Sep 17

Crowd sourcing security and permissions; IE9’s baby steps

Security, Tech

The Web lives in a sandbox. An important one. It means that you can click around on links and “feel” safe (that is, until you go to a talk by Jeremiah Grossman).

On your desktop, however, you have a binary situation. You either run some code that can do pretty much anything (ignoring file permissions, virtualization, etc.) or you don’t run that code.

One of the dialogs that I dislike is from OS X when you “download something from the Internet”:

internet permission

I would love to see the stats that Apple may have on how people react to this. I can imagine a scenario where something has mistakenly been downloaded and run, but I would guess that 99% of the time a user goes through the following:

  • Click on something to download an app
  • Run the app, because I wanted to, hence me clicking on it
  • I have no information here…. so I think I will just click yes!

Some will yell, “think of the children!” and argue that if this popup has stopped ONE virus or piece of malware, it is worth the pain of the other millions of pop-ups.

Surely we can do better. Of all of the features in the IE9 beta, one that may not jump out at you as much as fancy fast chess or goldfish bowls is how they manage this situation.

In Dean’s whirlwind keynote presentation (very nicely produced!) he showed a feature where clicking on a particular .exe wouldn’t alert the user based on crowd data. Basically, if enough people have used foo.exe and it is trusted, it can Just Get Through.

The virus scanning world is doing a lot of this on the backend. Places with scale can monitor the crowd and do a lot more than we have done so far, and I can’t wait to see what comes of this. The caveat is what the reputation is keyed on: it has to be the exact bytes (a hash) or the signing certificate, never the file name, otherwise a trojaned copy of foo.exe would simply inherit the reputation of the popular foo.exe. Done that way, a repacked binary is a brand-new unknown file that still gets the warning and has to earn its reputation from scratch.

We have talked about social permissions before. It will be great when I can see that Jeremiah Grossman is using a particular application for example ;) I look forward to a way out of app permissions hell.

Dec 31

Not just social history, actual information from Twitter

Security, Tech

<script>
document.write("This page should show you your twitter info if you're logged in. (If you see a login box make sure you're logged into Twitter)<br/><br/>");
// forgive the document.write ugliness
// JSONP callback: Twitter invokes orly(...) with the user's timeline, and each entry carries the account record
function orly(data) {
  document.write("Your username is " + data[0]['user']['screen_name'] + "<br>");
  document.write("Your real name is " + data[0]['user']['name']);
}
</script>
<!-- src is the Twitter JSONP endpoint with ?callback=orly; the URL is not preserved on this page -->
<script src=""></script>

What if that is all it took to grab your username and even your real name out of Twitter? Try it, it works. It works because the browser attaches your Twitter cookies to the cross-site <script> request, and the JSONP response is executable code that hands the authenticated result to whatever callback the embedding page named.


(via Bill Zeller)
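The mechanism above, as an added example that is not part of the original post and is not Twitter’s code: a cookie-authenticated JSONP endpoint modelled in Node.js as a function over a constructed request object, beside a hardened version that refuses to wrap authenticated data in a callback. The session table, cookie name, timeline shape and the X-Requested-With check are all assumptions made for the demo.

```javascript
// Added example (not from the original post, not Twitter's API): why a
// cookie-authenticated JSONP endpoint leaks to any site, and one way to close it.

// Constructed session store: session cookie value -> account record.
const SESSIONS = {
  'sess-4f2a': { screen_name: 'alice', name: 'Alice Example' },
};

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// The timeline embeds the account record, which is what the orly() page reads.
function timelineFor(user) {
  return [{ text: 'hello world', user }];
}

// VULNERABLE: authenticates with the session cookie, which the browser attaches to a
// cross-site <script src=...> request automatically, then wraps the private data in an
// attacker-chosen callback so the result executes inside the attacker's page.
function vulnerableTimeline(req) {
  const user = SESSIONS[parseCookies(req.headers.cookie).sid];
  if (!user) return { status: 401, body: 'Could not authenticate you.' };
  const json = JSON.stringify(timelineFor(user));
  const cb = req.query.callback;
  return { status: 200, body: cb ? `${cb}(${json})` : json };
}

// HARDENED. Two rules:
//  1. A callback-wrapped (script) response never carries cookie-authenticated data:
//     when JSONP is requested the ambient session is ignored entirely.
//  2. The callback name must be a plain identifier, otherwise a reflected callback such
//     as "alert(1)//" turns the endpoint into an XSS vector.
// Same-origin XHR callers get the private timeline as plain JSON and must send a header
// that a <script> tag cannot add (a cross-site XHR with that header triggers a CORS
// preflight, which is refused unless the origin is allow-listed).
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function hardenedTimeline(req) {
  const cb = req.query.callback;
  if (cb !== undefined) {
    if (!CALLBACK_RE.test(cb)) return { status: 400, body: 'Bad callback name.' };
    return { status: 403, body: `${cb}({"error":"JSONP is not available for authenticated data"})` };
  }
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: 'Missing X-Requested-With.' };
  }
  const user = SESSIONS[parseCookies(req.headers.cookie).sid];
  if (!user) return { status: 401, body: 'Could not authenticate you.' };
  return { status: 200, body: JSON.stringify(timelineFor(user)) };
}

// Constructed requests. The first is what the browser sends for the attacker's
// <script src="https://victim/timeline.json?callback=orly">: the victim's cookie is
// added by the browser, not by the attacker.
const crossSiteScriptRequest = {
  headers: { cookie: 'sid=sess-4f2a' },
  query: { callback: 'orly' },
};

// The second is what the site's own same-origin JavaScript sends.
const sameOriginXhrRequest = {
  headers: { cookie: 'sid=sess-4f2a', 'x-requested-with': 'XMLHttpRequest' },
  query: {},
};

console.log('vulnerable, cross-site:', vulnerableTimeline(crossSiteScriptRequest).body);
console.log('hardened, cross-site:  ', hardenedTimeline(crossSiteScriptRequest).body);
console.log('hardened, same-origin: ', hardenedTimeline(sameOriginXhrRequest).body);
```

The hardened version does not try to make JSONP safe; it makes JSONP anonymous. Any endpoint that both reads the ambient session cookie and emits a script body is exploitable by every page the victim visits, so the fix is to never combine the two.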

Dec 01

Application trust models; Expanding Web applications out of the sandbox

Security, Tech, Web Browsing


A few years back Web developers were celebrating the glimpse of a beautiful Winter as some of our best hacked our way out of the prehistoric ages to give us Ajax.

Ajax Universe

Fast forward to this year and we have seen the Web platform explode. We have gone from Web hack to the mobile phone and even the desktop.

With technology such as Prism, Fluid, Gears, and AIR we get to use our Web skills to build desktop applications. If you play the numbers game and realise how many people understand how to hack on the Web versus write native applications you can see how if harnessed correctly, the Web could be a dominant platform far beyond the browser as we know it.

However, how do we break out of the Web sandbox? We gain a great deal from this “secure” (don’t say that to Crockford) place in which to build applications, and we can’t just break out willy-nilly.

The problem is that if we don’t come up with something, you will always end up saying “I can’t prompt my users for every little thing, so I guess I will just write a native application.”

This of course doesn’t actually help make life secure for the end users. Instead, they hit OK on the “Sure, I know I downloaded that from the Internet” dialog and now native code is doing whatever it wants to!

ASIDE: I would love to know how many people: a) download something from the Web, b) run it, c) see that dialog and then d) say “oh, OK no.” I know what I am willing to bet on ;)

What if we took the weakness of the current Web sandbox and made it a strength? If our platform is able to intercept what is going on, imagine if we could have metrics that show us exactly what an application is doing. Chrome does one small thing here, showing you the memory that a tab is using. This is a great start. What if we went further and had something like iStatMenu living in the browser:

Browser Metrics

Now for every browser application you can see not only its memory footprint, but you can see if it is using your location, how it uses the network, the local database, and even the file system. Instead of asking once “is it ok for this app to do anything” we can ask a more nuanced question, but also give a lot of feedback after the fact, way after you have forgotten what you said would be OK.

We could also have power user modes that allow you to visually see the heap, allowing you to navigate it as you debug your application. Detailed networking views. And, more.

Of course, the best way of doing this work is through implicit interfaces. Having a Google Search with a “[x] near my location” checkbox is the obvious example.

This is a delicate issue, but I believe that the Web needs to move in a broad direction, and we need to work through these problems. What do you think?

Aug 01

Silent updates: Good, Bad, or Safe?

Comic, Security, Tech

Update Paradox

I am in a paradox this morning. I found myself managing a million friggin updates to various software and components.

There were the iPhone Apps (keep hoping that NetNewsWire will get stable :(), and the software updates, and the browser plugin updates, and the list keeps going on.

It is interesting, because at the same time, if I download an application that doesn’t tie into an auto-update framework, I get frustrated. I am maddened as I know that I won’t stay on top of the versions, and I shouldn’t have to!

So, I want all of my software to update, but I don’t want to be bugged all of the time. Hmm. How about silent installs? What if I could say for a set of apps “just keep these puppies up to date and don’t even bug me”. Maybe just a growl “hey, just so you know, I updated NetNewsWire to the latest point release, and if it isn’t working well, you can revert”. Having revert would be cool (but potentially more work).

But wait a minute, what if that happened and suddenly something stopped working, or I just didn’t like the new version? Well, revert can help there, but maybe you could have a setting where silent updates happen only for point releases.

What about security though? This would allow developers to sneak in some code without me even knowing! True. That sounds scary doesn’t it. However, isn’t that bogus? They could just put it in the new release and you would update anyway! I doubt you are cracking open the .exe to look for malicious code :)

The fact is that we rely on trust. We weigh up trust. And, I am willing to trust certain companies and people to do silent installs.

In fact, someone on the Gears team mentioned that they think it is the developer’s responsibility, and that it has to be taken seriously. What if there is a security breach? If you have the ability to push out a fix in short order, you can minimize the scope. Otherwise, there will always be a series of people who never upgrade and are taken over. How many 5 year old worms and viruses are out there that still propagate due to your aunt running Windows 98 with no changes to it? Ouch.

So, I am all for a change. Time to allow more silent upgrades. Developers, protect me, and don’t bug me all the time!

Mar 08

JCAPTCHA: Open Source Security Plugin

Java, Security, Tech

Since installing mt-scode for Movable Type, I wondered if there was a Java framework that would easily allow you to add CAPTCHA-style authentication to our apps.

There is an open source framework: JCAPTCHA.

There is an article on the framework Use a CAPTCHA-based authentication module for J2EE Web applications

Spam has become one of the biggest menaces on the Web. Many community-based applications force authentication only to distinguish a valid user from an automated spam-bot, which can be overkill in some cases. CAPTCHAs help in differentiating between real users and automated bots. In this article, Anand Raman uses CAPTCHAs as weak authentication mechanisms for J2EE Web applications. He begins with a quick introduction to both the J2EE Web application security model and CAPTCHAs. He then builds on these concepts to implement a JAAS (Java Authentication and Authorization Service) login module using CAPTCHAs and integrates it with an application server’s existing security infrastructure. The artifacts are based on standard J2EE security mechanisms. Hence, the module can be reused on any J2EE application or across different application servers with some minor modifications.

We have been using Acegi Security recently, rather than container managed security (CMS), and it would be nice to plug this in over there.

I often worry about the images. On one site I had to reload 3 times to get an image I could actually read!

Feb 23

Turn off auto-logon to voice-mail

Security, Tech

I remember turning off the feature in my voice mail that would automatically log me in if I called from my home phone number.

Since this auto-logon is keyed on caller ID, it is NOT at all secure. Caller ID is simply asserted by the originating network and is trivially spoofed: there are simple services out there which enable you to look like you are calling from any number at all.

This came to light with the Paris Hilton fiasco. Hackers immediately tried to get into the voice mail of Paris and the other celebs that she had in her address book. They got into Vin Diesel’s, took the saved voice mail, and set up a new voice mail message. Who knows who else they did that to? :)

So, turn off auto-logon on all of your voice mail systems (in fact, the option should probably be taken away by the carriers. I know it is convenient, but it is just not safe).

Jan 19

Acegi Security Announces Version 0.7

AOP, Java, Lightweight Containers, Security, Tech

A fair amount of Adigio projects have taken advantage of Acegi Security instead of container managed security. They just released version 0.7.

Dear Spring Community

I’m pleased to announce the Acegi Security System for Spring release 0.7.0 is now available from The project provides comprehensive security services for The Spring Framework. You can read about the features in detail at

There are many changes, improvements and fixes in release 0.7.0 (as listed at The major new feature areas are:

* Significant improvements to ACL security services
* AspectJ support (useful for instance-level security)
* Refactoring of ObjectDefinitionSources (especially useful for web URI
* Automatic propagation of security identity via RMI and HttpInvoker
* Integration with Servlet Spec’s getRemoteUser()
* Refactoring of Contacts sample to use the new ACL security services
* Additional event publishing (now includes authorisation, not just
* CVS restructure to use Maven as the build system
* A new project web site with FAQs, links to external articles etc

The new ACL security services deserve special mention, as they make it possible to develop applications that require complex instance-based security without any custom code. The entire configuration of such applications can be declared in the IoC container using standard Acegi Security services, so this should help significantly improve architecture and development time.

As per the Apache APR project versioning guidelines, this is a major release. We expect the next major release will be 1.0.0, although release 0.7.0 should be considered stable enough for most projects to use. There are detailed upgrade instructions included in the release ZIP and on the Acegi Security home page.

For Maven users, Acegi Security’s latest JARs are available from We will also be adding release 0.7.0 and above to iBiblio.

We hope you find this new release useful in your projects.

Best regards

Jan 18

Container Managed Security: If your standard covers a lowest common denominator. Please add hooks!

Java, Security, Tech

I understand that a lot of standards end up being lowest common denominators. That is one of the issues with design by committee.

However, I wish that the standards would have defined hooks that allow you to write code which uses the standard but adds on functionality.

Take the Servlet API for an example. This is one of the better APIs in J2EE. It is pretty darn portable. I try really hard to be able to have a .war that can be placed in a container and have it just run, but this isn’t always the case. If I have to open up a server.xml I think I failed :)

One example is Container Managed Security. There are a couple of features that I really wish were in the spec. How about the ability to LOG OUT (not just nuking the session!)? What about enhancing the security piece?

Take a login box. Form-based security allows you to set up a username and password and get authentication/authorization going. However, what if you want to do something like a ‘Remember me?’ check box, or the security image that I talked about last week?

Since the spec doesn’t have any hooks, and doesn’t easily allow a filter to kick in before the security piece, this becomes really tough. Well, on some servlet containers. Remember Me? functionality is built into Resin. I don’t have to do a thing. But, unless I know that I want to only run on Resin, I am kinda stuck.

I said before that I wanted to be able to create a .war file that runs in any container. To do this now I use another system for handling security. Trying to get around the CMS system is more trouble than it is worth. Is there a nice programmatic API to log someone in and out? No.

For this reason I end up using something like Acegi Security for Spring.

Come on guys, give me some hooks!

And, let’s not get started on JAAS and how there isn’t a standard API to create users/groups in the system! Argh!

Jan 04

J2EE App Server Security

Java, Security, Tech

CP has talked about porting web app security between different application servers.

Whenever I read about these things, I wish that the specs would cover more, so we didn’t have to do this kind of infrastructure work.

The Servlet spec does a good job at giving us portability among app servers (unlike the EJB experience), however there is still room for improvement.

You can’t just drop a war file in, if you are doing wacky security stuff. It would be nice if this info could be put in the standard, so we COULD. Cookie auth should be a flag that you can just turn on. There should be a standard Realm interface which you can extend and tie together in the web.xml to handle the authentication, etc etc. All should be pluggable, and defined in one place.

J2EE always seems to only go part of the way there when it comes to items like this. Another example is how JAAS allows you to have pluggable authentication/authorization, but how about a standard way to actually manage users? How about a standard createUser(…)/edit/delete?

This is what we have available in PAM on Unix, and we want it at an API level in J2EE!

Oct 24

Vulnerability hits Java for cell phones

Java, Security, Tech

Although some people think that having billions of Java devices is a “business opportunity”, I also think it is a worry!

I shouldn’t say Java devices. What I mean is devices that are on the network. It is tough enough to manage viruses with a few million computers, but what about the next step, when even your toothpick is Bluetooth-enabled? Yowser.
