathered a bunch of screen shots that should help explain why I’m not a huge fan of the minimalistic browser concept. More browsers are getting on board with this, and while I absolutely do believe it makes people more productive and therefore faster, there are some negatives that are worth pointing out. Frankly, I do believe there is a lot of wasted space in browsers, so at first blush, I’m sure most people would agree that the various browsers are heading into the right direction by emulating Chrome. I actually agree with the basic concept, with the exception that I think there are some gotchas that are worth thinking about before we’re “got”.

I’m certainly not saying there’s no way to fix these issue either, but I don’t think it’s wise to run headlong into a bunch of potentially dangerous problems without knowing that they’re there. So I hope this sheds some light for those people I talked to, and for anyone else who’s interested! :)

Cheating Part 2

November 21st, 2010

5 posts left…

So my Wife decided that she loves to play that game “Words with Friends” on the iPhone. It’s basically just like Scrabble but probably for legal reasons it’s just slightly different (bonus placement, tile value, etc… are different). Unfortunately for me, my Wife is scary smart and knows the English language far better than I. So I’m at a huge disadvantage when playing games that involve words or spelling. The only thing I’m good at is the math part, figuring out what the highest scoring word is… oh, yeah, and cheating. Well after a few dozen games, I kinda got fed up with the whole thing and started looking for ways to cheat. Sure, it’s probably talking an unencrypted protocol and it’s probably doing most of it’s validation checks on the client side, but my Wife is going to notice if I start using words that aren’t words.

So I start thinking about writing a tool that brute forces through the dictionary and attempts each word in a simulator to see if it’ll fit. Then the idea starts taking shape in the form of a program that starts tabulating which letters are worth what, and where the various double and triple word scores are in relation, etc… It grows in complexity further and further until I finally decide that I had better test it before I go much further. So on my first trial run it picks the word, “exine”. Okay, whatever, I plug it in and it works as expected. My Wife was on chat with me at the same time and instantly she writes, “Wtf is exine? You’re cheating.” So at this point I look up the word and sure enough it’s defined as “the outer coat of a spore, esp. a pollen grain” to which she write, “You totally cheated. You are so not a botanist. Spore my ass. Your mom is the outer coat of a spore. I don’t believe it for a second that you knew that word before playing it.”

Alas, all that work and she called me out the VERY first time I tried out my program. Of course in hindsight I should have parsed apart every word I had ever written in the blog or in my books and compared them against the dictionary to only use words that I was guaranteed to know. Such a waste. So I never got to try my other theories, about how to play defensively. For instance when I know there’s only a certain number of letters left in the deck of tiles, I can figure out which characters she can have left and the probability of which words she can play.

It would have been fun to create a contest to see which strategies are the most effective in a bot on bot scenario. Is an all defensive strategy better, or an all offensive (always opportunistically taking the highest value word)? Or maybe a hybrid of both where you play defensively at some points or offensively when you know it’s better in the long run. Anyway… unlike the previous cheating at Casino night it was not a very successful attempt. Like I said, my Wife knows that I cheat - she knows her adversary way too well. You win some, you lose some, I guess. That’s what I get for not marrying a bimbo.

Cheating Part 1

November 21st, 2010

6 posts left…

I just thought I’d write a few vaguely amusing posts having just come back from Abu Dhabi (Blackhat) and Brazil (OWASP). A few weeks back my Wife was having a rather fancy soiree work party that also had a casino night attached to it. I was pretty annoyed about the whole work party thing, having rarely had a good time at these things in the past. So immediately I start looking for ways to entertain myself. Well upon entering they gave us both a ticket which we could turn in for $500 in chips. Then they said, “For every $100 in chips you turn in we’ll give you a ticket.” Immediately I saw a fault, “So if I give you $500 in chips you’ll give me 5 tickets… and if I give you 5 tickets you’ll give me $2500 in chips? Do you see a problem with that?” My wife was instantly annoyed - she knows full well I’ll ruin the whole night for everyone if I start cheating. So she tells me I’m not allowed to do that. Okay, maybe I just shouldn’t have said it out loud. I just love cheating at games and she knows it.

So I take my ticket and my Wife’s ticket who has decided to ditch me to talk to her work friends while I do the casino night thing. They give me $1000 in chips in exchange, and a few caveats. The first is that there are three prizes at the end of the night, an iPad, and two Flip videos and the drawing is after the casino closes at 10:30. They also tell me that I can buy back in at any time for $20 and get another $500 in chips. Fair enough. So I peruse the various games. Roulette - a fast game but crap for odds. Poker, a man’s game, with good odds if you’re good at playing, but way too slow. Blackjack - ahh, perfect. Blackjack has good odds, it’s fast, and it’s also social, so I can at least talk to some people while I play. Plus it doesn’t hurt that id was a professional Blackjack player for years and taught me everything I know about it.

So I start playing Blackjack and I realize right away two very important things about the dealer. First - she’s very good - Vegas quality good. The second is that she doesn’t care at all about her job. I see her bury cards when it’ll bust someone, even when they don’t notice or particularly care. She’s doing it so slyly though that I’m the only one who’s noticing. So I call her out on it in a good way and tell her she should work in Vegas. Well it turns out that she used to, and we hit it off. I notice that she starts helping me out too. So I vary my bet and start increasing my winnings from $25 per hand to $100 then $500 and eventually $1000 or more a hand. Meanwhile I’m trying to help other people by paying to get them to split when they should - making a few thousand for other players here and there. I know the dealer appreciated that because happy customers makes for bigger tips.

