web application security lab

Archive for the 'General News' Category

Google Ranked Worst In Privacy

Tuesday, June 12th, 2007

This is a non-technical post and completely my own opinion (as if you asked). I’m sure you all have seen this by now, in the news, on blogs, or even on Google employees’ sites, but it’s time for me to discuss my view on Google recently being ranked as having the absolute worst privacy of the 23 companies chosen for scrutiny by Privacy International in their latest report. They ranked lower than anyone else looked at, and the list included companies like Microsoft, eBay, Yahoo and MySpace. Here is a choice quote that should put to rest the idea, which some people have conjectured, that this is simply some rogue company’s vendetta against Google:

This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet.

Again, Matt Cutts let me down when he responded to this by pointing to other people’s follies instead of focusing on Google’s privacy issues. Shame on you Matt - and didn’t Google buy a huge stake in AOL right before that privacy disclosure happened? It’s easy to point fingers but please do your homework first. I have to give Matt some leeway here - he may simply be ignorant of how the rest of the company operates.

Anyway, as a side note this was followed up by an interesting thread finding more places where a man in the middle could read usernames and passwords in Google. Google doesn’t have a great track record with security either. Tons of private information and very poor track record in keeping that information safe? Great combination.

I’ve had the dubious distinction of being tangentially part of some secret Google meetings (I am under no NDAs with them in any shape or form) and I have no doubt in my mind that every accusation made against them is true - and some I have actually seen myself. While Google plays the we’re not evil dance to the devil’s flute, the rest of the industry is actually trying to play by the rules. Even the FTC sided against Google in the Microsoft anti-trust case where Google claimed that Google’s Desktop wasn’t as useful on Vista as it was on XP. Microsoft’s answer? Google Desktop slows the computer down, it’s not Vista slowing Google’s Desktop down. Touché! I don’t blame the FTC for putting the advertising company in its place - especially an advertising company that intends on buying another advertising company that people have loathed for their privacy mis-deeds for nearly a decade (DoubleClick). I used to work for an advertising company - I personally have experienced how evil they are.

Google’s tools cannot be easily avoided, even by people who choose not to download their spyware. Adsense and Google Analytics also report home and can track users as they travel from domain to domain, as do the Google images that you see on search boxes that float all over the Internet. Unless consumers know how to avoid Google’s reach, they cannot simply avoid Google by not using their downloaded executables or their search engine. That to me constitutes a huge risk to privacy. That they delete or rather anonymize (and how good is that anonymization strategy, really?) after two years is irrelevant - that’s already too long when you combine it with all the other forms of information that they have access to and log. Yes, it is a requirement of the various governments they work with, but the governments don’t ask them to combine this information, they do that on their own.

The next most common thing I hear is that most of the tracked information is only used to tune the search engine. While that sounds like a noble task, what if I am uncomfortable with having personally identifiable information combined into custom or targeted search queries? Why is there no way to opt out of their reach (even DoubleClick had this)? Herein lies my biggest concern and why I recommend privacy concerned people seek alternatives. I’ve stopped using all things Google whenever possible, and am considering adding their entire netblock to my egress filters, except for testing purposes. While Google is an innovative company in some respects, I don’t trust the motives of an advertising company. Are they any better or worse than the others? There’s probably no way to know for sure, but at least the others are forthcoming.

Worst Idea Ever

Friday, June 1st, 2007

I’m not sure I can add anything to this link because it pretty much does all the talking for itself. Check this out. “Just upload one of your files and see what you get!” Wow, just… wow. Every once in a while you just see something that makes you want to smack someone around. This is one of those times. Who came up with this?

Where is/was RSnake?

Saturday, May 5th, 2007

This is a non-technical post, just to let everyone know what’s going on. It’s been a crazy last few weeks and it only gets more crazy. After moving to Texas, I’ve been working really hard on a client of ours, getting our office set up, and learning my way around. It’s been a lot of fun but a lot of hard work. But over the next week it’s going to get more interesting.

Next week I am going to be doing a lot of talks. Firstly I’m doing three talks (two short ones for executives and one long one for the developers) at Microsoft’s Bluehat conference. I’m doing a talk on Death by 1000 cuts (well, not entirely, but similar concept - on how small holes become a big deal). Here’s the overview:

Web application security is the new security frontier. Firewalls, IDSs, and IPSs have become all but commodities. Today’s threats completely circumvent the whole concept of network security, attacking websites, web browsers and the victims themselves. Many modern threats don’t damage websites at all, but they can have drastically bad effects on users and corporate perception. Phishing, cross-site scripting, cross-site request forgeries and dozens of technologies tied together greatly increase the threat landscape. This talk will do a deep dive into the technical aspects of the threat, while keeping a steady eye on the consumer issues that drive large-scale website design.

