web application security lab

Archive for the 'General News' Category

Mozilla’s Content Security Policy

Wednesday, July 1st, 2009

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

On a less thrilling note it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting: it’s an opt-in model, and clickjacking is so prevalent as an avenue for attack. Opt-in security models work on sites that know they’ve got a problem (like user submitted HTML and JS), not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solution. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?
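As an added illustration of the opt-in model the post describes (this is example code, not code from the original post or from Mozilla), the following Python models how a browser applies a policy header to a page of user submitted content: a script-src directive decides which scripts may run, a frame-ancestors directive decides who may frame the page, and a page that sends no header gets no protection at all. It uses the directive syntax CSP was later standardised with (the 2009 draft used different names), and the example.com / example.net URLs are constructed for the demo.

```python
"""Minimal model of browser-side Content Security Policy enforcement.

Added example; not from the original post or from Mozilla. Directive syntax
follows the later CSP standard (script-src, frame-ancestors, 'self', 'none',
'unsafe-inline'), not the 2009 Mozilla draft. Host matching is simplified:
default ports are not inferred and paths are ignored.
"""
from urllib.parse import urlsplit


def parse_policy(header: str) -> dict:
    """Turn "script-src 'self' cdn.example; frame-ancestors 'none'" into
    {directive: [source expressions]}; the first occurrence of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, which is what 'self' compares against."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_allows(source: str, page_origin: str, url: str) -> bool:
    """Does one source expression permit loading `url` from a page at `page_origin`?"""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "*":
        return True
    if s == "'self'":
        return origin_of(url) == page_origin
    # host-source: [scheme://]host[:port], optionally with a leading "*." wildcard
    target = urlsplit(url)
    if "://" in s:
        scheme, _, hostport = s.partition("://")
        if scheme != target.scheme.lower():
            return False
    else:
        hostport = s
    host, _, port = hostport.partition(":")
    if port and port != str(target.port or ""):
        return False
    tgt_host = (target.hostname or "").lower()
    if host.startswith("*."):
        return tgt_host.endswith(host[1:])   # "*.example.com" matches "a.example.com" only
    return tgt_host == host


def script_allowed(policy: dict, page_url: str, script_url=None) -> bool:
    """May a script run? script_url=None means an inline <script> block, which is
    exactly what an XSS payload in user submitted HTML would be."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                      # no directive: the browser restricts nothing
    if script_url is None:
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(source_allows(s, origin_of(page_url), script_url) for s in sources)


def framing_allowed(policy: dict, page_url: str, embedder_url: str) -> bool:
    """Clickjacking side: may `embedder_url` frame the page? frame-ancestors does
    not fall back to default-src, so a site that never opts in is always framable."""
    sources = policy.get("frame-ancestors")
    if sources is None:
        return True
    return any(source_allows(s, origin_of(page_url), embedder_url) for s in sources)


# Constructed policy a site might send on its user-content pages.
USER_CONTENT_POLICY = "script-src 'self' https://static.example.com; frame-ancestors 'none'"


def demo() -> dict:
    """Apply the policy to a constructed profile page and a few load attempts."""
    policy = parse_policy(USER_CONTENT_POLICY)
    page = "https://www.example.com/profile/123"
    return {
        "inline_injected_script": script_allowed(policy, page),                                   # False
        "site_script": script_allowed(policy, page, "https://www.example.com/app.js"),            # True
        "cdn_script": script_allowed(policy, page, "https://static.example.com/lib.js"),          # True
        "attacker_script": script_allowed(policy, page, "https://evil.example.net/x.js"),         # False
        "framed_by_other_site": framing_allowed(policy, page, "https://evil.example.net/"),       # False
        "no_header_framed": framing_allowed({}, page, "https://evil.example.net/"),               # True
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:24s} -> {'allowed' if allowed else 'blocked'}")
```

The last entry is the point the post makes about opt-in defenses: with no header there is nothing for the browser to enforce, so only sites that already know they have a problem gain anything.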

In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

RSACon

Thursday, April 23rd, 2009

This year’s RSAcon has been a lot of laughs. The parties were great, the people were fun, I actually learned some stuff, and took away a few new ideas for vulnerabilities. So all in all it was a great time. At one point I found myself staring face to face with a vacant Google booth. So I took it upon myself to seize the moment, especially since Google hasn’t figured out how to put computers into kiosk mode (they weren’t the only ones either, by the way - ask mubix). *sigh*


The really amusing part was when a rather dim-witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, “Don’t worry, we were just playing a practical joke on you.” To which she said, “Okay.” Okay indeed.

So you’ve seen ha.ckers.org on Google’s own machines at a security conference - where there’s so much irony it hurts. But what about you guys? Where can you get ha.ckers.org to show up in places it shouldn’t be? I’ll give out some sort of special prize for the winner - I just haven’t figured out what it is yet.

Little Updates

Monday, April 20th, 2009

RSAcon is starting today - and yes, I do plan on being there for anyone who happens to be in the bay. I also suggest checking out the WASC meetup on Wednesday at lunch. If you are excited about webappsec you should probably make the meetup. It’s grown to be huge from a few short years ago. We pretty much fill up that entire pool hall at Jillian’s. So yeah, it’s worth being there if you can make it. If you can’t, I suggest you live vicariously, 160 characters at a time, via the IRC over SMS that is Twitter.

Next, for those of you who are into good causes, Johnny Long sent out an email saying that the informer is back online. So if you have anything to disclose and you want to help out kids - disclose it there and let everyone know. Johnny was nice enough to send out a really nice x-mas card with the kids thanking us and letting us know that the clickjacking article helped, along with a nice video etc… Johnny is a nice guy!

Browser Power Consumption

Monday, December 1st, 2008

This isn’t like most of the other posts I do on here since it’s only tangentially security related, but it was a fun experiment that we spent a few days working on over the last few weeks. We were researching “green” browsing, and found that certain client-side internet technologies, like Flash and JavaScript, to name a few, were the worst in terms of power consumption. For anyone interested in this topic feel free to review the paper here.

For those of you who don’t have time to read the whole thing, the gist is that NoScript and Adblock Plus do a very good job of reducing the power consumption of the least “green” websites. Just another reason to use them! I don’t consider myself to be much in the way of a conservationist, but stuff like this fascinates me since I live so close to the browser world. I hope everyone had a good Thanksgiving, for those in the US!

Private Investigator or Forensics Expert

Thursday, July 24th, 2008

What do I have in common with Magnum PI? What does id have in common with Dog the Bounty Hunter? Well in the state of Texas we all need PI licenses. That’s right, if you want to help anyone recover from an incident, investigate computer theft, or engage in any sort of investigation relating to computers whatsoever, you need to become a private investigator in Texas. We can chalk this up to lawyers legislating something they completely fail to understand.

Firstly, I highly doubt any of my customers would get any more value out of hiring Dog the Bounty Hunter to hunt through logs, or recover deleted data. Secondly, legislators are making broad statements like, “the computer industry needs cleaning up”. I’d like to make my own broad sweeping statement, “legislators who write ill-conceived laws need cleaning up.” I understand the reasoning, as poor as it might be. Proper handling of evidence is always an important thing for convictions, but this is far broader than that - even delving into the inner workings of private companies working to help other private companies do business.

I guess I better start waxing my chest and wearing dog tags, so I can start understanding how these darned computer thingies work.

WebAppSec Survey Time Plus A Fast Approaching DefCon and Blackhat

Sunday, July 20th, 2008

Yup, it’s about that time again. Jeremiah has put up yet another webappsec professional survey. If you haven’t taken a look at his previous surveys you should - some of them are actually pretty interesting. Either way, it’s worth looking at the results, even if you don’t take part in the survey itself.

Also, I should note that the time is quickly approaching in which we’ll all be descending upon Blackhat and DefCon. I’ll be speaking at Blackhat on Xploiting Google Gadgets and giving an abbreviated version of the speech at DefCon as well. I’m also doing another speech at DefCon with Rich Mogul, David Mortman, Chris Hoff, Robert Graham, and David Maynor called All Your Sploits (and Servers) Are Belong To Us. So if you are planning on being there, drop on by and introduce yourself! I hope to see you all there.

Searchable SWFs

Tuesday, July 1st, 2008

I got forwarded this link today from businesswire about how Google and Yahoo are now going to be armed with the information necessary to look at and extract information out of SWF files. Ho-boy, here we go. The link was sent to me with the “bad juju” caveat, and I’m pretty sure I agree.

The problem is, like anything, if the search engines start pulling down rich applications that actually interact with the web application, there are untold issues that could arise. For instance, Flash applications have quite a few rich features in them, and some of that could be dangerous if they interact with back-end applications. Also, if the word “test” appears in a Flash movie, does that mean it should get indexed? Or is it a frame that’s not visible, or off the side of the page, or whatever? What if it takes ten minutes to find that particular line of text through dozens of sub-menus? Are people really going to sit for that?

Do people really want to load a Flash movie when they query for things? I know I sure don’t! I’m already annoyed when I get linked to PDF files or .docx files. I think this just takes searching to a new level where people don’t actually want to go. Instead of crawling deeper and refining their search, the search engines are going to new mediums to stave off the people (like myself) who have argued that Flash isn’t a good medium for accessibility, usability and SEO. SEO is going to be off the table soon enough, leaving accessibility and usability.

But seriously, what’s next? Are the search engines going to decompile Java applets looking for text? As a side note, this should, at least in the short term, lead to a new round of Flash hacking, once it goes live. I’ll give a tee-shirt to the first person who writes a Google dork for internal Flash text that leads to exploitation.

Blackhat Breach/OWASP/WASC Party

Thursday, June 26th, 2008

Notice how I’m always fashionably late to the party? Well anyway, this time is no different, but I highly recommend if you are heading out to Blackhat this year you try to hit up the Breach/OWASP/WASC party on Wednesday night. The details are on Jeremiah’s blog.

Think about it like this - Dinis Cruz is drinking and yelling at the top of his lungs something about creating a Warhol worm to “show them all”, Jeff Williams is yelling something about how whitebox scanning is the only answer, Ivan Ristić is talking so quietly I can hardly hear him, Jer’s wife does some MMA on the Whitehat Security newbies, Portswigger is yelling something in some crazy cockney accent that I can hardly understand - but I’m sure I’m agreeing with him on whatever it is. It’s just a great time. I hope to see you all there!

TJX Whistle Blower

Thursday, May 22nd, 2008

I had some very disturbing news today from one of the forum users - he had just been fired by TJX for whistleblowing on their security issues. CrYpTiC_MauleR, whose posts on TJX can be found here, was fired today by TJX for talking about the company’s security flaws. This is the same company who recently lost millions of credit card numbers, for those of you who don’t recall. They tracked him down by IP (we’re still not completely sure how they did this, but we think it may have to do with a DynDNS account he uses), contacted his ISP to find out who he was, brought him into the office, questioned him about what he found, asked him to write down his thoughts on how to fix the issues and then promptly fired him.

I completely understand why a company would want to reduce their risk, but this doesn’t bode well for future would-be whistleblowers, or for the future state of security for TJX. CrYpTiC_MauleR has been a long-time poster on sla.ckers.org and has made a lot of contributions. I, for one, feel terrible about what happened, and I implore the community to reach out to him on sla.ckers.org, especially if you are looking for someone to help out in any open positions you might have. I think the best possible outcome of this would be that he gets a better job for caring about consumer security at large. Only time will tell.

But as a side note, I must caution everyone who prefers full disclosure as a rule, to be particularly cautious when posting that information, especially when it’s under your own name or a name you use elsewhere that may be tied back to you. Many of the largest companies on earth post to or read this site regularly, and no doubt someone will take personal offense at your actions, so I encourage everyone by way of example to please protect yourself - especially from those who would claim to care about security. Only actions matter in this world.

State of Affairs

Monday, May 19th, 2008

This post is a few months overdue but here it is. I’ve been heavily involved in the security industry in one respect or another for well over a decade, and until recently, I had the luxury of being able to talk about whatever I pleased, especially once I got myself out of a few handcuffs that I was bound by a few years ago (around the time I started this blog). I had a lot to say and hence you had this website in all its glory. However, since I started my own company, I’ve had the fortune or misfortune, however you want to look at it, of being exposed to a lot of things I wouldn’t have been able to see otherwise.

That means I am now under contract with lots of the same companies I have talked about in the past - the same companies I have talked about in both positive and negative ways. Clearly I’m not out to screw anyone; the negative stuff was mostly about my feelings regarding certain technologies. If you have seen me suspiciously not talking about things, it’s probably because I’m either too busy to talk about it or I have a reason I’m not talking about it. Long ago I used to say that I talk about 1/3 of what I know. Another 1/3 was stuff that could only hurt people with no positive gain, and the last 1/3 was stuff that was just too theoretical or too out there for people to understand since it wasn’t yet provable. Unfortunately, the first 1/3 (the stuff I can talk about) has been shrinking rapidly and being replaced by a fairly large percentage of things I cannot discuss. That means I’m less fun to read in blog posts, in interviews and at parties.

Rest assured, my knowledge has increased a lot since starting this website due in large part to how much more I have had the privilege of being exposed to. So the irony is, I know more but I can talk about less than ever before. Jeremiah and I were talking about this exact thing last week - he had the same feelings. Which means this blog is going to get more and more watered down with time, and there’s just nothing I can reasonably do about that, save quit and take up writing full time and I know how poorly writers get paid. ;)

That’s the downside. The upside is that I am not going to stop blogging, but it might not look like it has in the past, if you read my earlier posts. I thought this was an important distinction to make public, just as I did when I told everyone that I was starting my own company so I could no longer be considered an unbiased source of information.

I started this site because of my family. I wanted a chance to make the Internet a safe place for them to interact with. What better way than to scream from the mountain top that is ha.ckers.org about the issues I see on a daily basis? I can, with lots of quantifiable evidence, say that things are worse now than they were when I started this site. But at least now people are finally aware of the problems, enough to carry that torch without my direct input. The topic of Webappsec was esoteric and lame to most people even two years ago, but now it’s finally come into its own, and not just because I decry it, but because there are dozens of websites and many companies devoted to the topic now. My hope is that maybe one of the readers of this site will pick up where I left off and do what I have, as of this moment, been incapable of doing - make the Internet a safe place for all our families. I will continue to do the same with a slightly diminished vocal profile than before.

I apologize if this post seems like any sort of betrayal, as that’s sincerely the last thing I would want. But in the spirit of full disclosure, I wanted to at least let you know why things may seem a lot slower now than they did even a year ago. Although I can’t tell you what I know, I will tell you this - things are far worse than they appear, and there is no shortage of extremely vulnerable applications out there, as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are.

Lastly, I will talk about this more in the coming months, but I am writing a book that will probably be one of the few highly technical documents I put out to the public for a while. Even though it might appear that I’m writing less than ever, in actuality, I’m writing more. O’Reilly has tentatively agreed to publish it (contracts are not yet signed so no promises yet) and I’m really looking forward to getting it out into the hands of the people who do want to make a positive change towards the security of the Internet. If you’re one of those people I invite you to read the book when it’s finished. I’ll give more details at a later date.

I looked at my Google feedfetcher stat today in my logs - over 3,800 subscribers on Google news alone with over 7,000 total subscribers through various feed readers alone! For those of you who have followed this blog for the two years or so since I started it or for any substantial time, I really appreciate your readership. Thank you, everyone. I mean it! You’re like family to me - you know, like that close-talking crazy aunt that no one likes, who has all those cats. ;)