HTML5 vs. Security

22. November, 2013

“HTML5 vs. Security” was a talk given by Thomas Röthlisberger of Compass Security AG which gave a nice overview of some of the security problems that HTML5 brings.

Areas covered by the talk:

Together, those technologies allow remote attackers to scan internal networks, access intranet sites and track users.

For example, if you’re visiting a site while connected to a compromised WLAN access point, an attacker might send you a manifest for this site. The manifest then contains the names of some files which exist on the original site plus additional resources. When you’re back in a safe network, the browser will use the saved files when you visit the site again, making the attack permanent.

Another place to save malicious code is the local storage. Or we can use the local storage to attach a permanent ID to the browser / user.

CORS and WebSockets allow an attacker to scan the local network for open ports. With Web Workers, thousands of ports can be scanned in the background. Or the technology can be used to build an ad-hoc botnet to crack passwords.

Shell of the Future is a proof of concept that demonstrates how an attacker can use another person’s browser to browse the web. This means that the attacker can a) see all the information (session cookies, JavaScript) that the hijacked browser has and b) drive said browser (downloading more resources, scanning the intranet, etc.).

In some cases, these vulnerabilities are necessary to make the new feature useful. What you need to be aware of:

  • Decline strange or unexpected permission requests from your browser
  • When you configure your server, make sure you send the correct Access-Control-Allow-Origin headers. Never configure your server to reply with “*”.
  • There is no anonymity if you allow web sites access to the Geolocation API or local storage.
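As an added example (not from the talk or Compass Security), the following Node.js-style helper shows the difference between the three common ways a server answers the CORS preflight and response headers: the wildcard the list above warns against, the equally bad habit of reflecting whatever Origin header arrived, and an exact allowlist match. The origins and the request objects are constructed sample values.

```javascript
// Added example: CORS response headers, weak variants beside the hardened one.
// ALLOWED_ORIGINS is a constructed allowlist; a real deployment reads it from config.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Weak variant 1: "*" lets any site read the response of a cross-origin request.
function corsHeadersWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Weak variant 2: reflecting the request's Origin is "*" in disguise, since the
// browser of any site gets its own origin echoed back and may read the body.
function corsHeadersReflect(origin) {
  return origin ? { 'Access-Control-Allow-Origin': origin } : {};
}

// Hardened variant: only an exact allowlist match is echoed; anything else
// (missing header, unknown site, the literal "null" origin that sandboxed
// iframes and file:// pages send) gets no CORS header at all.
// "Vary: Origin" stops shared caches from serving one origin's answer to another.
function corsHeadersAllowlist(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowlist.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
  };
}

// Request/response shape is a constructed stand-in for Node's http objects so
// the handler can be exercised without opening a socket.
function handleRequest(req) {
  const headers = corsHeadersAllowlist(req.headers.origin);
  headers['Content-Type'] = 'application/json';
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}

// Usage: a request from an allowlisted page gets the echo, a foreign one does not.
const fromApp = handleRequest({ headers: { origin: 'https://app.example.com' } });
const fromElsewhere = handleRequest({ headers: { origin: 'https://evil.example.net' } });
console.log(fromApp.headers['Access-Control-Allow-Origin']);      // https://app.example.com
console.log('Access-Control-Allow-Origin' in fromElsewhere.headers); // false
```

The allowlist comparison is an exact string match on the whole origin (scheme, host, port); substring or suffix checks such as "ends with example.com" are a frequent source of the same hole as reflection, because an attacker-controlled host name can be chosen to satisfy them.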

Is Your Life in Danger?

18. November, 2013

No? Do you have a computer? Yes?

Then you should go here: Typhoon Haiyan – Mapping response. People in the Philippines are dying right now.

In a nutshell, the Red Cross has asked OpenStreetMap for help. They need to know which streets are still open, whether bridges and buildings have been damaged.

DigitalGlobe has supplied hi-res satellite images of the area. Things you can do:

  • Find an open job under the link above (click the link; needs an OpenStreetMap account)
  • As a beginner, try to locate an area which contains only water.
    • Verify that there is nothing on the satellite images (sometimes, it’s hard to spot small islands on the overview map)
    • If you checked the area, mark it as Done with the comment “Not on land”
    • Congrats, you just saved the other, more experienced mappers a few minutes
  • Knowing a damaged building from an undamaged one takes some experience. But you can use the Bing maps to try to locate buildings that haven’t been mapped so far. I mapped all buildings in the jungle on a remote island, for example. That might not help a lot but it’s a low risk task and at least means that other mappers will only have to validate the island instead of locating and selecting all the buildings.
  • Don’t feel like changing the map? Then validate it: Look for things that were missed and add notes about what you spotted.

I suggest you use the JOSM editor for this task. Some setup tips:

  1. Enable Remote Control. That way, you can click on a link on the web site (for example, after selecting a job) and the editor will load all the relevant data
  2. Useful plugins:
    1. “buildings_tools” if you plan to mark buildings
    2. “contourmerge” if you want to work on the coastline
    3. “notes” so you can see and edit notes
    4. “todo” if you work on something large

To make it easier to spot damaged / assessed buildings, use a custom color scheme: Damaged buildings crisis mapping

Note: The current satellite images are copyrighted. If you don’t want to sign the agreement, you can still help by mapping the pre-disaster images from Bing; that will help people assess the damage by comparing the old maps with the current state.

If you want to work on the current maps, then you need to click a link in the “OSM Tasking Manager” (the job manager). It will present you with the agreement and display a link that you can click to configure JOSM to display those images as background. Make sure you show/hide the correct layers in the layer list (top right corner).

Important note: Satellite images are sometimes shifted or offset. The effect is that all buildings in an area seem to be at the wrong place (= not where they are on the image). Don’t move the buildings! Instead, shift the offset to align the images with reality (yes, it feels odd that an image made by a satellite could be wrong but they sometimes are).
Agile For Prudes

12. November, 2013

The article “WORKING IN A WANNABE-AGILE TEAM” points out a common problem in agile: It really exposes you, and most people are simply prudes.

Unlike what many people want to make you believe, they are aware of their own flaws and of how much a certain process humiliates them – it’s a skill everyone adopts at an early age, and therefore almost completely subconscious.

Since there is no way to be agile without looking at the team’s issues, the solution is to offer them something else instead.

In my experience, the easiest foot in the door is testing. When customers ask for features, ask “How would you know that it’s working correctly? Can you give me an example?” Yay, acceptance tests for free.

People struggling with a piece of code that fails all the time in interesting ways? “How do you know it’s wrong? What would be right? Maybe we could write a piece of code that makes sure it stays right from now on?” Yay, unit testing.

“Can you write a test?” “You can’t test that!” “…. You wrote software that can’t be tested? Seriously?” “… No, of course you could test it but …”

The best part: It focuses on solutions. When suggesting tests, no one can get into the blame game. Everyone can get involved. Customers, managers, developers, everyone understands tests. And they offer the most value for the least investment.

When people have started testing, they become interested in other things as well: Agile planning. Listening to the customer. That’s when you can start to change the culture – you now have some trust that you can spend.