Now this dealer, for the most part is in a $1-5 tip situation per person. I realize by the end of the night I’ll probably end up with the highest chip count by at least three times, so I tell her to let me know when she’s going to play the last hand. The last hand comes and I give her a $20 bill as a tip, partly because she had made the night so much fun when I had had such low expectations of the whole thing, and partly because I knew it would help me in the last hand. Of course she was very thankful. So on my last hand of the night I bet $7000. She intentionally busted herself out and instead of paying me $7000, she paid me $10,000.

So at this point I’m at $22,000 and change in chips with the next highest player that I could see being at $4,000. So I give her a big hug goodbye because she had just made the whole thing that much better. Then she slipped me two more $10,000 chips, for a grand total of $42,000 and change in chips. So I am more than 10x higher than the next highest player. That sounds all well and good, except now I have to convert a relatively small number of high value chips into tickets. So a huge line builds up as a half dozen volunteers have to sit there and rip up 420 tickets. It took a lot longer than I had expected and people were starting to get pissed. And rightfully so since I was basically guaranteed to win something or everything at that point. So I settled for closer to 300 tickets, just so I could get out of there without getting on my Wife’s company’s shit-list. And here’s the smarmy talk show host picture of it:

Surprisingly my Wife was actually amused by the whole thing, because she’s usually annoyed by my antics. For $20 we ended up winning a Flip and I had the best time I’ve ever had at one of those stupid work parties. If I had tried to buy the tickets using their assigned value in actual cash it would have taken $1,680 - a pretty expensive Flip if you ask me. The amusing questions went along the lines of, “What did you play?” followed by, “Man, I should have played Blackjack! All I got was $800 in chips.” My Wife says that I’m a dick.


November 15th, 2010

7 posts left…

I go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hacking tools to exploit it.

One of the more interesting analysis pages I’ve seen was one which had a scorecard. At first blush it’s fairly obvious but one thing stuck out at me regarding the last part of the scorecard, where they assigned scores to each of the various protocols like POP3 fails but POP3 over SSL/TLS gets an A. The interesting thing is that there isn’t an equivalent score for HTTP vs HTTPS. This all goes back to the 24 vulnerabilities Josh and I talked about in the browser implementation of SSL/TLS in the browser.

Just because something is speaking HTTPS some of the time doesn’t even mean that session alone is secure in a multi-tabbed environment, or with certain plugins, or certain settings or with certain settings within cookies, etc… It’s just not that straight forward. Wouldn’t it be nice if we had something that did act in a safe and sane way that allowed you to contact a site securely? Maybe something that was a secured transport layer (no, not TLS, I mean something actually secure). ;) Maybe it’s something we can add on top of SSL/TLS over DNSSEC while we’re in the browser security world are still in the mood to shake things up.

Detecting Malice With ModSecurity

October 28th, 2010

8 posts remaining…

Ryan Barnett has a new series he’s doing called Detecting Malice with ModSecurity that I wanted to spend a minute talking about. Firstly, it’s personally interesting, because he’s using the book and slicing and dicing a lot of the core ideas and figuring out how to implement them. But secondly, I like practical examples of solutions to concepts that may seem to be unattainable or a technological hurdle at times. One of the reasons I didn’t spend any time talking about solutions was because so many people have varying platforms. That’s one of the nice things about the Internet but it’s also one of the problems. It seems like attacks are easier to talk about because nearly everyone is vulnerable to them. But defense is much harder, because it is always very site specific.

Anyway, it’s a great series and I recommend it, even after just the first post - not just because it’s talking about the book, but also because he really does a really nice job of giving thorough examples. I hope some people get some value out of it. Even if you use IIS, ideas like this get the creative juices flowing. Sometimes it’s tough being a security guy, so any little bit helps.

Performance Primitives

October 20th, 2010

11 more posts left…

While I was out at Bluehat I ended up having some good meetings between Intel, Mozilla and Adobe. How are these companies related, you may ask? Well all of them care about performance. A year or so ago I was hanging out with the Intel guys and they informed me that they have a series of low level performance primitives that they surface through APIs. At the time I wasn’t quite sure what to make of it. Security and performance aren’t natural bedfellows - or at least I didn’t think so at the time.

I got to talking with both Microsoft and Mozilla last week about the need for default Adblocking software built into the browser. Jeremiah thinks it should be opt-out and I think it should be opt-in, but either way, I think we’re coming to a consensus that it should be automatically part of the browser in some form. Mozilla was the first to give me a real reason it may be a problem other than it hurting Google, who is their biggest sponsor. The reason is performance. Adblockplus, as an example uses partial string regex which is a performance hog. To put that in the browser by default would really make people’s experience suffer. Then it occurred to me that I had had a conversation about performance with Intel a year before. The answer, my friends, lies in primitives.

Currently Intel supports a subset of basic math functions and Perl’s version of regex. Well, in a future version the chips could support things like the JavaScript version of regex, and other primitives involved in decision making and image/vector rendering and so on that are used within the browser. Adobe is in the same boat - although probably a different subset of primitives would be desirable. Then the idea sprang up to use these primitives within Visual Studio itself to get more generic/native improvements to performance without developers having to know anything about the chip. Intel doesn’t tend to market these concepts very well, despite how interesting they could be, but only a few people have to know to make a big difference.

So now the real question isn’t whether these companies will pick up on this technology now that they know about it - that’s a given. The real question then is once they get a performance boost are they going to use some of it to improve security or are they just going to tout themselves as the fastest? At some point we have to stop and ask ourselves how fast do we really have to get before we start using some of that processing power to make people safer instead? One can only hope…