RealTime IT News

Blog Archives

Securing Flash with open source Blitzableiter #BlackHatUSA

By Sean Kerner   |    July 29, 2010

From the 'Flashing Security' files:

LAS VEGAS. I've written my fair share of stories about Flash insecurity over the years. I've also written about new tools to secure Flash.

At Black Hat, Felix "FX" Lindner launched a new tool called Blitzableiter under the GPLv3 open source license.

The word - Blitzableiter - is a German term for lightning rod. The idea is that the tool takes dangerous lightning and turns it into a harmless Flash file.

The tool integrates with the NoScript plugin for Firefox, enabling users to check if a Flash file is doing something malicious. Going a step further, if there is something malicious in the Flash file, the tool will strip that out and provide the user with a safe file.

In my opinion it's a really good idea.

While NoScript is a great tool as it enables users to block JavaScript and Flash - the options had previously been limited to either allow or deny. So now with Blitzableiter as a filter, users can actually check to see if the Flash is ok, instead of just denying it.

Drivesploit: Drive-by Downloads Deciphered #BlackHatUSA

By Sean Kerner   |    July 28, 2010

From the 'Drive-by' Files:

LAS VEGAS.  A new tool shows how easy it can be to target websites for drive-by downloads in an effort to help build better security.

The Black Hat conference is one that is legendary for its talks that get pulled. One such pulled talk in 2010 is a talk on the Chinese Cyber Army by Armorize CTO and founder Wayne Huang. Instead of just giving up his speaking slot, Huang delivered a presentation on a new tool called Drivesploit that he developed to help deliver and analyze drive-by exploits.

Drive-by exploits have become increasingly common in recent years and put users at risk simply by visiting an infected website. Huang noted that Google was the victim of one such drive-by attack last year in the so-called Aurora attack.

Open Source javasnoop hacks Java? #BlackHatUSA

By Sean Kerner   |    July 28, 2010

From the 'Caffeinated Tools' files:

LAS VEGAS. Security researcher Arshan Dabirsiaghi (pic left) now has a new tool out that will enable users to 'hack' Java.

Licensed under the GPLv3 open source license and available at Google Code - Javasnoop is all about testing Java to see if it can be hacked - or so Dabirsiaghi explained in his Black Hat talk today.

"Javasnoop doesn't create new vulnerabilities," Dabirsiaghi said. "It just gives you a way to exploit vulns that were there before that you just couldn't exploit before."

Google's #BlackHatUSA Giveaway

By Sean Kerner   |    July 28, 2010

From the 'Black Hat Buzz' Files:

LAS VEGAS. Black Hat is always busy, and this year more so than any year I can ever remember.

Even the vendor booths are busy this year! The busiest booth by far this afternoon was Google's (that's a pic of their booth - left).

Why?

Google had the most 'interesting' giveaway.

Well, maybe not the most interesting item, but the most interesting method of getting the item. In order to get a special Google Black Hat T-shirt, Black Hat attendees have to complete a wood puzzle box (think Rubik's Cube).

Using Dillinger and Scrooge to hack ATMs #BlackHatUSA

By Sean Kerner   |    July 28, 2010

From the 'John Connor Beware' files:

LAS VEGAS. Security researcher Barnaby Jack (pic left) took to the stage at Black Hat and showed how he could 'jackpot' ATMs to get cash.

And guess what? According to Jack, it's Microsoft Windows that bears some of the blame for the way that he can get ATMs to give him cash.

Jack noted that his goal wasn't to necessarily teach people how to defraud ATMs, but rather to highlight insecurities in ATMs.

Jack explained that most ATMs run Microsoft Windows CE on ARM processors and they all tend to have remote updating capabilities. Jack wrote a remote exploitation program called Dillinger to remotely exploit the ATM. Then once the ATM is exploited he has another program called Scrooge, which is a rootkit for the ATM. With those tools, Jack - much to the delight of the massive Black Hat crowd that gathered to see him - exploited a pair of ATMs on stage - live.

