links for 2008-06-21

links for 2008-06-20

Resources for application security education

As I’ve been getting myself up to speed in learning about application security, a few resources have been extremely helpful.

A good general background on application security issues, unsurprisingly, is contained in The Art of Software Security Testing, co-authored by Veracode cofounder Chris Wysopal. The book goes beyond the basic description of classes of application security vulnerabilities into specific recommendations for testing strategies and ways to improve the software development lifecycle to avoid introducing vulnerabilities.

There have been a few pivotal written works about how certain classes of software vulnerability work. The canonical one is the Cult of the Dead Cow’s “The Tao of Windows Buffer Overflow,” written by veteran hacker Dildog. Written in a clear and easy to read (if profane) style, this work should scare the living bejeezus out of you.

There are some more business friendly summaries of other vulnerability classes available. One source for this information is Veracode’s own web site, which features clear explanations of SQL injection and cross-site scripting (XSS).

Serious new Mac OS X escalation of privilege vulnerability

Slashdot is reporting a new escalation of privilege vulnerability in Mac OS X 10.4 and 10.5. The details are a little sparse, but it appears that calling the Apple Remote Desktop Agent (ARDAgent) from AppleScript allows execution of arbitrary code with root privilege. Bad, for sure.

The mitigating factor is that it requires execution as the currently logged-in user from the UI session, and apparently can’t be initiated over an SSH or other remote connection unless the attacker can log in as an account that is currently physically logged in on the machine. However, at a minimum it allows brute-forcing root access on any kiosk or other restricted machine that can be physically accessed. And one intelligent poster points out that all it takes is a phishing exploit that gets the user to execute the code on their own machine to open things wide up for a remote assailant, or a buffer overflow in (Safari, QuickTime, Flash, Firefox) that allows starting a shell.

Incidentally, simply disabling remote access is insufficient to prevent the attack. The ARDAgent.app must physically be removed from the machine. (For those interested, it’s usually found in /System/Library/CoreServices/RemoteManagement/.)
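For admins who want to confirm whether a machine still carries the bundle the post says must be removed, here is a small audit function (an added example, not from the original post). The bundle path is the one given above; the setuid check is my assumption about why the agent is abusable, and the helper name `ardagent_status` is mine.

```shell
# Added example: report whether the ARDAgent.app bundle is still present
# on a Mac and whether anything inside it is setuid. The default path is
# the one from the post; the setuid check is an assumption, offered because
# disabling Remote Management alone does not clear that bit, while removing
# the bundle (the post's mitigation) does.
ARDAGENT_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"

# ardagent_status [BUNDLE_DIR]
#   Prints exactly one word: absent | present-setuid | present-nosetuid
#   BUNDLE_DIR defaults to the path from the post.
ardagent_status() {
    bundle="${1:-$ARDAGENT_DEFAULT}"
    if [ ! -d "$bundle" ]; then
        echo absent
        return 0
    fi
    # -perm -4000 matches files with the setuid bit set (GNU and BSD find).
    if [ -n "$(find "$bundle" -type f -perm -4000 2>/dev/null)" ]; then
        echo present-setuid
    else
        echo present-nosetuid
    fi
}

# Stand-alone use: audit the default location and exit non-zero if it is
# still present, so the script can be dropped into an inventory job.
if [ "${1:-}" = "--check" ]; then
    status=$(ardagent_status)
    echo "ARDAgent: $status"
    [ "$status" = absent ]
fi
```

Run with `sh audit.sh --check` on the Mac in question; any status other than `absent` means the bundle has not been removed.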

Apple needs to close this pronto.

N. Marie Brackbill, 1943 – 2008

My aunt Marie passed away Monday afternoon. This one hurts. Unlike my grandfather, who had been in ill health for quite a few years before his death in January, we didn’t even know how sick she was until two months ago.

My aunt was one of the strongest people I know. Stricken with juvenile arthritis at the age of nine and spending the next two years in the hospital recovering, she was put on a path at an early age that might have limited her potential. But she recovered her mobility (albeit with the aid of multiple joint replacements over the years), learned to drive, went to college, became a teacher, and then did a career change into accounting, business, and quantitative analysis. She was always independent, stubbornly so, living alone for many years.

It’s not her stubborn independence that I’ll remember as much as her sense of humor and her willingness to treat me as an adult when I was still very much a kid. She treasured the company of her cats, and let me name one of them. At the time we were both reading Lord of the Rings, so I suggested Boromir. Yes, it was a geeky thing to do, but she had already named one cat Bilbo Baggins, so we were very much on the same wavelength. Boromir it was. And she was always a lot of fun to be with. I still remember dinners out with her at the Corn Crib, a corny pizza place with a warped sense of humor (a sign above the door said, “In the event of nuclear war, will the last person to leave please turn off the soup!”).

It was during her early years as an accountant that she came to stay with my family when I was growing up. I think it was because she spent so much time with us that she had such a strong influence on me. I don’t think I’d be half the bookworm I am without her, and I know I wouldn’t be as brave. She was never one to hold back what she thought and never one to bite her tongue when she thought something was wrong. In her last days, we used to hold out hope that she would pull through by saying, “At least she’s still got her sharp tongue.” When my sister was sufficiently alarmed by updates on her health to drive through the night to get to see her, my aunt’s first words as she walked through the door at 3 am were “You’re an idiot!” And of course she was right, she was always right.

I’m really angry about her passing. To watch her struggle for so long against her various illnesses, only to see her get blindsided by the left hook of cancer, is maddening. Not only that: the fact that her cancer was so advanced when it was diagnosed makes me think, if only it had been caught sooner! But ultimately that’s self-delusional: her cancer was a type that has a very poor cure rate, and we know it was very aggressive. I suppose I’m angriest for selfish reasons: I wanted her to be a part of my family’s life for a very long time. I miss you already, Aunt Marie.

links for 2008-06-18

Get a jump on Download Day

Courtesy of a little bird, it’s possible to download Firefox 3.0 already, though it hasn’t been announced yet.

The latest public download is RC3:

http://download.mozilla.org/?product=firefox-3.0rc3&os=win&lang=en-US

but if you remove rc3 from the URL, you get:

http://download.mozilla.org/?product=firefox-3.0&os=win&lang=en-US

which is a valid URL. (So much for security by obscurity.) Enjoy your early start on Download Day! (Tip o’ the hat to Dil.)

Update: Or not. The version string in the -3.0 version is the same as the one in the RC3 version about box. Oh well.

links for 2008-06-17

What does “beta” mean for Software as a Service?

Steve Johnson at Pragmatic Marketing points to an interesting article on five different types of betas. One of Steve’s commenters suggests there is a sixth kind, the SaaS beta:

…ratchet up your release cycles to monthly, then you can call it a ‘release’ or a ‘beta.’ Either way customers get their hands on the new functionality. If they don’t like what they get you’ll hear about it.

The good news about SaaS is that, by eliminating concerns about customer migration and installation costs, you can truly embrace the frequent releases recommended by most agile methodologies. The bad news is that four to six week release cycles don’t leave much time for customer feedback, and so most of it comes after the update has been pushed, when sales and customers start pushing back on some of the changes (or asking for more).

One way around this is inherent in the agile model itself. By breaking down new functionality into small chunks for release, you can take customer feedback as each chunk is delivered. You may be wrong with every release, but you won’t be as dramatically wrong as if you waited six months before getting customer feedback, and you’ll be able to quickly find and correct the areas where you were wrong with each new functional push.

In the meantime, you can take your overall plan for the functionality that you hope to have completely delivered over three to four releases, whether in the form of a design prototype or even a set of slides, in front of your key customers and get their feedback, and prioritize any changes into upcoming releases.

Piece of the past

While I was in Pennsylvania, I helped my uncle move some junk out of the storage unit where we put some of my grandfather’s things. A few items held memories for me (I never could get comfortable on that fold-up metal cot, and was glad to see it go), but others were remnants: the boxes for his stereo, a piece of old demolished kitchen cabinets that was being used as a laundry table.

I happened to open one of the drawers in the aforementioned kitchen cabinets, and found an odd artifact: a hand drill, but looking like none I had ever seen. I asked my uncle about it, and he said he remembered using it with my grandfather on the farm back in the 1950s and 1960s. He said I could take it, so I brought it home.

The lettering on the gear handle said “Millers Falls Company, Greenfield, Mass.” A little searching turned up a history of the Millers Falls company and an illustration, description and photograph of our drill: a number 308, the so called “Buck Rogers” drill. The drill as manufactured featured red plastic grips and a fully enclosed gear, which had the benefit of keeping the mechanism working smoothly even after many years in a drawer. My grandfather’s was missing the box, and had white paint on both handles, but otherwise was intact. The handle still had some of the drill bits inside, though I haven’t looked closely to see if they are the originals.

It was oddly evocative to have this palm-size memento of my grandfather, who was so much bigger, whose hands fixed and built, fed and sheltered his family, until he couldn’t any more.

Waiting for a phone call

I came home from Pennsylvania on Saturday, which stands as one of the harder things that I’ve had to do. My aunt’s condition has been up and down. While I was there she was lucid, eating and drinking a little, watching the Phillies beat up St. Louis, and ornery (she complained to the nurses that while they had temporarily rolled her away from the TV, the Phillies got their first three runs of the game). But she’s in a lot of pain and keeps getting more and more health complications, and our guess as to how long she’ll be with us keeps spinning around to longer and shorter numbers.

I wish I could just have stayed there. A good part of my mind is still there. Now all I can do is wait for a phone call. My connection to my aunt and her status now comes in drips and drops over a long distance wire.

links for 2008-06-14

links for 2008-06-13