Month: July 2009

Whose file is it anyway?

One of the things that starting out as a computer science major does for you is give you a finer appreciation for just how buggy software is. While massive storage, middleware and caching, ever more sophisticated microprocessors, service-oriented architecture, and the like make things appear a little more reliable, the fact is it’s a miracle all of this stuff works half of the time.
The truth is, when it comes to security, your average application more closely resembles Swiss cheese than a Swiss bank in terms of the number of holes by which it may be compromised. Frequently, the path to poking through those holes and compromising an app’s security runs through user-level controls (or the lack thereof).
There have been a number of recent examples of this kind of security hole in situations as innocuous as document and file management. Here’s one involving Facebook, documented in an InformationWeek article earlier this year entitled “25 Things Facebook Couldn’t Keep Secret in Court.”


As a senior product manager for Adobe surmised in the article: “At some point in the document’s workflow, it appears that someone added a white rectangle over white text in order to cover it. And that’s what they thought was sufficient to make that content undiscoverable. That’s not the right way to redact content.” No duh, as my teenage son would say.
Clever, but that’s nothing compared to some of the other PDF security holes plugged by Adobe this year. How about having an attacker take over complete control of your computer? In March, CNET wrote about the zero-day Reader vulnerability that Adobe was scrambling to patch. Overall, document and file attacks have become a ripe area for bad guys, with twice as many PDF attacks in July as in all of the first half of 2008.
It’s no surprise. If, like me, you can remember working with Microsoft Office in the mid-1990s, then you probably remember the Concept virus (sometimes called the Normal.dot macro virus), which spread through the macros embedded in Microsoft Word files. That was the first time I remember cleaning my PC and installing security software, Norton at the time.
But, our ignorance with what’s in our files and the information they carry is beyond technical. For example, when was the last time you looked at or consciously modified the Properties of your MS-Office file? (Do you even know what or where file properties are?)
Well, the next time you have a moment, take a look at them. If you are running the latest version of MS-Office, you can follow the sequence shown in the Scrib’d figures.

One of the things I’ve done for years is to add information to my summary file properties to designate authorship, copyright, user permissions, and other important elements, just in case a form document or thought piece for a company of mine somehow gets involved in a dispute.

In the reverse, a mild form of entertainment of mine is to occasionally browse the File Properties of documents that I receive from others – especially when they are from 3rd party service providers.

It’s amazing the little tidbits you can discover, related to document origination, travel history, etc. It’s especially humorous to get a form document from one law firm that the File Properties shows was created at another law firm – it’s happened!
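What the File Properties of a .docx actually carry, and how to read or blank them without opening Word, is easy to show in code. The following is an added example, not code from this post or from Microsoft: it builds a small docx-shaped archive in memory (the firm names, addresses and dates in it are invented) and then reads and scrubs docProps/core.xml and docProps/app.xml, which is where Word keeps the Summary and Statistics fields. The function names build_sample_docx, read_properties and scrub_properties are this example’s own.

```python
"""Added example (not code from the original post): read, then scrub, the
document properties that travel inside a .docx.

A .docx is a zip archive. The Properties Word shows live in docProps/core.xml
(author, last-modified-by, dates, revision count) and docProps/app.xml
(Company, Template, total editing time). The document below is constructed
in memory so the script runs offline; the names and dates in it are invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Keep Word's usual prefixes (and app.xml's default namespace) when re-serialising.
for _prefix, _uri in NS.items():
    ET.register_namespace("" if _prefix == "ep" else _prefix, _uri)

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>associate@firm-a.example</dc:creator>
  <cp:lastModifiedBy>partner@firm-b.example</cp:lastModifiedBy>
  <dcterms:created>2008-03-01T09:00:00Z</dcterms:created>
  <dcterms:modified>2009-07-15T17:42:00Z</dcterms:modified>
  <cp:revision>27</cp:revision>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Company>Firm A LLP</Company>
  <Template>FirmA-EngagementLetter.dotx</Template>
  <TotalTime>612</TotalTime>
</Properties>""".format(**NS)

# Property name -> (package part, element to look for).
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "lastModifiedBy": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "revision": ("docProps/core.xml", "cp:revision"),
    "company": ("docProps/app.xml", "ep:Company"),
    "template": ("docProps/app.xml", "ep:Template"),
    "editMinutes": ("docProps/app.xml", "ep:TotalTime"),
}
PARTS = {part for part, _ in FIELDS.values()}
# What gives away who wrote it and where; the two dates are left alone here.
IDENTIFYING = ("creator", "lastModifiedBy", "revision", "company", "template", "editMinutes")


def build_sample_docx() -> bytes:
    """Minimal docx-shaped zip (constructed test input, not a complete OOXML package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_properties(docx_bytes: bytes) -> dict:
    """Return the non-empty properties anyone holding the file can read."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        trees = {p: ET.fromstring(z.read(p)) for p in PARTS if p in z.namelist()}
    found = {}
    for name, (part, tag) in FIELDS.items():
        el = trees[part].find(tag, NS) if part in trees else None
        if el is not None and el.text:
            found[name] = el.text
    return found


def scrub_properties(docx_bytes: bytes) -> bytes:
    """Copy the archive with the identifying fields blanked in place.

    Blanking the elements instead of deleting the docProps parts keeps
    [Content_Types].xml and the package relationships consistent.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(data)
                for name in IDENTIFYING:
                    part, tag = FIELDS[name]
                    el = root.find(tag, NS) if part == item.filename else None
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("as received:", read_properties(sample))
    print("after scrub:", read_properties(scrub_properties(sample)))
```

Run it against a real file by replacing build_sample_docx() with open(path, "rb").read(). The same two parts exist in .xlsx and .pptx, so the reader works unchanged on those; what it does not cover is the older binary .doc format, comments, tracked changes, or embedded images, each of which can carry its own trail.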

As usual, the answer to whose file is it anyway is: “it’s yours.” That is, if you care about what happens to it and its contents. Therefore, just keep in mind that knowing a little more about files and applications and where they come from can make a difference in protecting your investment in the ideas and information that you share with others.


Why I love /.

Why do I love /. (aka, Slashdot)?   I’ve been a long-time reader of slashdot and have asked myself this question from time to time.  I am a classic lurker (Forrester calls us “spectators”) in the sense that I have never contributed, but am a loyal follower.  Why?  Because it’s like a barcamp run amok.

I learn something new every time I dive into the fascinating Slashdot headlines that hit my igoogle RSS feed.  Like last Sunday the 19th, I caught this interesting headline:  “Something may have just hit Jupiter”:  http://science.slashdot.org/story/09/07/20/0114250/Something-May-Have-Just-Hit-Jupiter?from=rss.  Then, three days later on Wednesday, the news about the Jupiter hit made the New York Times front page, after being confirmed by NASA. 

What I love about it is the way every discussion entry begins with a bit of news and links to the originating sources.   For example, I picked up a fascinating article about automatic game design months ago that still remains somewhat unique, in my opinion, about shedding light on the critical connection between gaming and learning:   http://togelius.blogspot.com/2008/12/automatic-game-design.html.

But, more often than not, the real magic of Slashdot is the free-for-all that goes on in the discussion thread that extends for pages and pages below the story header.  I find you learn, you laugh, you cringe, and you learn some more.  For example, here is a typical exchange – in this example – answering a PHP web developer’s inquiry regarding taking reasonable steps to protect his websites:  http://it.slashdot.org/article.pl?sid=09/02/09/2254232&from=rss

The replies ranged from technical:

OWASP is invaluable for learning the WHY and HOW behind security, but for an amateur, I think the first best thing he could do is apply the Suhosin patch for PHP: http://www.hardened-php.net/ [hardened-php.net]

This lets him worry about the why and how AFTER he’s already closed many of the attack vectors a default PHP install leaves open. Especially if he’s running below 5.2.x.

Furthermore, PHP has been more security focused since 5.01. You can learn a lot about security just by reading the release notes, even if you don’t think you’re learning about security!

For example, the filter_input() function. Instead of doing this:

$phone_number = $_POST['phone_number'];

do this:

$phone_number = filter_input(INPUT_POST, 'phone_number', FILTER_SANITIZE_STRING);

That simple change applied to all of your $_POST, $_GET (and/or $_REQUEST) look-ups will shut down most of your application-level attacks.

Any PHP developer should learn and ALWAYS use the new Filter features: http://us2.php.net/manual/en/ref.filter.php [php.net]

To the procedural:

It’s a few easy steps that keep most of the knuckleheads at bay.

Set up your site on a hosting service with automated backups. Dreamhost has a great backup system that can restore your entire site with DB in minutes once it’s been compromised. This will satisfy your client while you figure out how the defacer did his trick. It also puts the burden of OS-level security on them, so any intrusion will be incredibly unlikely to escalate privileges and purge the logs.

Minimize use of web software packages (forums, blogs, photo galleries, etc.). This will limit your site’s exposure to known exploits when you fail to keep these packages updated. If you must use such a package, edit the paths so that it won’t fall prey to automated script attacks spidering for these packages. This makes upgrades more complex, but it will repel the dumb script kids.

Use .htaccess to ban foreign IPs. Most small-time sites have no need to be visited from overseas IPs. The site you build for a dentist doesn’t need to be accessible to a kid sitting behind a computer in Brazil.

Check your form inputs. Plain and simple.

To the hysterical:

Buy a pony.  [ To which another “slasher” replied:  “I would use the protein.” ]
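The filter_input() advice in the thread above, and the “check your form inputs” advice a few replies later, are two different things, and the difference is easier to see side by side than in prose. The following is an added example, in Python rather than PHP and not code from the post or from any of the Slashdot commenters: sanitize_string() does what the quoted FILTER_SANITIZE_STRING call does (strip tags, HTML-encode quotes), and validate_phone() does what an allowlist check for the thread’s phone_number field looks like. The form submissions are constructed; sanitize_string, validate_phone, classify and SUBMISSIONS are this example’s own names.

```python
"""Added example (not code from the post or from the Slashdot thread): a
sanitizing filter beside an allowlist validator for a phone_number field.

sanitize_string() mirrors what PHP's FILTER_SANITIZE_STRING does: strip tags
and HTML-encode quotes. validate_phone() accepts only values shaped like a
phone number. The submissions below are constructed to show the difference.
"""
import html
import re
from typing import Optional

# Constructed form submissions: one honest, three hostile.
SUBMISSIONS = {
    "honest": "+1 (512) 555-0134",
    "script": "<script>alert(1)</script>555-0134",
    "sql": "555-0134' OR '1'='1",
    "overlong": "5" * 300,
}

TAG_RE = re.compile(r"<[^>]*>")
# Allowlist: optional leading +, then digits and common separators, digits at both
# ends, at least 8 and at most 21 characters in total.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().-]{6,18}[0-9]")


def sanitize_string(value: str) -> str:
    """Strip tags and encode quotes. This is output encoding, not proof of a phone number."""
    return html.escape(TAG_RE.sub("", value), quote=True)


def validate_phone(value: str) -> Optional[str]:
    """Return the value only if the whole string matches the allowlist, else None."""
    return value if PHONE_RE.fullmatch(value) else None


def classify(form: dict) -> dict:
    """What each approach lets through, field by field."""
    return {
        name: {"sanitized": sanitize_string(raw), "validated": validate_phone(raw)}
        for name, raw in form.items()
    }


if __name__ == "__main__":
    for name, result in classify(SUBMISSIONS).items():
        print(name, result["sanitized"][:40], "->", result["validated"])
```

The sanitizer keeps the honest value intact and defangs the script tag, but the SQL-flavoured string comes back as 555-0134&#x27; OR &#x27;1&#x27;=&#x27;1 and the 300-digit string comes back untouched: both are still not phone numbers, and the encoded one will be decoded again if it is ever rendered and reused. The validator rejects all three hostile inputs outright. Sanitizing belongs at the point of output (HTML), validation at the point of input, and neither replaces parameterized queries on the database side.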

A last example of why I love Slashdot comes from an article about intellectual property rights, the WTO, and China, wherein there was a vigorous exchange about taxation, open source, the mixing of global politics and finance, and East-West relations. In the end, as so often occurs, after wading through the technical weeds and silly chaff, the discussion ends with some wonderful observations from people who at least claim to have on-the-ground experience in-country.

by Ritz_Just_Ritz (883997) on Wednesday January 28, @12:20AM (#26634721)

I spend a great deal of time in China. The real crux of the problem is that there is a WIDE gulf between the law and enforcement of the law (unless it involves anti-government behavior…then the gulf narrows quickly).

I can easily go to any one of hundreds of locations that I know of (and I’m a damn foreigner) in Beijing and buy openly pirated movies and software. Sure, it is illegal to sell that stuff per the law books, but the government just doesn’t care. And when they make some noise about caring, it’s VERY temporary, the press gets their story and photos, and then it’s back to business as usual.

Government officials are profiting directly from winking at this illicit trade so there’s little incentive for those lower on the totem poles to rock the boat.

It’s not uncommon for the owner of one of these illicit DVD/CD fabs to bring in the relative of some party official in as a “silent partner” to keep the heat off. Welcome to China. Now be quiet and enjoy your 10RMB DVD (complete with fancy packaging and liner notes) that can be had in most subway stations and street corners in Beijing…er…roughly 7% of the price I’d pay at my local Best Buy for the same title in similar packaging…..

[REPLY] by Sanat (702) on Wednesday January 28, @01:30AM (#26635213)

I was a visiting American scientist during my prolonged stay in China and was the first American that many Chinese had seen since the Chiang Kai-shek stuff from the 50’s and 60’s. I traveled some with the president of the American company where I worked (he was American Chinese) and so I had a lot of opportunities to explore many places that most Americans would not be admitted to.

I literally traveled from one end of China to another. I am rather a low key guy but because of my title then each Chinese province would hold a banquet in my honor and so we would drink wu-shing pigu (5 star beer) and a clear liquor that I forget the name of but it was potent… anyway, I found the Chinese to be a most proper group of individuals and were good to their word… except if government was involved then they followed the ticket that was being trailed out… probably for self preservation.

I really enjoyed the people and loved the environment… being raised originally on a farm in Ohio made me understand a lot more than if I was a city slicker. What I did find though was that the average person did what they had to do to get along in life. If it meant duplicating a song or a data file then it was not a problem for them… I must reiterate that their values were neither greater nor less than mine but rather that they did what they had to do to survive in the economy of that era.

Sometimes I wish that I had transferred there permanently. My heart is very similar to that of the typical Chinese individual and they had a warmth that I find missing in today’s life in America.

An anonymous reader writes “The World Trade Organization yesterday released its much-anticipated decision involving a US complaint against China over its protection and enforcement of intellectual property rights.

The US quickly proclaimed victory, with newspaper headlines trumpeting the WTO panel’s requirement that China reform elements of its intellectual property laws. Yet the reality is somewhat different. As Michael Geist notes, “the US lost badly on key issues such as border measures and criminal IP enforcement, with the international trade body upholding the validity of China’s laws.”

And those, my friends, are but a few examples of why I love Slashdot.

Opportunities in Age

I’ve been thinking a lot about aging lately. Perhaps it’s because I’ll soon hit the half century mark, in August.

But this latest news summary from the Bizjournals syndicate further highlighted the enormous business opportunities in aging. Here are a few gems from the article:

  • The world’s 65-and-older population is projected to triple by mid-century, from 516 million in 2009 to 1.53 billion in 2050, according to the U.S. Census Bureau.
  • In contrast, the population under 15 is expected to increase by only 6 percent during the same period, from 1.83 billion to 1.93 billion.
  • The Census Bureau said that in the United States those 65 and older will more than double by 2050, rising from 39 million today to 89 million. While children are projected to still outnumber the older population worldwide in 2050, the under 15 population in the United States is expected to fall below the older population by that date, increasing from 62 million today to 85 million.
  • Europe likely will continue to be the oldest region in the world: by 2050, 29 percent of its total population is projected to be 65 and older. On the other hand, sub-Saharan Africa is expected to remain the youngest region as a result of relatively higher fertility and, in some nations, the impact of HIV/AIDS. Only 5 percent of Africa’s population is projected to be 65 and older in 2050.
  • There are four countries with 20 percent or more of their population 65 and older: Germany, Italy, Japan and Monaco. By 2030, 55 countries are expected to have at least one-in-five of their total population in this age category; by 2050, the number of countries could rise to more than 100.
  • Although China and India are the world’s most populous countries, their older populations do not represent large percentages of their total populations today. However, these countries do have the largest number of older people — 109 million and 62 million, respectively. Both countries are projected to undergo more rapid aging, and by 2050, will have about 350 million and 240 million people 65 and older, respectively.

I’m smiling as I write this, because yesterday, at a breakfast I attended, a guest in the audience stood during the introductions and said, “Hi, my name is [John Doe] and I work as a statistician at the Texas Education Agency, so I know that 95% of all statistics are made up on the spot.”

Nevertheless, I don’t know about you, but I find data like that from the Census fascinating. It reminds me of another article on demographics that I still consider a landmark opus on the subject in recent years by the dean of American management, Peter Drucker. Written for The Economist, “The Next Society” – which later became a book – is still an amazing intellectual achievement, although Drucker himself would probably have said that it’s all there in front of us.

In coming posts, I’ll talk more about what opportunities I’ve been mulling that I think we will see and hear more about in the coming years…so stay tuned!

Q2 and June Wrap-up: How big are you?

June marks my 2nd year at nGenera Corp. The company has seen the best of times and the worst of times – and changed many times in the process: pretty typical.

As always, among the hardest changes to take are the ones where people you enjoy and respect leave the company. We’ve had our share this year, as has everyone.

But, you can’t let it get you down and you have to keep perspective. On that note, I offer this scrib’d powerpoint deck. It’s something that I made up, based upon some materials I located a while back…I can’t even remember where I found them. I think it was in one of those religious e-mail chain letters that my mom sends me every so often. You know, the ones where you have to scroll down about 3 pages worth of header garbage, because it has been forwarded so many times, to actually get to the content.

But, in any event, perhaps this caught me at just the right time. Hopefully, it catches you too. Some might think it’s a bit on the existential side. However, I think it provides an optimistic, liberating message. Enjoy!