That’ll be fun, and I’m sure I’ll have a lot more stories once I get back. After that I’ll be doing a very short talk at Toorcon’s Seattle Beta conference. It’s an invite-only conference with 150 people or so (not on their website). Here’s the overview on my “Master Recon Tool” talk:

A 5 minute power presentation that just discusses a new tool that helps combine many known browser based information disclosure issues into one (hence the word “Master”). It also turns into a cool acronym when you spell it out. MR-T (Mr. T - as in, “I pity the foo who uses JavaScript”). When combined they can tell a lot about the target, or multiple targets who visit the website under an attacker’s control. Since we know 80% of websites are XSS-able, 99% of users use JavaScript and 100% of web users use more than one website it provides a good framework for knowing more about your or other people’s web users.

So if anyone is going to be at either of those, drop me a line if you want to meet up at some point. So if I don’t do a lot of posting over the next week that’s what’s going on.

XSS Book Preview

Monday, April 23rd, 2007

Well, we are finally done with the XSS book (XSS Attacks - Cross Site Scripting Attacks Exploits and Defense). It’s off at the presses, and should be on the shelves in a few weeks’ time. We were authorized to throw up a sample chapter and the table of contents from the book for anyone who would like to read it. You can download a zipped up version of Chapter 5 and the table of contents.

Since it wasn’t super clear, and because we had a tiny bit of a cast change, here is the final author list from the book: Jeremiah Grossman, Robert “RSnake” Hansen, Petko “pdp” D. Petkov, Anton Rager and Seth Fogie (both a technical editor and contributor). I hope anyone who buys the book likes what they read. Please take a look at the zip file for anyone curious about what the book is like. It’s a technical read, but I think it’s a good reference for anyone new to the field or anyone unfamiliar with the nuances of what we talk about every day.

Btw, I am in the process of making a big move across the country, so starting tomorrow and over the next several days the posts on the site will slow or completely stop. I’ll have next to no access to any computer. I’ll be back online hopefully by the end of the week. Catch you on the flip side!

Visual Complexity

Saturday, April 14th, 2007

Yesterday was my very last day at my old day job, so I was swamped with goodbye meetings. It’s good to be doing security full time. This isn’t going to be a technical post as a result. Anyway, a few weekends ago, I thought through what it would take to graph out some of the thoughts I’ve had about some of the more bizarre stats I’ve got, both in my logs and in other sets of data that I could get a hold of. I spent at least 5-6 hours looking through various types of graphs as well as graphing programs to help visualize some known attributes. This is more eye candy than anything, but I thought I’d at least share some of the cool stuff I found, like Visual Complexity and the site on Data Mining, both of which I think are highly relevant to some of the stuff I’m working on.

Unfortunately I can’t find any good free software to do this sort of work for me that doesn’t require a full fledged programming language, so I think I’ll just have to stick to my mental theories since I can’t quickly draw it out by hand. Specifically I have some thoughts on how robot activity can be demonstrated and proven using known patterns, and how certain signatures relate to other signatures, both for passive and active scanning. It’s too complicated to go over in a single post, but anyway, just some cool graphs!

Lol! i rUn da site!!#@!!!

Sunday, April 1st, 2007

my name is emily nice to meet u all this guy came up to me and aksed if i wanted a site so i said sure an he aksed how old i waz and i said 13 lol!!! and he aksed how much i had an i said 5 dolarz an he said sure lol! so i guess i run this site so i should start doing stuff u can see the colorz hav changed cuz those old colorz are so yesterday rofl!!!

so it is nice to own the site an expect to see some changes around here lol!!! ill take some pictures of my poniez an put them online so u can all see them lollll!!! xoxoxox

Google Hires RSnake

Sunday, April 1st, 2007

I’m sorry to say this but this will be my last post at ha.ckers.org. Why you ask? Because Google has hired me! What about my company? Well, I was always waiting for a good offer to buy me out, so Google decided to pay that thing off and hire me directly. id is shit out of luck, but I’m going to be living in a nice luxury house in Palo Alto. Last I heard id was going to start a biker bar somewhere - he’s not talking to me anymore. How did this all come to be?

Google sent me a few emails asking me about anti-anti-anti DNS pinning. Finally they just came out and said, “You know, we find this whole anti-anti-anti DNS pinning stuff very confusing and distracting. After looking into it, we can’t figure out how to stop it, and rather than fixing it, we’d prefer if you could just stop talking about it.”

Most of the details of the deal are secret, but there are two terms that I feel you should all know about. Firstly, they said they can’t hire anyone who doesn’t have a degree from Stanford, so they granted me a degree since they are so in bed with the people who run the school. So, cool, I now have a degree in liberal arts. Secondly, Google said that I’d have to sell or get rid of my site. They don’t want anyone talking about their holes anymore. So I’ve decided to sell it to the first person I find who wants it. So consider this my last post on ha.ckers.org. It’s been a great ride, but I’m off to sell some banner ads! Ciao!

