Update: One more speech added for Blackhat - turns out I am speaking there after all!

DefCon is fast approaching and I have a bunch of speeches to prep for (and this doesn’t include the other non-DefCon speeches on my roster). Thankfully I’m mostly done with my prep work, but there’s never enough time is there? If you happen to be at DefCon and want to hear me speak, here are the speeches and times:

1) Wednesday at 4:45 - Unmasking You! - I’ll be co-presenting with Josh Abraham about a bunch of anti-privacy 0day as well as a major privacy leak built into a huge percentage of browsers.

2) Friday at 2PM - DefCon Security Jam (AKA Fail speech) - I’ll be speaking about a really dumb/funny browser Fail.

3) Saturday at 3PM - Hijacking Web 2.0 Sites with SSLstrip - I’ll be co-presenting with Sam Bowne regarding Slowloris.

4) Sunday at 12PM - Unmasking You - repeat of the Blackhat talk.

So yeah, I’ll be very busy while I’m there. Feel free to drop by and say hi at some point if you happen to be at the conference. I’ll be checking Twitter periodically while I’m there too if you want to message me directly. If you know about any good industry parties please message me too. You can never have too many invites!

Going down memory lane I decided to go back and look at Microsoft’s Active Agent. For those of you who aren’t familiar with this, “Clippy” might sound more familiar. Clippy actually came much later. It all started with a little bird named “Peedy” the parrot. Peedy could read text, fly around, dance, look bored, and all kinds of stuff. It was scriptable, could be instantiated through a web-page and worked well in browsers that had the agent pre-installed (which was pretty much no one).

A few companies decided to try to create business models based on it - trying to read people’s emails for them, and other similar things. All doomed to failure and internet obscurity, although all very cool in their own way. Alas, as I was going and looking back at some old links I found this:

Microsoft has decided to discontinue development of Microsoft Agent technologies. Beginning with Windows® 7, Microsoft Agent will not be included or supported in future versions of the Microsoft Windows operating system. We encourage Microsoft Agent application developers and redistributors to evaluate their activities in light of this decision.

*sigh* Even though it never took off, Peedy will always have a place in my heart. Like that time we called up Bronc’s girlfriend and read off some ransom note we had crafted using Robby the robot’s text to speech. We laughed and laughed - until she called Bronc’s cell phone. You should have seen his face, “Hi honey. Yeah, we were just screwing around.” Man, that still cracks me up and yes he was in trouble. Yeah, we were dumb kids, but boy, Peedy and the gang will be missed! Farewell…

Some of you who have been following my blog over the last 3+ years may recall me talking about Content Restrictions - a way for websites to tell the browser to raise their security on pages where the site knows the content is user submitted and therefore potentially dangerous. In reality I’ve been talking about this for close to 5 years privately with the Mozilla team - back when their offices were about 2000 square feet and the entire office smelled like feet. Ahh, those were the days. Well, we are creeping very close to seeing Content Restrictions (now named Content Security Policy) in reality, finally! Thanks in huge part to Gerv and Brandon over at Mozilla.

I hear rumors that it should be released in Firefox-next (also known as 3.6 - scheduled for early to mid 2010). So give it another year or so and we should have a workable defense against XSS on pages that must allow user submitted HTML and JavaScript - think eBay, MySpace, and so on. The only trick is making sure the companies who have these problems have projects in their pipelines to use this header once it becomes live. So if you happen to know someone who works for a company who has this problem or happen to work there yourself, please make sure others are aware of this well ahead of time. I for one am very excited to see this approaching reality after all these years, and I encourage you to watch their website for updates if you are at all interested in building user submitted widgets and the like.

On a less thrilling note it also has some clickjacking defenses in it, but just like Microsoft’s X-FRAME-OPTIONS header, I think it’s really not particularly interesting, it’s an opt-in model and clickjacking is so prevalent as an avenue for attack. Opt in security models work on sites that know they’ve got a problem (like user submitted HTML and JS) not on sites that don’t know they’ve got a problem (like wireless access points and web enabled firewalls). Alas - I digress, and I don’t mean to diminish the overall positives of this solve. Indeed, I’m very excited by the future of Content Security Policy as it may make surfing “fun” sites safe again - even with JavaScript and Flash enabled! Wouldn’t that be a crazy thought?

In unrelated news, I did a podcast with Dennis Fisher over at Threatpost on some of the RFC1918 issues I discussed a few weeks back and Slowloris. If you’re interested, please feel free to have a listen!

This year’s RSAcon has been a lot of laughs. The parties were great, the people were fun, I actually learned some stuff, and took away a few new ideas for vulnerabilities. So all in all it was a great time. At one point I found my self staring face to face with a vacant Google booth. So I took it upon myself to seize the moment, especially since Google hasn’t figured out how to put computers into kiosk mode (they weren’t the only ones either, by the way - ask mubix). *sigh*

Click to enlarge

The really amusing part was when a rather dim witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, “Don’t worry, we were just playing a practical joke on you.” To which she said, “Okay.” Okay indeed.

So you’ve seen ha.ckers.org on Google’s own machines at a security conference - where there’s so much irony it hurts. But what about you guys? Where can you get ha.ckers.org to show up in places it shouldn’t be? I’ll give out some sort of special prize for the winner - I just haven’t figured out what it is yet.