DHS: Cyberspace isn't the Wild West #BlackHatUSA

By Sean Kerner   |    July 28, 2010

From the 'Big Words' files:

LAS VEGAS. Jane Holl Lute (pic left), the deputy secretary of the U.S. Department of Homeland Security, took the stage at Black Hat this morning with a key message.

Lute said that cyberspace isn't the wild west and it's not a jungle either.

"What is DHS trying to do?" Lute said. "We're trying to create a safe security resilient place where the American way of life can thrive."

Lute added that the mission of DHS isn't necessarily about more governance.

"The goal here is not control, it's confidence."

Lute also faced some tough questions from the audience, including a question about why anyone should trust the DHS to do their job, when the TSA and other U.S. agencies seem to be lacking. Lute responded that she thinks the U.S. can have security and citizen rights but there needs to be a debate about the balance.

openSUSE 11.0 hits end of life

By Sean Kerner   |    July 26, 2010

From the 'So Long and Farewell' files:

What's the life span of a Novell openSUSE Linux release?

In the case of openSUSE 11.0, it's two years and one month (25 months). The openSUSE 11.0 release debuted in June of 2008 and has since been replaced by more recent releases - with the most recent release being the openSUSE 11.3 release earlier this month.

As part of the end of life announcement, openSUSE developers have compiled some really interesting statistics on how the release was updated over its life span in contrast with its predecessor openSUSE 10.3.

Overall, openSUSE developers reported that the 11.0 release had a 7 percent reduction in the number of security patches when compared to 10.3. The top package fixed in openSUSE 11.0 over its lifespan was Mozilla Firefox with 18 patches, which is 5 more than 10.3 had.

Novell's openSUSE, like all Linux distros, relies on upstream projects for many of its security disclosures, so the reduction in patches for openSUSE 11.0 may well be a good sign for Linux (and open source) overall.

Then again, openSUSE developers noted that the number of CVE identified items that were fixed actually went up by 13 percent - which leads me to believe that perhaps more patches were more efficient at tackling multiple vulnerabilities.

GPLv3 now dominates at Google Code #oscon

By Sean Kerner   |    July 23, 2010

From the 'Open Source Licensing' files:

Google's open source programs manager Chris DiBona (pic left) took the stage at OSCON today and he had some interesting things to say about licensing.

I've heard DiBona speak on open source licensing several times over the years. This time his talk wasn't about licensing specifics, but rather about adoption.

According to data presented by DiBona, the GPLv3 license now represents more than half of the GPL licensed code that Google hosts on its Google Code site.

Just to mix and match some stats here, a year ago I wrote about a Black Duck report that showed the GPLv3 still lagging behind the GPLv2. As with lots of other things, sometimes adoption is just a matter of time.

There is still a vast amount of GPLv2 code out there and I personally suspect that the Linux kernel will never move away from it. That said, what DiBona's data shows is that developers are embracing GPLv3 and using it for their projects in growing numbers.

At this point we're three years into the GPLv3 process as Richard Stallman officially released GPLv3 on June 29, 2007. So yeah it's about time that GPLv3 asserts itself as the dominant form of the GPL.

How to make money in open source #oscon

By Sean Kerner   |    July 22, 2010

From the 'MySQL Magic' files:

Marten Mickos (pic left) is perhaps best known as the former CEO of open source database vendor MySQL. Mickos is currently the CEO of open source cloud vendor Eucalyptus and he's trying to mimic the success that MySQL had with his new company.

So how does an open source company make money?

During a keynote at the OSCON conference on Wednesday, Mickos delivered a very simple formula.

"There are some people with lots of time and no interest in spending money and there are other people with lots of money and no interest in spending time," Mickos said. "So we're trying to sell something to those with money and give something to those with time."

Makes good sense to me - there will always be users that won't pay for software for whatever reason. For some users there may not be a need for support and services either. But the fact that there are people that will pay because they have a need, is what continues to enable commercial entities to prosper with open source software.

