Copyright takes down the “Bubble”


The Richter Scales’ here comes another bubble was a fun video and an excellent mash-up — while it lasted: What was the video’s page on Youtube is now a notice that “This video is no longer available due to a copyright claim by a third party.” On the Richter Scales’ Blog, there are some musings about mash-ups and credit; no word about the takedown, yet.


It’ll be interesting to see what happened, and what will happen next — at 690,575 views in some 10 days, this must be the highest-profile takedown in quite a while; for a change, it’s a piece of art, and a parody.

More on widgets: Exploring the Network


In my last musings about widget security, I was very brief about the Flickr Interestingness and Hockey widgets. After all, they both just provide the AllowNetworkAccess capability. I had overlooked that there is a shared cookie store on the Mac, shared, that is, at least by Safari and the Dashboard. From a bit of experimenting, it seems like that sharing affects all non-session cookies.

Now, what does that mean? A widget with the AllowNetworkAccess privilege can issue HTTP requests anywhere. These HTTP requests will carry the same cookies as a request from a just-started Safari instance. Therefore, any Web application that relies on persistent cookies for authentication (like many Web 2.0 services) can be used by such a widget without the user’s permission.

There are several attack scenarios here: A subverted widget could be a bridgehead behind a corporate firewall, with convenient access to intranet applications. And when a Web 2.0 site serves as the path through which a widget is exploited, then subverting widgets with AllowNetworkAccess might in fact be enough to deploy some rather interesting malware.

Show me a JSON-based Widget…


… and I show you an unguarded eval().

Today’s examples:

  • The Facebook Widget accesses about a dozen facebook APIs through JSON. It’s based on the facebook JS Library. And guess what the parseJSON routine in that library really is? This widget runs with the AllowFullAccess configuration option set.
  • The Flickr Interestingness widget is another culprit. This one only runs with the AllowInternetPlugins flag; if subverted, it might give an attacker access to, say, the latest Quicktime hole. Don’t think it’s enough to secure your browser.
  • The Hockey Widget doesn’t do JSON; instead, it loads some web page and parses an embedded script by, you guessed it, feeding it to eval(), after some minor searching and replacing. AllowNetworkAccess is set.

The bad teaching award of the day goes to the AOL Xdrive developer documentation: The Open XDrive Usage Meter of course accesses XDrive through JSON, and of course it uses eval() to parse. It has a sibling Windows Vista sidebar gadget; same problem. By the way, the security model for these gadgets gives access to ActiveX controls that are not marked “safe for scripting”.

Questions?

JSON + eval(): Owning the Dashboard


Twitter has been all the rage for a while; I’ll admit that I’ve been a late adopter (I’ve had an account since yesterday). It seems useful as a quick news aggregator (with feeds like the NY Times and Heise) — in particular when coupled to a dashboard widget on the Mac.

There are two dashboard widgets that let you both post and follow: Twitterlex and Twitgit. In plain English, both of these are huge security risks that create an easy way for an attacker on your network to take over your Mac. Uninstall them till there are new versions.

In technical terms, both are relatively simple pieces of JavaScript. Both use JSON to retrieve their data through the Twitter API. Both use eval() to evaluate the JSON data.

And that’s a pretty big deal: JSON is short for JavaScript Object Notation. That means that data are encoded in a subset of the JavaScript programming language, the same language that these two widgets are written in. eval(), then, is the simplest way to parse that information: Instead of doing anything fancy, the data are fed to the JavaScript interpreter. Which will do its thing, and duly interpret whatever it is given.

And, for these widgets, there is no sandbox to the rescue: While bad (and unsafe) JavaScript is a matter that affects just the perpetrator when it happens on an ordinary Web page, the sandbox for Dashboard widgets is actually configurable. Needless to say, both widgets are using that configurability: They both have the AllowSystem option set, to enable the widget.system() function. That method is used to execute arbitrary command line utilities, i.e., it grants as full control over the system as the user has — and that often includes control over the /Applications folder.

Twitterlex, incidentally, at least has a reason to open the sandbox, using Growl for notifications. Quickly looking through Twitgit, I couldn’t find any there, except that there was probably an example somewhere with the same code in it. Twitterlex makes up for this slight advantage by having an update notification mechanism that calls eval() on data retrieved from some URI on the programmer’s Web server. What’s currently returned from there looks benign; still, this would make for a marvelous backdoor.

How realistic are attacks against this kind of code? Very much so. Both widgets check Twitter regularly. Risks — leaving malice on the side of one of the “legitimate” data providers aside for a moment — include a subverted Twitter server (cross-site scripting will be enough, even though Twitter fortunately appears to be quite paranoid about that), a subverted server on the author’s side in the case of Twitterlex, and a man-in-the-middle attack against the data retrieval. The latter is quite easy to launch, as no cryptographic protection is used at all: Either ettercap or a subverted captive portal will do nicely.

All this illustrates some security fundamentals: When there are easy, but insecure, options, people will exercise them. If they can use eval() instead of JSON.parse(), they will do that. If they can break out of a sandbox, they’ll do that. In particular if that doesn’t keep the widgets from being installed. And if these two things can be done in one widget to make life more interesting, then that will happen, too.

Finally, if the same programming platform can be used locally that is known from the Web, then we’ll see the same programming style (and mistakes), and we’ll see local and Web vulnerabilities blur into each other.
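As an added example (not code from Twitterlex, Twitgit, or any other widget named above), here is the eval()-based parsing these posts describe next to JSON.parse(), run over a constructed Twitter-style reply and a constructed tampered copy of it; the `widget` object and the command string are stand-ins, not Dashboard’s real API.

```javascript
// Added example: eval() as a "JSON parser" in a widget with AllowSystem,
// compared with JSON.parse(). Everything here is constructed for illustration.

// Stand-in for widget.system(): with AllowSystem set, the real one runs a
// shell command. This one only records what it was asked to run.
function makeWidgetStub() {
  const calls = [];
  return { calls, system: (cmd) => { calls.push(cmd); return ''; } };
}

// The pattern the posts criticise: hand the HTTP body to the JavaScript
// interpreter. Direct eval sees `widget` in this scope, just as widget code
// sees the global widget object inside Dashboard.
function parseWithEval(body, widget) {
  return eval('(' + body + ')');
}

// The fix: a data-only parser. Anything that is not JSON is a SyntaxError.
function parseSafely(body) {
  return JSON.parse(body);
}

// Constructed sample of a Twitter-style timeline reply (not real API output).
const GENUINE =
  '[{"id":1,"text":"hello dashboard","user":{"screen_name":"alice"}}]';

// Constructed sample: the same reply after someone on the network edits the
// plain-HTTP response. Still valid JavaScript, no longer valid JSON.
const TAMPERED = '(widget.system("echo owned"), ' + GENUINE + ')';

// Parse one response both ways and report what each parser let through.
function processResponse(body) {
  const widget = makeWidgetStub();
  let viaEval = null;
  try {
    viaEval = parseWithEval(body, widget);
  } catch (e) {
    viaEval = null;
  }
  let viaJson = null;
  let rejected = false;
  try {
    viaJson = parseSafely(body);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  return {
    evalTweets: Array.isArray(viaEval) ? viaEval.length : 0,
    commandsRun: widget.calls, // non-empty means eval() executed code
    rejectedByJsonParse: rejected,
    safeTweets: Array.isArray(viaJson) ? viaJson.length : 0,
  };
}

console.log(processResponse(GENUINE));
console.log(processResponse(TAMPERED));
```

With the tampered body, eval() still hands back a perfectly normal-looking array of tweets, so the widget keeps working while the injected call has already run; JSON.parse() throws instead.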

Excellent (and DRM-free) news from Deutsche Grammophon


Via TechCrunch: Deutsche Grammophon will open an MP3-based online music store this week.

The store will offer 24,000 albums and box sets encoded in a delectable 320 kbps (over the more standard 128-192 kbps). Six hundred of these albums are no longer available on CDs.

That’s truly excellent news, in particular if you consider that Deutsche Grammophon is a label that has many brilliant “historic” recordings in its portfolio — some Furtwängler, anyone? It will be interesting to see what unavailable albums this Web shop will make available again, legally.

Later: The Shop indeed looks promising. Unfortunately, while Costa Rica and the Philippines are covered, customers from the smaller EU country that I live in have no chance to buy any music there. The joys of living in a tiny country.

Fedora 8 and the T43 paperweight


It’s major upgrade season again. As usual, I used yum to upgrade to the next major release (8, ever so tastefully codenamed “Werewolf”) of Fedora. As usual, things went mostly smoothly, with a few glitches:

  • During the upgrade process, yum stalled. After I killed it, the next iteration would fail during the “transaction check”: My system had both the fc7 and fc8 versions of certain packages installed, and yum somehow was not able to figure out how to deal with the obvious conflicts between these. So I had to go through things by hand, throwing out all versions of the packages in question (rpm -e --nodeps), and then using yum to explicitly install them. That should have been automatic.
  • Of course, the UI theme has changed a bit again. Fortunately not too much.
  • My Thinkpad’s hotkeys (Fn-F4 for suspend, Fn-F5 to turn bluetooth on or off) are suddenly routed through ACPI, so I had to make sure Fn-F4 is treated like a lid closure, and I had to drop in a trivial script to toggle bluetooth when Fn-F5 is detected. That, too, should just work out of the box, without me having to mess around with scripts. (Then again, being in full control of my ACPI setup also means that my machine doesn’t suspend when the plug is pulled…)

Most remarkably, it appears as though the ever-flaky Suspend/Resume survived the upgrade. We’ll see how reliably.

Later: The fun didn’t last long. For whatever reason, the T43 decided to become a rather expensive paperweight shortly after it was all done, by not showing any useful signs of life after a reboot. I ripped out the power cord and the battery, I removed the hard drive, I removed the memory extension — no change; I couldn’t even get the startup message to display. I’m now back to my more-than-four-year-old R40 and Fedora Core 4 (which happened to still sit around on that machine, in an abandoned version of my home directory). Meanwhile, I’m contemplating the quality of IBM’s warranty services (which I’ll exercise again this Monday), and possible successors to the T43. Top candidates right now: T61, X61t (or X60t), or the black MacBook.

(I’m fortunate enough to have made a full backup of my home directory earlier today, so at least that’s no reason for worries.)

Vernor Vinge, Rainbows End


A close friend recently gave me Vernor Vinge’s “Rainbows End”; in case you wonder about the spelling, there’s a chapter called “the missing apostrophe”. The book’s subtitle is “a novel with one foot in the future”, and as with most science-fiction, the foot in the present is the one that matters most.

Vinge introduces his reader to a not-too-distant future (2025). To build it, he does not need to break any laws of physics — (almost) all he describes is built on some plausible and incremental advances over today’s technological state of the art, and then some choices that societies might make (or rather, are making) about dealing with it. This world is, in some ways, post-apocalyptic: The next big California quake is a thing of the past, and (though the reader isn’t bothered with the details) it’s a great success that no major city has been lost for five years. 9/11 is really just a prelude to this world. Weapons of mass destruction are available to “anyone who has a bad hair day”, and so this future is one of surveillance and an almost almighty security apparatus. Constraints on technology paired with surveillance are not just a matter of the Great Powers, though: Ubiquitous wearable computing comes with the possibility to subvert others’ wearable computers; and there is broad and wide information sharing and use. Forget privacy. Also, right holders’ wildest dreams seem to have come true: Microroyalty payments are built into the infrastructures.

How does one live in that society? Writes Vinge:

In the modern world, success came from having the largest possible educated population and providing those hundreds of millions of creative people with credible freedom.

The society that we encounter in this book, then, is focusing on all things creative and playful — though some of that gets across as shallow, in particular to Robert Gu, one of the book’s main characters, who has “lost his marbles” when returning from a decade of Alzheimer’s after application of a successful cure; meaning that he’s lost both his world-class poetic talent and the ability to hit people where it hurts them most. In the cast of characters, Robert is joined by his grand-daughter Miri, his son Bob, and his daughter-in-law Alice — along with the somewhat obscure (but key) Rabbit, and a number of security apparatchiks.

With the novel’s always interesting and at times scarily plausible future society as a backdrop, these players engage in a tangled game of manipulation, hacks, and adventures, with nothing less at stake than freedom of thought. That story itself makes for an amusing and good read. It’s merely serving as a tool, though, to explore the consequences of technological and social choices that we face today.

Overall, an excellent book, and a thought-provoking read.

Update 2007-11-29: The book is available as a free download now. (via BoingBoing)

Great Circle Time


The year is almost over, and Richard Ishida reminds us that it’s great circle mapper time again.

Here we go…


Facebook: Third-party cookies on steroids


In Privacy versus cross-context aggregation, Wendy Seltzer points to stories by David Weinberger and Ethan Zuckerman about facebook’s latest marketing coup: When facebook users go shopping online (e.g., with Blockbuster) then their shopping behavior is pushed to facebook and used for advertising. From Weinberger’s description:

The new ad infrastructure enables Facebook to extend their reach onto other companies’ sites. For example, if you rent a copy of “Biodome” from Blockbuster.com, Blockbuster will look for a Facebook cookie on your computer. If it finds one, it will send a ping to Facebook. The Blockbuster site will pop up a “toast” (= popup) asking if you want to let your friends at Facebook know that you rented “Biodome.” If you say yes, next time you log into Facebook, Facebook will ask you to confirm that you want to let your friends know of your recent rental. If you say yes, that becomes an event that’s propagated in the news feed going to your friends.

While, technically, Blockbuster can’t look for a facebook cookie, it can give facebook the opportunity to look for it itself, and in the process hand off information about the purchase. That can be done through redirects, frames, or any number of other techniques. Some of these techniques involve JavaScript, some don’t. Ultimately, what we have here is the return of the 1990s third-party cookie, but on steroids, and used not just to track users’ page views, but to link business information across vendors.

(Not having either a facebook or a Blockbuster account, I don’t know what the precise technique used is; I’d be curious to learn more about that. If anyone feels like drilling down further, tamper data and Firebug are among the tools of choice.)

The more general point, though, is independent of the precise mechanism used to pass on the data: Today’s Web is an environment in which applications have lots of opportunities to communicate among each other, to aggregate data, and to mash-up information from different sources. What is useful infrastructure in a Web 2.0 application becomes a privacy threat when used maliciously.

Enabling social processes becomes key: How can we make sure Web applications’ data flows become comprehensible to users — both from an infrastructure and a usability perspective? And how can we make sure Web application providers need to state their intentions transparently, providing levers for social and regulatory enforcement? These questions bring us back all the way to P3P; using P3P policies as a trigger for cookie handling in IE6 demonstrated how to use technical capabilities as a lever to enable at least some social transparency of business behavior.

Maybe we need another generation of simple policy languages that enable a similar tie-in, but for a broader set of use cases: Placing cookies in HTTP headers is hardly the main concern any more. Forget cookies if you can get client-side SQL and client-side global data storage. Forget web bugs for data leaks if JavaScript can submit() forms cross-domain (and XForms have the same feature, but declaratively). And forget forms if events can cause the user’s every keypress and mouse click to trigger an XMLHttpRequest() object to phone home (soon cross-domain). In today’s environment, the ping attribute on links almost comes as a relief, as it enables easier spotting of tracking techniques — along with easier tracking. If, as a community, we want to use technical levers to entice Web application providers to behave in a socially transparent and responsible way, then we need to take a comprehensive approach, start to understand what technical control points we still have, and how we can use them.

Meanwhile, our best chance of keeping sites honest is the kind of public shaming that facebook is experiencing, law enforcement, and regulation (where applicable) — if anybody notices what’s going on, that is.

ICANN Nominating Committee Review Comments


Earlier this week, I submitted personal comments on ICANN’s Nominating Committee Review process (report here). My main points: The confidentiality of the Nominating Committee’s proceedings is actually a good thing, and should be preserved, even though we know it comes at a cost. Likewise, the unaccountability of individual members of the nominating committee is important. The chair is critical for the committee’s success or failure. While the review report’s recommendation to have the chair-elect serve on every given committee is a good one, its recommendations on the Associate Chair and Administrative Director would be positively damaging.

Besides this, there are a number of places where the report seems to recommend fixing issues where none exist; I recommend not doing that.

As far as the Nominating Committee’s overall credibility in the community is concerned, I can only hope that, as more people experience its processes first-hand, understanding and acceptance will grow.