RSAcon is starting today - and yes, I do plan on being there for anyone who happens to be in the bay. I also suggest checking out the WASC meetup on Wednesday at lunch. If you are excited about webappsec you should probably make the meet up. It’s grown to be huge from a few short years ago. We pretty much fill up that entire pool hall at Jillian’s. So yeah, it’s worth being there if you can make it. If you can’t, I suggest you live vicariously, 160 characters at a time via the IRC over SMS that is Twitter.

Next, for those of you who are into good causes Johnny Long sent out an email saying that the informer is back online. So if you have anything to disclose and you want to help out kids - disclose it there and let everyone know. Johnny was nice enough to send out a really nice x-mas card with the kids thanking us and lettings us know that the clickjacking article helped and a nice video etc… Johnny is a nice guy!

This isn’t like most the other posts I do on here since it’s only tangentially security related, but it was a fun experiment that we spent a few days working on over the last few weeks. We were researching “green” browsing, and found that certain client side internet technologies, like Flash and JavaScript, to name a few, were the worst in terms of power consumption. For anyone interested in this topic feel free to review the paper here.

For those of you who don’t have time to read the whole thing, the jist is that Noscript and Adblock Plus do a very good job of reducing the power consumption of the least “green” websites. Just another reason to use them! I don’t consider myself to be much in the way of a conservationist, but stuff like this fascinates me since I live so close to the browser world. I hope everyone had a good Thanksgiving, for those in the US!

What do I have in common with Magnum PI? What does id have in common with Dog the Bounty Hunter? Well in the state of Texas we all need PI licenses. That’s right, if you want to help anyone recover from an incident, investigate computer theft, or engage in any sort of investigation relating to computers whatsoever, you need to become a private investigator in Texas. We can chalk this up to lawyers legislating something they completely fail to understand.

Firstly, I highly doubt any of my customers would get any more value out of hiring Dog the Bounty Hunter to hunt through logs, or recover deleted data. Secondly, legislators are making broad statements like, “the computer industry needs cleaning up”. I’d like to make my own broad sweeping statement, “legislators who write ill-concieved laws need cleaning up.” I understand the reasoning, as poor as it might be. Proper handling of evidence, is always an important thing for convictions, but this is far more broad than that - even delving into the inner workings of private companies working to help other private companies do business.

I guess I better start waxing my chest and wearing dog tags, so I can start understanding how these darned computer thingies work.

Yup, it’s about that time again. Jeremiah has put up yet another webappsec professional survey. If you haven’t taken a look at his previous surveys you should - some of them are actually pretty interesting. Either way, it’s worth looking at the results, even if you don’t take part in the survey itself.

Also, I should note that the time is quickly approaching in which we’ll all be descending upon Blackhat and DefCon. I’ll be speaking at Blackhat on Xploiting Google Gadgets and an abrieviated version of the speech at DefCon as well. I’m also doing another speech at DefCon with Rich Mogul, David Mortman, Chris Hoff, Robert Graham, and David Maynor called All Your Sploits (and Servers) Are Belong To Us. So if you are planning on being there, drop on by and introduce yourself! I hope to see you all there.

I got forwarded this link today from businesswire about how Google and Yahoo are now going to be armed with the information necessary to look at and extract information out of SWF files. Ho-boy, here we go. The link was sent to me with the “bad juju” caveat, and I’m pretty sure I agree.

The problem is, like anything, if the search engines start pulling down rich applications that actually interact with the web application, there is untold issues that could arise. For instance, Flash applications have quite a bit of rich features in them, and some of that could be dangerous if they interact with back end applications. Also, if the word “test” appears in a Flash movie, does that mean it should get indexed? Or is it a frame that’s not visible, or off the side of the page, or whatever? What if it takes ten minutes to find that particular line of text or dozens of sub-menus? Are people really going to sit for that?

Do people really want to load a Flash movie when they query for things? I know I sure don’t! I’m already annoyed when I get linked to PDF files or .docx files. I think this just takes searching to a new level where people don’t actually want to go. Instead of crawling deeper and refining their search, the search engines are going to new mediums to stave off the people (like myself) who have argued that Flash isn’t a good medium for accessibility, usability and SEO. SEO is going to be off the table soon enough, leaving accessibility and usability.

But seriously, what’s next? Are the search engines going to decompile Java applets looking for text? As a side note, this should, at least in the short term, lead to a new round of Flash hacking, once it goes live. I’ll give a tee-shirt to the first person who writes a Google dork for internal Flash text that leads to exploitation.

Notice how I’m always fashionably late to the party? Well anyway, this time is no different, but I highly recommend if you are heading out to Blackhat this year you try to hit up the Breach/OWASP/WASC party on Wednesday night. The details are on Jeremiah’s blog.

Think about it like this - Dinis Cruz is drinking and yelling at the top of his lungs something about creating a worhol worm to “show them all”, Jeff Williams is yelling something about how whitebox scanning is the only answer, Ivan Ristić is talking so quiet I can’t hardly hear him, Jer’s wife does some MMA on the Whitehat Security newbies, Portswigger is yelling something in some crazy cockney accent that I can hardly understand - but I’m sure I’m agreeing with him on whatever it is. It’s just a great time. I hope to see you all there!