Open Source users need to 'pick up the poop' #oscon

By Sean Kerner   |    July 22, 2010

From the 'Creative Keynote Title' files:

Stormy Peters (pic left) is the Executive Director of the GNOME Foundation and she's got a message for open source devs and users: Pick Up the Poop.

No, I'm not making that up. That was the title of her OSCON keynote on Wednesday in which she encouraged attendees to fix what's wrong with web services.

Peters explained that she has a 3 year old at home (and little kids are fascinated by the word 'poop'), so that's partially where the title came from.

Fundamentally though in her view it is up to the open source community to see where there is 'poop' - that is things that don't work right or aren't as they should be - in an effort to make them right.

In particular she stressed that in the modern era of online services like Facebook, Twitter and webmail - users need to ensure that they still have their freedom. We all need to make sure that our data and content is portable and that it can be extracted from the online services. She warned open source users to look out for their own freedom to ensure that their content isn't taken away by some kind of online service lock-in.

"Think about your freedom," Peters said. "And help pick up the poop."

Perhaps not the most elegant words ever spoken about software freedom, but it makes sense to me. The price of freedom is vigilance after all.

Why NASA uses Open Source

By Sean Kerner   |    July 20, 2010

From the 'Best Tech Isn't Necessarily in Area 51' files:

With billions of dollars and massive technology needs that are literally out-of-this-world, NASA has a lot of unique computing requirements. As it turns out, some of those requirements can be fulfilled by technology that isn't all that different from what regular enterprises need too.

In order to save the data from distant spacecraft, satellites and other scientific endeavors, NASA is leveraging open source tech (including Ubuntu Linux) and regular enterprise networking components to meet their mission.

I had the privilege of speaking with NASA's CTO for IT Chris Kemp this week around the OpenStack project in which NASA is participating. Kemp told me that NASA's Nebula cloud IT environment was built for science and research and has been optimized for low cost and massive scalability.

He added that NASA is using KVM on Ubuntu's Lucid LTS. Surprisingly to me, he noted that NASA isn't paying Canonical for support either at this point -- NASA is simply using Ubuntu as a freely available operating system (so no money for Shuttleworth and company, yet).

The NASA Nebula open source cloud technology's approach to low cost is in stark contrast to some other NASA efforts.

"Right across the street from where we have Nebula, we have the fastest Intel based supercomputer on the planet," Kemp said. "They have to render in twelve dimensions the network topology of their infiniband network --it's by far the biggest infiniband network ever created. That doesn't create an inexpensive infrastructure."

Will Mozilla's $3,000 bug bounty make Firefox secure?

By Sean Kerner   |    July 19, 2010

From the 'You Get What You Pay For' files:

Mozilla is increasing the amount it pays security researchers for bugs from $500 up to $3,000. I personally think that's a very good thing.

There has long been a debate about whether or not vendors should pay for security flaws. In my view, the flaws are going to be discovered whether or not a vendor is paying for them. The question is how they will be disclosed and whether or not those flaws will end up putting millions of users at risk - or not.

By paying for flaws, what Mozilla is doing is providing an economic model for both security researchers and for itself. For security researchers, a $3,000 payment is not an unreasonable sum in my view and it's more than the $1,337 that Google pays. HP's TippingPoint also pays for security flaws as well though they seem to have a floating scale on payments as far as I can tell.

I've already seen some chatter on Twitter and other places where security researchers (among them noted Apple hacker Charlie Miller) have commented on Mozilla's new bug bounty increase. The general sentiment of the chatter is that researchers will turn their attention more so now to Firefox, since it literally pays for them to do so.

Are Mozilla Firefox add-ons insecure?

By Sean Kerner   |    July 15, 2010

From the 'Everyday Risks' files:

One of the greatest features of the Mozilla Firefox open source web browser is its incredible extensibility by way of add-ons.

Yet as events this week have shown -- yet again - Mozilla's add-on security model is far from secure.

This week Mozilla pulled the Mozilla Sniffer from its add-ons site - as the tool intercepted login data submitted to any website, and then sent that data to a remote location.