SecTheory

Tuesday, March 20th, 2007

Just a forewarning, this is a personal blog entry, and has no technical content. I’ve been blogging on ha.ckers.org for over 500 posts now, and I have done my best to stay honest and give all my readers the facts necessary to make their own decisions about the products they use, the technology they employ and the risks they face. One thing I have said on a number of occasions is that I do not work in security. At the time I wrote that, I was telling the truth: I was working as a director of product management for a publicly traded real-estate company. I was making sure the colors of the page matched up, and that the search engines had the right business rules taken into account. Business only, no security. That may come as a shock to a lot of people, but I really had nothing to do with security for the last year since I started working there.

Of course, prior to that I worked for a number of big companies leading up security services, building anti-phishing, anti-virus, anti-cross-site-scripting, and anti-fraud tools and techniques. I’d been involved in security since there really was a web application to secure in the first place (anyone who tells you that they’ve been in security longer than I have is talking about DECs and Alphas, and I’m not even sure how those are relevant to modern applications anyway). Regardless, although I didn’t work in security for the last year (since before I started this blog) I definitely have my roots in security. If it’s not obvious, this is my passion, and I’ve been out of it for too long.

So I’m starting a new consulting company called SecTheory with id and a few other part-time contractors. You may have heard about it on Slashdot, in the Wall Street Journal, on Anurag’s blog, in press releases by Click Forensics, or I may have told you myself in passing, but I never made it clear on this website. The goal is to deal with middle-sized companies who need security help with some of their harder problems, but can’t afford to hire someone full time. Also, I have already helped a number of small security startups with their technology strategy, and I will continue to do so. That said, I can no longer be considered completely unbiased as I am now a member of the security community again. In the spirit of full disclosure I thought it only fair for me to explain my new company, and what my plans are for it, so there are no secrets and each of you can make your own informed decisions about why I am saying whatever it is I am saying.

So from time to time you may see me reference material that I will be putting on SecTheory (more of the business side most likely). For the time being it’s just a shell of a site, and there’s nothing interesting on it, but over time I’ll grow it (not into a community site, don’t worry) and put more content up there as time progresses. I plan on keeping ha.ckers.org and sla.ckers.org around for the foreseeable future, as I think the community needs to know what’s really happening out there, and it’s a way for me to communicate with all of you as well as with the vendor community that I both love and hate.

My only concern with releasing this information is that some people might be upset with my new company (see me as a competitor or a threat), but I assure you that’s not at all how I see it. In fact I see the security community growing with time, not shrinking. The only other threat I see is that I may get into situations where I cannot talk about clients because of non-disclosure agreements or whatever. This has already come up in a number of cases where I would have liked to disclose events that occurred, but I cannot for legal reasons. I have already communicated to a few potential clients that I reserve the right to talk about anything I learn on my own, or to talk about them only as “a company.” Wherever possible I will continue that trend to make sure I can share what I learn with the community.

So onward and upward. I’m really glad to be back amongst the ranks. It’s the first time I’ve been really happy since I left. If that’s not a sign, I don’t know what is. If you have questions about the company, feel free to email me off thread and I’ll share what I can. Anyway, let’s get back to the technical meat, shall we?

My Biography As Told By Anurag

Friday, February 16th, 2007

It’s pretty cool to have someone else write about you. There have been so many things I’ve done over the last 12 years that it’s really hard to keep track of it all. Anurag did a pretty good job of getting a good chunk of my security background out of me. Pretty cool actually. I guess now that my name is out there people are getting to know me a little better (for good or bad, who’s to say?).

Things I didn’t mention in the interview - I’ve worked in banner advertising, I founded EHAP, and I helped invent some of almost everything that’s annoying and wrong with the internet (including spamming tools, delayed popups/popunders, and viral marketing). I’ve got a varied past, but these days I’m sticking with security and SEO - the two things that seem to evolve at the fastest pace on the Internet. Anyway, nothing new here, move along.

Yet Another XSS Archive

Friday, February 9th, 2007

Kuza55 pointed me to yet another XSS vulnerability archive today. Seems that there are more of these popping up recently. This one is a little better than most, although it only has a handful listed, compared to the 1000+ listed on sla.ckers.org.

It appears to be mostly looking at international and .gov sites so far (with an emphasis on PageRank or importance). It also has metrics to track who is the top discoverer of XSS vulnerabilities. I’m just waiting for whoever is going to scrape the “so it begins” thread on sla.ckers.org and completely own the top poster, or use a series of Google dorks to find hundreds or thousands of vulnerable sites. I’ve always thought ranking the number of vulnerabilities posted was rather silly given the sheer volume of vulnerable sites out there.