Friday, June 29. 2007
Tuesday, June 12. 2007
Safari 3 Public Beta - also for Windows Posted by Christian in ** English, Security at 11:00
WWDC time means announcement time. This time, Steve Jobs did not announce that much, but spared one special highlight for the end of his keynote: The Safari browser (version 3) is available for download as a beta — for both Mac OS X and Windows. I have to admit that I am not too fond of Safari 2, especially in comparison to the competition. However Safari 3 looks really nice. I also like that there are several Windows plugins available, including various media players, Flash, Java, and Adobe Reader (the plugin site still linking to 8.0, not 8.1, btw).
Update: Apple's infamous security track record (not that all other companies do a better job, of course) is undeniable: Thor Larholm claims it took him two hours to find a security vulnerability, and other researchers have also announced that they will present their findings soon. So do not use this on a production machine (yet)!
Monday, November 27. 2006
SANS Top-20 Internet Security Attack ... Posted by Christian in PHP, Security at 09:09
Two weeks ago, the SANS Institute released its annual Top 20 Internet Security Attack Targets list. Of course you can debate how such a top list comes together and what its real value is, but there are two specific points in this year's list that I found quite interesting.
First of all, there is a new entry: Users (H2). This shows that phishing, social engineering and related attacks are getting more and more prevalent. User education is therefore more important than ever.
Second, PHP is specifically mentioned a couple of times (one wonders why). In entry C2 of the SANS Top 20 (Web Applications), the institute gives some very specific advice:
From the PHP system administration and hosting perspective:
You could argue whether the PDO migration is superior to using, say, prepared statements (and why no other databases are mentioned). You could also argue why there is such an emphasis on PHP and that all the advice is somehow well known. But the fact of the matter is that there are still so many PHP installations and PHP developers that do not follow these guidelines, as for instance Damien's survey shows. In my opinion, there is only one possible solution: continue to talk with developers, and continue to talk with hosting providers.
Wednesday, October 25. 2006
LiveHTTPHeaders and Firefox 2.0 Posted by Christian in Security at 10:04
As other people have already noted, the LiveHTTPHeaders Mozilla extension does not work on Firefox 2.0 (yet), since it has not yet been marked compatible with the new version. However, there are two ways in which you can "force" Firefox 2.0 to activate the extension. Both are of course to be considered hacks until a new version of the extension is released.
The first way is to change the extension itself. Download the XPI package and unzip it (yes, it's a ZIP file; if you are using a GUI tool you may want to change the file extension to .zip first). The contents of the package will look like this:
Open the install.rdf file (it's XML). There you will find the following XML element (around line 16):
Change the maximum version number to
The second way is easier yet potentially more dangerous: Just tell Firefox to install extensions regardless of the minimum/maximum required version numbers they supply in the install.rdf file. In order to do so, call the special URL
Of course the best way is to wait until a new LiveHTTPHeaders version for Firefox 2.0 has been released, since there is no guarantee that the current version (0.12) is fully compatible with the new browser version. However, on one of my test systems it seems to run quite nicely (using the first workaround from this entry).
Monday, July 31. 2006
OSCON 2006 Posted by Christian in ASP.NET (English), PHP, Security at 05:56
Just a short recap from last week's OSCON, while I am on the plane back home (I really love on-plane WiFi). After a terrible trip to Portland (including delays, rebooking on other flights, and finally the information that my hotel reservation could not be found, *again*), I faced the usual issue with large and well-organized conferences: too many interesting presentations at the same time. So I missed quite a lot of the PHP content, some of which I had already seen elsewhere, but also new stuff like Adam Trachtenberg's advanced SOAP presentation which I was looking forward to (but I was lured into an OSCamp session titled "Why we suck", by Microsoft, which was quite interesting, but sometimes on the verge of escalation). Among the presentations I did see were one on upcoming changes in Perl 6 (both entertaining and confirming why I quit using Perl altogether eight years ago), Andrew van der Stock about AJAX security (which I find an overrated topic, but he showed nice examples and also did not rant about PHP too much this time), Luke's & Laura's tutorial featuring a poker application, some of the other OmniTI presentations (too many to mention), and some other AJAX-related stuff (mostly regarding cross-site applications). As usual, there were some quite bad speakers, but the majority was excellent.
Another scheduling problem was Thursday night, which had three overlapping events: PDXPHP, a Microsoft sponsored dinner, and Powell's technical bookstore. I tried to attend both, but after meeting Patrick Reilly at the MS dinner and chatting about PHP, other technologies, and the movie industry, I completely lost track of time. Sorry. When I returned back to the hotel later after over four hours of eating and drinking, I even ran into half of the PHP crew, but declined going for cocktails again. Conferences obviously take their toll on me.
My Atlas presentation, by the way, went very well. Only half of the attendees were actually using ASP.NET 2.0 (no wonder at OSCON). Contrary to popular belief, "the guy" was not in the audience; I only got intelligent questions, from people sitting in the middle.
Already looking forward to next year!
Tuesday, May 16. 2006
Outsourcing, Even More Injection: ... Posted by Christian in Security at 22:39
I have posted similar stories before, but this new entry on thedailywtf.com just beats them all. Oh. My. God.
Monday, March 6. 2006
Mac OS X Hacked in Less Than 30 Minutes Posted by Christian in Security at 20:19
Tuesday, February 21. 2006
MamboForge goes MamboXchange, and the first news entry is an important one: Some security issues have been found and fixed for Mambo 4.5.3 and Mambo 4.5.3h. I do not understand yet why they did not create Mambo 4.5.3i and also have not checked yet whether a similar issue exists in Joomla! as well, but anyway, updating any installation is highly recommended.
Tuesday, January 31. 2006
More Consultants, More Injection: ... Posted by Christian in Security at 18:29
I have blogged about a SQL Injection posting on The Daily WTF before, but this posting beats it all. Never has SQL Injection been used in such a clever way.
Friday, August 19. 2005
Consultants, Stored Procedures, and ... Posted by Christian in ASP.NET (English), Security at 19:19
I keep on mentioning in security-related talks that using stored procedures does not generally avoid the dangers of SQL Injection, but just limits the number of sloppy programmers that can mess it up. This entry in The Daily WTF proves me right -- in a very funny way.
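The point made here (and the prepared-statement advice in the SANS entry above) in code: a stored procedure that builds its own dynamic SQL is just as injectable as the application code it was supposed to replace, while a parameterised call is not. This is a constructed T-SQL demo added for illustration, not code from the blog or from The Daily WTF story; the table, procedures and names are assumptions.

```sql
-- Constructed demo (not from the original post): a stored procedure is only
-- as safe as the SQL it assembles internally.
CREATE TABLE dbo.Users (id INT PRIMARY KEY, name NVARCHAR(100), role NVARCHAR(20));
INSERT INTO dbo.Users VALUES (1, N'alice', N'user'), (2, N'O''Brien', N'admin');
GO

-- Defective: the caller passes a proper parameter, but the procedure splices it
-- into a string, so any quote inside @name is parsed as SQL syntax.
CREATE PROCEDURE dbo.FindUserUnsafe @name NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, name, role FROM dbo.Users WHERE name = ''' + @name + N'''';
    EXEC (@sql);
END
GO

-- Hardened: the statement keeps a placeholder and the value travels as a typed
-- parameter through sp_executesql, so it is data, never syntax.
CREATE PROCEDURE dbo.FindUserSafe @name NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, name, role FROM dbo.Users WHERE name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(100)', @n = @name;
END
GO

-- A perfectly legitimate name with an apostrophe shows the difference: the
-- unsafe procedure fails with a syntax error (the same mechanism an attacker
-- abuses), the safe one simply returns O'Brien's row.
EXEC dbo.FindUserUnsafe @name = N'O''Brien';
EXEC dbo.FindUserSafe   @name = N'O''Brien';
GO
```

The defence is the same as for application code: either avoid dynamic SQL inside the procedure entirely, or parameterise it; the procedure boundary itself adds nothing.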
Saturday, July 30. 2005
At this week's BlackHat conference, OWASP released the much anticipated version 2.0 of their "Guide to Building Secure Web Applications" (and one day later, they added some changes by Microsoft's Michael Howard and released version 2.0.1). A huge leap forward from the Top Ten: 293 pages packed with valuable information about various aspects of Web Application Security. It will come out as a book later this year.
Friday, July 29. 2005
Genuine (Dis-)Advantage Posted by Christian in ** English, Security at 08:47
Microsoft is getting serious with their Genuine Advantage "offering". I just did a vanilla install of Windows XP with SP2 and then went to Windows Update. As usual, I was prompted to install an ActiveX control and then to install mandatory components. Usually, these only consist of Windows Installer 3.1, but this time it also installed something else ...
Then, I was prompted to validate my Windows.
No problem, I thought. Until I got this message:
And this is, in my opinion, a real bummer. Of course I do have a license, but I am using this specific license to do tests. Which means that I reinstall the OS quite often and therefore usually do not activate it; the 60-day grace period is more than enough. However, what should I do now? Either I activate Windows over and over again (including nice chats with hotline people when I activate "too often"), or I can just sit back, relax, and wait till the 20-30 minutes are over.
Friday, July 15. 2005
Waiting for Firefox 1.0.5 Posted by Christian in ** English, Security at 13:56
On July 12th, updates for Firefox (to 1.0.5) and Thunderbird (to 1.0.5, as well) were released. Unfortunately, as of now, only the English language versions. As the download pages for Firefox and Thunderbird show, all the other language versions are at 1.0.4 (for Firefox) and 1.0.2 or less (for Thunderbird).
Also, in various forums, people complain about issues with the new releases. Some even speculate about a version 1.0.6 being released soon.
Now this is a tough situation: On one hand, several security vulnerabilities were fixed, but on the other hand, people report crashes or mail filters vanishing. In this case, I usually do a full backup and then upgrade (being able to revert when things get bad). But let's hope the Mozilla Foundation gets an official statement (and maybe a new version) out soon.
Update 2005-07-16: Uh-oh. I was right.
Update 2005-07-20: Firefox 1.0.6 is now available for other languages. Thunderbird 1.0.6 is currently only available in English.
Update 2005-07-23: Finally, Thunderbird 1.0.6 is available for other languages.
Update 2005-07-26: A couple of days ago, a new Mozilla version (1.7.10) was released ... and sucks. Read more here.
Friday, June 17. 2005
Tech Ed Europe 2005 Posted by Christian in ASP.NET (English), Security at 09:13
I am happy to announce that Damir from INETA gave me the opportunity to give a BoF session at this year's Tech Ed Europe. The topic: "Web Security: What Can I Do?". Here is the complete list. Looking forward to seeing you there!
Thursday, May 19. 2005
Netscape 8.0.1 ... [Update] Posted by Christian in ** English, Security at 15:05
... is available for download. As some of you know, I have been a part of the closed beta test and so much has changed since the first versions we had a look at. I am still not yet convinced about the (optional, on-demand) integration of the IE engine, but it's a neat browser with nice features. Go have a look! I am however curious which Firefox version was the basis, since 1.0.4 is relatively new.
Update: Now it's 8.0.1, because they found out that version 8.0 was based on Firefox 1.0.3, which has some security vulnerabilities. The download address for the new, full version is the same; no patch from 8.0 to 8.0.1 is available yet.