How does such a malicious piece of software end up in a Mozilla public repository, available for any Firefox user to install?!

In a blog post, Mozilla defends itself noting that the add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed.

"Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review," Mozilla stated.

Basic malware scans will not pick up the types of attacks that are most common on the web today, namely cross site scripting and information disclosure types of attacks. As such, I for one am worried, as this isn't the first time bad add-ons have made it onto the Mozilla add-on site either. A similar issue was reported in February as well.

Firefox 4 to get App Tabs

By Sean Kerner   |    July 13, 2010

From the 'Tab as Apps' files:

Firefox 4 is set to get an amazing new tab feature that I think will change the way users think about tabs.

It's called the 'App Tab' and it's currently in the Firefox 4 Beta 2 nightlies (so no, it's not generally available, yet).

The basic idea is that there are many web applications (think Gmail) where you want to not just 'bookmark' the site but have a dedicated tab. With the App Tab, the app (say Gmail) gets its own dedicated tab which stays at the far left of the tab strip, making it easily accessible to users. (click the image above for my test case with Gmail as an App Tab).

Yes I know, it sounds like a simple idea, but it's brilliant isn't it?

I use multiple websites (Gmail, Twitter, Facebook etc) that I revisit multiple times over the course of the day. Having to find those open tabs on my current Firefox 3.6.6 tab strip is sometimes a challenge. With App Tabs, that's no longer the case and it makes for a dramatically improved browser experience.

As this is an under-development feature, it's not fully baked in the nightlies and not yet a publicly available feature for all, but it's one that I personally think will make the next Firefox 4 Beta an interesting experience for testers.

SCO appeals -- again

By Sean Kerner   |    July 09, 2010

From the 'I Told You So' files:

A month ago, many of my peers at other technology sites declared SCO to finally be dead. They had just lost yet another court decision in their UNIX copyrights case against Novell and it looked (to some), like they no longer had any room to maneuver.

I wrote on this blog that I wasn't so sure that was the case. As it turns out, I was right.

The good folks at Groklaw had posted a new SCO appeal. That's right, not dead -- but rather an appeal.

SCO isn't dead (yet).

The practical reality of the U.S. judicial system -- as far as I can tell in this case -- is that as long as SCO has the will, legal team and money to keep going -- they will keep going.

Much like the Terminator, SCO is a relentless machine that knows no sympathy or remorse and will just keep going until they get what they want. If they had time travel capabilities perhaps they'd go back in time to ensure their victory (like Skynet), but thankfully that's not an option for them, otherwise they'd likely use it.

Mozilla Public License rewrite deletes Netscape

By Sean Kerner   |    July 08, 2010


From the 'Firefox 4 Isn't Enough To Keep Us Busy' files:

Mozilla is perhaps best known today for its Firefox web browser. Underlying that browser however is the open source license that enables its development community to thrive. The Mozilla Public License (MPL) has remained nearly untouched since 1999 and now at long last is undergoing a process of evolution.

It's a process that will at long last sever some of the last legal language links that Mozilla had with Netscape too.

Back in 2008, Mozilla's Mitchell Baker told me that it was about time that the MPL get some attention. Strangely, it's now that the first alpha release of the next MPL is making the rounds, as Mozilla developers work on Firefox 4 and the leadership of Mozilla itself is in transition. I guess they just weren't busy enough...

What makes the MPL important in my opinion isn't just the fact that it's one of the key licenses under which Firefox is developed, but the fact that the MPL is also a widely used license by others. No, it doesn't have the same wide usage as the GPL in terms of project numbers, but it's still a major force to be reckoned with.

A lot has changed in the last decade: patents are a bigger issue, web/cloud based delivery is increasingly becoming the norm and mashing things up is the way that most applications are built today.

The first draft of the new MPL is still quite early and it's obvious to me that there is a lot of work yet to be done. Among the goals of the new MPL is to make the language simpler and to be able to provide a template for others to use the MPL without (much if any) modification.

Among the changes that I noticed is the fact that in the new MPL 2.0 draft, the name 'Netscape' is now being deleted from the license. For example section 11.1 of the current MPL states:

"Netscape Communications Corporation ("Netscape") may publish revised and/or Mozilla Foundation is the license steward."

That's a change that's a long time coming and shows the age of the MPL. When it was last modified, Netscape (the birthplace of Mozilla) was still a thriving concern. Netscape is now dead and gone and at long last its successor is moving on now too.

What is the most clicked Firefox button?

By Sean Kerner   |    July 02, 2010


From the 'What Do You Click?' files:

Which button in the open source Firefox web browser is the one most clicked by users on Windows, Mac and Linux?

The answer to that question and more has been addressed in a new Mozilla Firefox Main Window Usage Study. The study data was collected on an opt-in basis from nearly 10,000 users of the Mozilla Test Pilot addon which surveys Firefox usage.

Mozilla developers aren't just looking to gather statistics for statistics' sake either; the goal is to gain a better understanding of browser usage in an effort to provide a better experience in the upcoming Firefox 4 browser. In an effort to help visualize and display the data, Mozilla developers have also overlaid the study's data as a heatmap on top of a Firefox browser. A heatmap graph visually indicates how active certain areas of a map - in this case a web browser - are in terms of usage.

So which button is the most clicked?

By a landslide the 'Back' button was the most clicked of all navigation buttons which include the Back, Forward, Reload, Stop, and Home buttons. Across Windows, Mac and Linux 93.1 percent of users clicked the button at least once over the course of a five-day period. In total the study reported that users clicked on the back button 66 times over the course of five days.

Novell openSUSE 11.3 Linux nears release with RC2

By Sean Kerner   |    July 02, 2010

From the 'Gecko Rising' files:
 
After months of development, eight milestone releases and two release candidates, openSUSE 11.3 is almost done.

Novell's community Linux developers today released openSUSE 11.3 RC2 which is supposed to be the final development milestone ahead of openSUSE hitting general availability.

Currently openSUSE 11.3 is set for official release on July 15th.

Yeah, it does seem like openSUSE is a little late, after the Ubuntu Lucid and Fedora 13 releases, but that's not really the case. As Linux is a moving target and considering the new open source projects in openSUSE 11.3, it might be better to think of this distro as being early among its peers.

For one, openSUSE 11.3 will include the Btrfs filesystem as a real feature and not just as a tech preview. With openSUSE 11.3, users will be able to enable Btrfs right from the installer and that's something that no other major distro currently does by default as a fully supported feature.

At the kernel level, openSUSE 11.3 will have the recent Linux 2.6.34 kernel which packs in all kinds of new hardware enablements.

Firefox Sync 1.4 improves UI

By Sean Kerner   |    July 01, 2010

From the 'Firefox 4 Features' files:

Firefox Sync (formerly known as Mozilla Weave) is being upgraded to version 1.4 this week, in preparation for inclusion into Firefox 4 later this year.

Sync is a browser bookmark/tab/history synchronization add-on for Firefox 3.6.x now, but the plan moving forward is to integrate it directly into Firefox 4.

With Firefox Sync 1.4, developers are trying to make the UI better, by providing easily identifiable names for sync'ed browsers. Sure that sounds like a simple thing, but trust me, when you've got multiple machines it used to get real confusing really fast.

The other thing that I noticed after installing Firefox Sync 1.4 is how the setup and management has changed. With Sync 1.3 and its predecessors, there was a button at the bottom of the browser for setup and to access Sync. Now in 1.4 that button is gone (by default), which left me wondering what I was supposed to do.

Turns out the Sync menu/config is now all listed (by default) under the 'Tools' menu. Again a simple change and one that makes Sync a bit more integrated I suppose, though it was annoying to me personally on the first run after browser reboot.

Firefox Sync is also the key technology behind the Firefox Home app which Mozilla submitted this week to the Apple iPhone app store. It's not clear to me if Firefox Home will be updated in lock-step with Firefox Sync, though seeing how the two products are so closely related, I'd be surprised if there wasn't a shared roadmap.