Basic Web Security For The Average User

The Web has been around long enough that Web applications are a part of most everyone’s daily life. Even when a user is on a mobile device they could be interacting with Web services. Sadly there are still many applications and services out there which lack what should be the minimum security. Luckily there are some workarounds users can apply to protect themselves when applications have less than stellar security practices.

Secure Socket Layer (SSL)

What is it?

SSL keeps the Web traffic between you and the originating server encrypted, meaning it’s harder for someone else to see the data while it is in transit. If SSL is not in use, the Web traffic is viewable by anyone on the wire.

Can I increase my safety?

The best defense is diligence. Whenever you are about to enter data or log in, and after you have logged in, make sure you see ‘https:’ at the start of the URL.

For Firefox and Chrome users the EFF provides an extension called HTTPSEverywhere which attempts to keep your browsing over SSL where possible.

Cookie Flags

What is it?

Cookies are utilized to help identify and store small bits of information on the client side (your browser). Over the years a few flags have been added to cookies that help keep them from getting to the wrong people as easily. These flags are Secure and HttpOnly. Secure tells the browser that it should only pass the cookie to the server if the connection is using SSL. If it isn’t using SSL the cookie does not get sent with the request. HttpOnly keeps the cookie out of the hands of javascript, only giving it back to the originating server directly over HTTP/HTTPS requests.
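A small audit of the two flags described above, as an added example that is not code from the original post. It parses Set-Cookie header values (constructed samples here; a real run would take them from an HTTP response) and reports which cookies would be readable by page scripts or sent over plain HTTP.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example, not code from the original post. SAMPLE_HEADERS are constructed;
a real check would read them from an HTTP response.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split a Set-Cookie value into its cookie name and attribute flags.

    Attribute names are case-insensitive (RFC 6265), so compare lowercased.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_cookies(headers: List[str], over_https: bool = True) -> List[CookieReport]:
    """Return one report per header, listing the exposure each missing flag causes."""
    reports = []
    for h in headers:
        r = parse_set_cookie(h)
        if not r.httponly:
            r.problems.append("readable by page JavaScript (no HttpOnly)")
        if over_https and not r.secure:
            r.problems.append("would also be sent over plain HTTP (no Secure)")
        reports.append(r)
    return reports


# Constructed sample headers: one done right, one with no flags, one half done.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "remember_me=1; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "csrftoken=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_HEADERS):
        status = "ok" if not r.problems else "; ".join(r.problems)
        print(f"{r.name}: {status}")
```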

Can I increase my safety?

Right now I’m not aware of any extensions which force cookies to be HttpOnly on the browser side. If you are aware of a good mitigation please comment.

Cross Site Scripting (XSS)

What is it?

OWASP defines XSS like so:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

(Source)

Can I increase my safety?

By installing NoScript or something similar and utilizing Google Safe Browsing you can lessen the chance of successful XSS attacks, but it is far from a silver bullet. There is work being done to attempt to make XSS attacks much harder but it’s not currently in use.

Cross Site Request Forgery

What is it?

Cross site request forgeries happen when a browser on one page makes a request to a different site to attempt to do something on behalf of the user. There are many cases where this vulnerability is used by developers as functionality but that doesn’t make it any less dangerous.

Can I increase my safety?

Wikipedia has a good page on the subject:

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones.

(Source)

Password Hashing

What is it?

When an application stores passwords it should do so in a way that it doesn’t actually know the password you’ve entered. It may sound odd but it’s pretty trivial for application developers to do this. Yet sometimes they forget to implement this hashing (or the application is ancient and was never updated to do this).

Can I increase my safety?

The best defense a user can mount against disclosure is to use a different password for each site. Understandably this can sound scary: people feel like they have to remember too many passwords already. Thankfully there are applications which can help generate, store and remember these passwords and let you remember just one. Here are a few popular choices:

External References

What is it?

It’s very common for Web applications to include javascript, images or css from other locations. The reason for this is either to increase performance by using the browser’s cache, utilization of a content delivery system, including ads/analytics or, in some cases, laziness. The problem for the user comes when the remote content becomes unsafe or the content acts in ways the user is not OK with.

It can also cause problems for the application including the content. For more information see my previous post over trusting others to host your content.

Can I increase my safety?

Since, in most cases, the external references are required for the application to work, it is quite hard to fully protect against them in the browser, but there are still some things that can help.

One more thing…

While not specifically related to the bare minimum of remote web application security it’s important to keep your browser and extensions/plugins updated with the latest patches and supported versions. This can help protect against sites which are hosting browser based exploits for one reason or another (of course, don’t purposely go visit such a site!). For plugins, Mozilla provides a great plugin check page which seems to work for Chrome to some degree as well. Go check your versions!

Durham World Beer Fest: Not Worth It

Such a huge let down I left at 2pm. The lines at the 12-4pm session were atrocious. Think about a bunch of 8 year olds crowding around an ice cream truck and you are pretty much spot on. You just need to add purposeful line cutting and lots of college shirts. On my first attempt at a pour I was already pushed out of the way, ignored and line cut.

You may be thinking this must have been another hipster beer thing. Not even close. If there is a tag line to this event it should be ‘WOOOOOOOOO!’ because that is a lot of what you will hear when not hearing frat talk or girls yapping about cute guys.

Learn Something New

I learned a few important things:

No one picks up the ‘for more information’ telephone line. The voice mail for the line will be full. It is useless.

Either beer festivals are not for me or people who like beer do not attend beer festivals. I’m not sure which. I wanted to try a number of drinks from many different breweries but the frustration of simply finding the end of the line is a mood killer. Mix that with the pushing and seriously stupid frat/sorority talk and it’s just no fun. And don’t try asking someone if they are in line because they probably can’t hear you.

Beer festivals are for cheap beer swillers looking for a cheap way to drink. For them this is a serious deal! They can drink and drink without paying any more than the cover charge. Their lack of self awareness allows them to enjoy pushing their way to the next drink. For someone looking to taste different beers and find some new favorites you’re likely just in between jerks and their drinks.

These events are oversold. Granted, they probably are within legal limits for the venue but it’s not comfortable. It’s not even ‘just a bit annoying’. It’s downright frustrating every time you venture back into the hot, loud and bursting at the seams tents to get two ounces and some shoves.

There must be a suspension of general friendliness at these festivals. Since it’s so crowded the etiquette seems to be it’s fine to walk into people as it’s their fault for not moving out of line for you. Also, it’s cool to block lines and talk in groups making tents even worse.

Nice Acts

One brewery filled my cup before two big guys who cut in front of me. It was a breath of fresh air.

A lady bumping into me while I stood outside the tents said ‘excuse me’. That was friendly of her.

Better Option

In this case I should have bought a few new beers and tried them with friends. I would have gotten more beer, paid a lot less money and avoided much frustration.

Thoughts

It has me wondering if maybe beer isn’t for me (assuming this is actually the beer crowd and people who enjoy beer are just an Internet thing).

Needless to say I will stay away from these events for a while. But if you are thinking of going to a beer festival be very wary. Do research to make sure it’s your crowd. Make sure they state the max attendance capacity. If they don’t say the audience limit they are probably hiding something. Do the math and make sure you will break even or come out ahead on the ticket price versus drinks. Lastly, be prepared to push back.

Proprietary Content Provider Woes

I am a fan of technology and comics so when Sony started providing comics through their Playstation Store service I decided to give it a go. It wasn’t bad for an early go and I enjoyed the ability to download and read comics on a whim.

Yesterday I received an email from Sony which was blank. Well, actually it was an HTML-only email which my mail client did not render (as I block HTML email), including an email-opened tracking image (http://links.sony.mkt3395.com/open/log/.*) via MarkMonitor. The email had the subject of “PSP (PlayStation Portable) comic content service closure announcement”. I followed the more information link and read up on what the plan was.

Question: Why are you closing the Comic store for PSP?
Answer: We stopped providing new content to the Comic Store last summer to focus on bringing the comic service to other Sony devices. Our focus now is to bring more digital entertainment services to our products.

Q: What happens in January when the re-download service for Comic Store is no longer available, will I be able to access my previously downloaded comic content?
A: From mid-January you will not be able to access previously downloaded content from the Comic Store however, to avoid losing your downloaded content you can back it up on your PC using the Media Go application

(Source)

My first thought was “Great, all my purchases are now dead.” but I decided to avoid being so negative so quickly and clicked for more information on Media Go. Maybe they have a plan for us consumers.

Plans?

Media Go can back up the comics that one purchased but it requires either Windows and/or Sony devices. That puts me totally out of luck. My understanding is that the format of the comics is proprietary so I’d probably be out of luck even if I could back them up without purchasing something to run Sony’s proprietary software. My saving grace is that I didn’t spend a ton of money on getting comics from Sony, else I’d be really upset.

What Would Have Been Better

Sony’s focusing on ‘providing content’ to their other devices. That’s all well and good but I own one of their devices and the comics were some of the content. A better solution for customers would have been to make a deal with another provider of digital comics to allow for continued access to already purchased content. Even if it is proprietary to proprietary (like ComiXology) it would still be continued easy access.

Sony Says Thank You

“We apologise to fans for the change and thank you for your support of the Comic Store for PSP,” said SCEE’s Mayumi Donovan.

(Source)

I guess some companies are not ready to provide content. I hope they learn from this mistake as I have. In the future I’ll be much more cautious about who I allow to be a paid content provider by looking at how they handled the end of previous content distribution.

Humble Indie Bundle 6

A few years back I learned about the Humble Indie Bundle from a coworker. “Name your price, help charity and download” he said. My initial reaction at the time was to read about the package and nicely say “good for you for supporting them.” Why? Because I wasn’t sure what price to select for the games. I had been so desensitized to the general commercial distribution channels that the idea of picking my own price sounded too good to be true. I thought “sure, it goes to charity and indie developers but the games must not be that great if I can pay 10$ and walk away with 5+ games.”

Fast forward. When I was told a new bundle had been released I decided to give it a shot. Worst case I’m out 20$ or so. I paid, downloaded and played. Then played, followed by playing some more. I believe I played Bastion the most out of all of that bundle but I had a lot of fun with many of the games. It was obvious I had been missing out.

When 6 was released I didn’t hesitate. I bought the bundle the first day it went up. I even bought a second giftable bundle. I’ve not been disappointed.

There is one more awesome feature: the games run on Linux and Macs as well as the commonly supported Windows. For people like me who spend most of the time in Linux (because I like it) it’s so nice to play in the same OS I live in.

So far I’ve spent the most time in SPAZ. It’s my kind of game for sure. In some ways it reminds me of Solar Winds, which was one of my favorite games from my childhood, though I’d say SPAZ is more action oriented. Torchlight is a close second followed by Dustforce. I’ve yet to try the latest 4 additions to the bundle (seriously, more AFTER you buy!) but can’t wait to try Jamestown, Wizorb and Gratuitous Space Battles as they all look right up my alley.

TL;DR
The Humble Indie Bundle 6 is worth the cost and you can help charity at the same time. What’s not to like?

Victory In Beer

Ever since I was introduced to craft beers (which is not all that long ago) I’ve been sampling many different styles from many different breweries. One night as I opened up a Hop Devil I looked at my growing bottle cap collection and noticed one cap design more than any other: Victory!

As it turns out over the last few months I’ve been enjoying a decent amount of Victory beers compared to other breweries. Some of them have become high on my list while others are simply me giving another brewery+style a try. Here are the ones I’ve really enjoyed:

Moonglow Weizenbock

I really like this beer. It is decently high ABV and only available in the fall (seasonal) but it tastes great. Add on top of that it doesn’t cost an arm and a leg and it’s an easy winner. On BA it has ‘exceptional’ and ‘world-class’ reviews.

Donnybrook Stout

I do like stouts but tend to go more for milk, mocha and espresso stouts. Donnybrook is a great stout when you don’t want to get hit with the normal craft high ABV as it clocks in around 3.7%. It’s true it’s not the most memorable dry stout but it’s plentiful, light and enjoyable.

Prima Pils

Unlike a lot of my friends I don’t drink much lager but this is a US made pilsener I could enjoy! It seems slightly hoppier than other pilseners I’ve had without running away from the origin style. Again, BA gives it ‘exceptional’ and ‘world-class’.

Whirlwind Witbier

Probably the first Victory beer I tried. Very true to style and fits really well on hot summer days. The spiciness and banana flavors are what keep me coming back and it looks like I’m not the only fan.

There are two other things they all have which make me like Victory: price and availability. Not to say that good beer isn’t worth paying extra for, but it is nice to not get sticker shock from beer. And its availability is pretty good. True, it won’t be hanging out at many general grocery stores but it seems common in bottle shops. I’ve even been able to buy them in singles (big plus as I like to get different styles in one pack).

There is one beer from Victory I don’t really seem to get.

HopDevil

It has glowing reviews all around yet for me it seems very mild. Listed as an IPA, yet called an APA sometimes, Hop Devil doesn’t have the hop bitterness I think of when IPA comes to mind. I think more in line with Sierra Nevada’s Torpedo or Dogfish Head’s 90 Minute IPA. HopDevil isn’t bad, I just don’t see why so many people like it specifically. But that’s OK, I don’t have to love everything.

Trusting Others To Host Content In Your Web Apps

One of the things I tend to warn other developers about is the inclusion of third party content in their applications. No, I’m not talking about pulling in serialized data from trusted sources. I’m talking about simply adding “stuff on the site”. This isn’t anything ground breaking. In fact, it’s pretty obvious stuff. The news that Google was identifying The Verge as a malware host is a pretty good and well publicized example of what can go wrong. Keep in mind I’m going on public information.

If you are unaware of The Verge here is how they define who they are:

The Verge was founded in 2011 in partnership with Vox Media, and covers the intersection of technology, science, art, and culture. Its mission is to offer in-depth reporting and long-form feature stories, breaking news coverage, product information, and community content in a unified and cohesive manner. The site is powered by Vox Media’s Chorus platform, a modern media stack built for web-native news in the 21st century.

(Source)

Visiting

When most general users go to a website they probably don’t realize that they may be making requests out to many locations. In the case of The Verge’s main page they are making requests out to the following domains for images and javascript.

  • http://www.google-analytics.com
  • ajax.googleapis.com
  • apis.google.com
  • ad.doubleclick.net
  • platform.twitter.com
  • cdn0.sbnation.com
  • cdn1.sbnation.com
  • ox-d.sbnation.com
  • tags.crwdcntrl.net
  • fonts.sbnation.com
  • bs.serving-sys.com
  • cdn3.sbnation.com
  • http://www.facebook.com
  • p.typekit.net
  • edge.quantserve.com
  • aperture.displaymarketplace.com
  • static.chartbeat.com

The more technical the reader is, the more likely they are to understand that a visit to a website is probably going to include many requests to many different sites. The above list of domains is pretty normal. Facebook, Twitter and Google for social networking. Ad companies to show ads. Tracking companies for analytics. And the use of a CDN (content delivery network) is a pretty common practice for web applications which encounter high load. Nothing to see here, right?
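A way to produce a list like the one above for any page, as an added example that is not code from this post or the earlier "External References" section: it parses the HTML for the tags that make the browser fetch sub-resources and counts the hosts that differ from the page's own. The HTML below is constructed; `example-cdn.net` and `example-news.com` are placeholder names, while the Google Analytics and Twitter hosts are the ones listed above.

```python
"""List the third-party hosts a page pulls scripts, styles and images from.

Added example, not code from the original post. SAMPLE_HTML is constructed to
resemble a news page; a real run would fetch the page body and pass it in.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource automatically
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}
FETCHED_LINK_RELS = {"stylesheet", "preload", "icon"}


class ResourceCollector(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower()
            if rel not in FETCHED_LINK_RELS:
                return  # canonical/alternate links are not fetched as resources
        value = attrs.get(attr_name)
        if value:
            # urljoin resolves relative and protocol-relative ("//host/...") URLs
            self.urls.append(urljoin(self.page_url, value))


def third_party_hosts(page_url: str, html: str) -> Dict[str, int]:
    """Map each external host to the number of resources loaded from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    counts: Dict[str, int] = {}
    for u in collector.urls:
        host = urlsplit(u).hostname
        if host and host != own_host:
            counts[host] = counts.get(host, 0) + 1
    return dict(sorted(counts.items()))


# Constructed sample page: one first-party script, the rest from other hosts.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//fonts.example-cdn.net/site.css">
<link rel="canonical" href="http://www.example-news.com/">
<script src="/js/app.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="https://platform.twitter.com/widgets.js"></script>
</head><body>
<img src="http://cdn0.example-cdn.net/logo.png">
<img src="http://cdn0.example-cdn.net/hero.jpg">
</body></html>"""

if __name__ == "__main__":
    for host, n in third_party_hosts("http://www.example-news.com/", SAMPLE_HTML).items():
        print(f"{host}: {n} resource(s)")
```

Every host printed is one whose security posture the page has implicitly adopted, which is the point the next section makes.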

Maybe a little

By including these domains a certain amount of trust is given. If any of those third party sites encounter a security issue then the site doing the including could be affected. In this case it was sbnation.com’s reputation which was causing an issue. At one point Google’s Safe Browsing system identified malware being hosted on sbnation.com, which means it is going to flag requests to the domain as a possible problem. In fact, here is what Google Safe Browsing had for sbnation.com:

What happened when Google visited this site?
Of the 8071 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-09-17, and the last time suspicious content was found on this site was on 2012-09-16.
Malicious software includes 8 trojan(s), 2 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including 63.143.*.0/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including u******.net/.

This site was hosted on 26 network(s) including AS29791 (VOXEL), AS36089 (OPENX), AS11855 (INTERNAP).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, sbnation.com appeared to function as an intermediary for the infection of 3 site(s) including ml****.com/, fa******.com/, f*******es.com/.

(Source – Asterisks added)

Because sbnation.com had malware associated with it recently, The Verge, who was using sbnation as a CDN, had its threat level raised. It’s even pretty obvious via the red warning that Chrome was giving users: “www.theverge.com contains content from cdn0.sbnation.com, a site known to distribute malware”. If you are interested in what the errors looked like to users check out the thread that was going on The Verge’s forums.

Was the situation dangerous?

I have a feeling in the above case it probably wasn’t. The CDN is probably used by a lot of different sites and the content in use is likely uploaded by the first party but, to be honest, I didn’t look into it as it’s an example of what can go wrong and not the meat of the post. But it still isn’t the best position to be in. If users want to be protected then having a system like Safe Browsing warn them that a third party host in use by the first party has been noted as distributing malware is probably a fair result.

Is including remote content really about trust?

Yeah, it kind of is. Let’s say there is a web application that lets you get feedback on your site simply. All you need to do is drop in a small bit of javascript referencing the service and you will be set! You’re all done and can have a drink to pre-celebrate the great feedback you’ll get. But what if the developers create a terrible bug in the javascript you are including or, worse, something happens to the server that is hosting the javascript you now include? By adding in content from the third party you are trusting that their security level matches or surpasses your own. You are also trusting that any third parties they are using meet or exceed your security level as well. If any of those third parties do not meet or exceed your standards then your users/visitors and brand (if applicable) could take a hit.

Nexus 7: The Tablet I Didn’t Know I Wanted

When it became obvious I was going to be getting a tablet a number of years ago I knew exactly what I wanted. It had to be 10-ish”, Android based and have a keyboard dock. My reasoning for the dock was so I could get some “real work done” in a pinch and that would require some decently fast typing I wasn’t sure I could do with my thumbs. At the time I went with the Asus Transformer and, I have to admit, liked the device a lot. I also learned that what I thought I wanted in a tablet was not totally accurate.

Break it down

10 > 7

There were a few reasons I thought that a 10″ tablet would be much better than a 7″. The first being that there would be more screen to view. That means more widgets, bigger videos, more room to enjoy games, etc. While I get most of my comics in physical form, the thought of reading a comic on a 7″ screen seemed unnecessarily frustrating. The next reason was due to what, at the time, was a sizable screen on a phone. I had this thought that a 7″ wasn’t a drastic enough difference from my phone’s screen size. Lastly, I had the mindset that the 7″ tablets are the 10″ tablets’ cheaper versions. It sort of makes sense. In other areas of tech the smaller version has less space/power/upgrades/something.

Android!

I wanted an Android based device. I had just mourned a move from WebOS to an Android phone. I liked the Android phone quite a bit and figured it would do well in tablet form. The more open nature of Android was a big factor as I’d much rather use open or Free software. Add to that I could use the same apps and it was a no brainer. Of course having many of my other friends walking around with Android devices didn’t hurt either.

Get things done

When I said “get real work done” what I really mean is not simple nor short. “Real work” constituted things that I didn’t see as being very easy to do with a soft keyboard. Not impossible, but not an enjoyable experience. For instance writing a blog post or going through some code would be work while responding to an email or reading a book wouldn’t.

Where I went wrong

10 != 7

10″ and 7″ really are in different categories as Ava from HeelsAndTech points out. What I slowly started to figure out was that portability was a huge want for me when it comes to tablet usage. Of course a 10″ is portable but a 7″ is easier to keep with you day after day. Keeping a 10″ tablet with me day after day was like keeping a very light textbook along. A 7″ tablet is similar to carrying a light paperback.

Android?

Nope, spot on with this one.

Work

But way off here. I usually don’t think of myself as a consumer but somewhere in between producer and consumer. I’m creating code, writing documents, editing images, recording music, etc… My faulty assumption was that I would want to do most of these things from my tablet. In reality I grabbed the tablet when I wanted to read the feeds without being tied to a desk or watch a movie on a treadmill (probably not the safest thing…). These were times when I was done creating for the moment and ready to walk away from the desk.

But I wasn’t unhappy

My Transformer didn’t cause any problems. It had great battery life. It’s screen was nice. But something happened that inched me over the line: seemingly no official word on the original Transformer getting Jelly Bean, the newest version of Android. It is true I could root the device and throw another ROM on there but when it comes to my tablet I want to keep it simple. It got me thinking more about if it was already time to replace my Transformer with another device which had a better chance for a longer life span.

Nexus 7

I waited a little bit and it wasn’t long before I started to see friends slowly getting their hands on Nexus 7’s and still liking them weeks after purchase. It got me thinking about whether an official Google device would likely get a better lifespan than 3rd party devices which rebuild, add on and push their own ROMs out. After a coworker brought a Nexus 7 over so I could test out the tablet I was pretty much sold.

So far it hasn’t been perfect but total perfection is not what I was expecting. The issues have been minor and I believe are more on the server side than client side. For instance I was looking at Google Play Magazines and it was stuck trying to log in.

In general it’s a solid and speedy device with a good feel. I’m glad I picked one up when I did.

Update

The issue I had with Google Play Magazines I also had with Google Currents. This seems to happen if you accidentally hit the account you want to use twice on first run. Here is how I fixed it on my tablet (using paraphrased wording):

  • go to Settings->Applications
  • find Google Magazines/Google Currents
  • View the application information
  • Touch Force Stop and the warning that pops up after about the application possibly misbehaving
  • Touch Clear Data
  • Touch Home and reopen the app.

You should now be back to the original “select the account to use” screen. Be careful to only click your account once. The Nexus screen is very sensitive!

“Security? That’s the OS’s/Networks Job!”

I spend a good amount of my time doing software development. I’m one of those guys that has a bad habit of starting projects, getting half or three fourths of the way through and then coming up with another project to do (leaving the original out in the cold). Needless to say I end up playing with a lot of tools and libraries to help with projects, but I’ve started to notice a pattern: the assumption that behind the firewall everyone is friends.

In a more recent project I was working on it became apparent that a queuing system of some kind was going to be needed. Instead of running out and picking the most popular flavor of the month I figured the best move would be to give a few different systems used for queuing a run and see how they worked out. In general I was impressed with their abilities but found the security lacking greatly in a number of them.

Applications

Please be aware I’m not trying to discount any of these applications. The two I tried directly I really liked from a development point of view.

Redis

One of the earlier ones I checked out was Redis. It was blazing fast but the security model is interesting.

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.

(Source)

To make matters even more interesting it has support for a single password passed in plaintext over the wire. Granted, it’s possible to use an SSL proxy as the guide points out, but with one user non-repudiation could be a serious problem (especially if logs go back to NAT’d addresses). In effect the security model of Redis seems to require a single tenant, well logged (at network, host and app level) and heavily ACL’d environment. With cloud hosting I’m not so sure how well one could ensure this is the case at all times. Granted, if it’s a single developer running his own infrastructure or a very small company/group/team then it could be possible that the model would work well enough. Honestly I couldn’t get over the fact I’d have to tell friends who wanted to play with the project they’d have to make a special environment before installing.

Beanstalk

I didn’t end up trying beanstalk but did notice it had similar pitfalls. As Kurt Seifried points out in his blog:

The major downside to beanstalkd is that it doesn’t provide any encryption of network traffic or authentication capabilities, so any client with access to a running instance of a beanstalkd server will have access to all the queues in that running instance. This can be gotten around by wrapping beanstalkd in SSL (using stunnel or a similar service) to secure communications and limiting access to beanstalkd queues based on either IP address or by requiring SSL client authentication.

(Source)

So again, if you want to use the service you must either set up extra hoops and/or have an incredibly locked down infrastructure.

ZeroMQ

ZeroMQ is really cool. But you end up with the similar problem of network ACLs providing all of your protection unless you write your own authentication and authorization mechanisms.

What security features does ØMQ support?

None at the moment. ØMQ does not deal with security by design but concentrates on getting your bytes over the network as fast as possible. Solutions exist for security at the transport layer which are well understood and have had many man-years of development invested in them, such as IPsec or OpenVPN.

(Source)

Granted zmq is a bit lower level and used as a building block instead of a solution so it is understandable why some things are pushed back upon the developer to implement as needed.

But Who Cares?

It’s more about being aware.

  • Can anyone promise that network ACLs won’t be modified to enable a shiny new application?
  • Can you be sure that the other side of the SSL connection will remain safe and trustworthy?
  • Is any data making its way through which can have an effect on processes inside the firewall guaranteed safe (example)?
  • If the hosts are multi tenant or in the cloud are you sure everyone who has access to the VMs or networks is trustworthy?

You and/or the developers of these apps wouldn’t have come up with some kind of security solution if it was OK for any random Joe to play with the service. If someone is able to interact with a service which is “soft on the inside” then it’s likely that service would be an early target.

Simple Examples

For example, let’s imagine an attacker gets access to the service because he is able to take control of an approved host. If the service on the other side is Redis then the attacker could sit and gain information painlessly before copying work from that point forward. If it is a zmq port then an attacker could attach another process to it and get either a copy of everything (a SUB socket with an empty "" subscription prefix) or a subset of the data (PULL). Beanstalk probably has similar abilities. The security on the other side of the connection, whether inside or outside the firewall, ends up being as important as the security on the inside as the level of access to the service is more or less the same. All or nothing.

Using an SSL tunnel and only allowing specific hosts may constitute defense in depth on paper, but it doesn’t seem to be enough. Maybe I’m too paranoid, but if there was authentication and basic authorization in or around the service an intruder would need to gain further information or perform more attacks to gain access.
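One way to put that authentication and basic authorization “around” a service that has none itself is to wrap each message in a signed envelope, so that a process which merely reaches the socket can neither inject accepted messages nor replay captured ones. This is an added illustration written for this post, not code from any of the projects mentioned; the key IDs, keys and topic permissions are constructed, and the envelope is transport-agnostic (it would ride inside a zmq frame, a beanstalk job or a Redis value unchanged).

```python
import hashlib
import hmac
import json
import time

# Constructed example data: one pre-shared key per producer (the consumer holds
# all of them) and the topics each producer is allowed to publish to.
KEYS = {"billing-01": b"constructed-key-billing", "metrics-07": b"constructed-key-metrics"}
ALLOWED = {"billing-01": {"invoices"}, "metrics-07": {"metrics"}}
MAX_SKEW = 30  # seconds; a captured envelope replayed later than this is dropped

def _mac(key, kid, topic, ts, body):
    # Bind sender, topic, timestamp and body together so none can be swapped.
    data = "\x00".join([kid, topic, str(ts), body]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(kid, topic, body, now=None):
    """Producer side: wrap a payload in an authenticated, timestamped envelope."""
    ts = int(time.time() if now is None else now)
    env = {"kid": kid, "topic": topic, "ts": ts, "body": body}
    env["mac"] = _mac(KEYS[kid], kid, topic, ts, body)
    return json.dumps(env)

def verify(raw, now=None):
    """Consumer side: ("ok", topic, body) or ("rejected", reason)."""
    env = json.loads(raw)
    kid = env.get("kid")
    if kid not in KEYS:                      # reached the socket, but holds no key
        return ("rejected", "unknown sender")
    expected = _mac(KEYS[kid], kid, env["topic"], env["ts"], env["body"])
    if not hmac.compare_digest(expected, env.get("mac", "")):
        return ("rejected", "bad mac")       # forged, or tampered with in transit
    now = time.time() if now is None else now
    if abs(now - env["ts"]) > MAX_SKEW:
        return ("rejected", "stale")         # replay of an old capture
    if env["topic"] not in ALLOWED[kid]:     # authenticated, but not authorized
        return ("rejected", "not authorized for topic")
    return ("ok", env["topic"], env["body"])

def demo(now=1_000):
    """Run the consumer check over one good message and three hostile ones."""
    good = seal("billing-01", "invoices", "invoice 42 paid", now=now)
    tampered = json.loads(good)
    tampered["body"] = "invoice 42 refunded"
    return [
        verify(good, now=now + 5),                                              # accepted
        verify(json.dumps(tampered), now=now + 5),                              # bad mac
        verify(good, now=now + 600),                                            # stale replay
        verify(seal("metrics-07", "invoices", "invoice 43 paid", now=now), now=now + 5),  # wrong topic
    ]
```

Note that a MAC only gives integrity and sender authentication; a process attached to the socket can still read everything, so confidentiality against the SUB "" case needs encryption of the body as well.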

App.Net, Good, Bad and the Unfocused Problem

When I first heard of app.net I was somewhat skeptical. The idea of a pay-to-join social site did make sense to me, but I wasn’t so sure it would make sense to many other people. After seeing a few people from other social networks state they had backed the project I figured I might as well join in (hi kids!) and, so far, I’m glad I did.

The Good

Quality

One thing I’ve noticed on other social networks is the lack of real conversations. It’s a bunch of people all yelling to get attention in your feed. The conversations on app.net have been pretty good in terms of quality. Granted, a lot of the talk is either somewhat technical/geek talk or about app.net itself but it still beats out many other social networks in my opinion.

It’s big, but small

The service is still small enough that, if you so wish, you can watch the global feed to jump into conversations and meet new people. It’s sort of like the Asheville, NC of social networks.

I’m not the product.

Do I have to say anything more about that one? It’s just plain nice being the customer.

The Bad

Where is ___?

Like all new social networks your friends are probably not on it. At least not yet. There is no promise they ever will be on it. It’s a gamble but then again so was joining any other social network in the first few years of their creation.

It’s a social network.

I have to throw this in there for good measure. It’s a social network. Some people will be annoying, unfriendly, loud, etc… Luckily mute is built directly into the web interface and API, allowing you to keep some of the worse offenders from bugging you. The good news is that I have not encountered much of this yet, with one exception …

The Unfocused Problem

This is the exception and, in my opinion, is the biggest problem at the moment. For those who are not on ADN this may sound like an odd issue as it’s not uncommon for people to flood their followers on other services with random posts that mean very little. There has been a lot of talk on ADN about cross posting from other services which I call unfocused posts. In general I don’t think cross posting is a problem unless it’s excessive or makes references to things that do not exist in the current service. For instance, if someone posts a retweet/repost from Twitter to ADN referencing a user who is only on Twitter.

Why is this happening?

I think it’s happening for one of two reasons: “This is how it works” and “I paid for it…”

This is how it works.

This is a social problem for social networks (ha!). It’s the assumption that social networks should list all your social network traffic so everyone can see it. A good example would be FourSquare on Twitter. If someone is interested in your FourSquare check-ins they are likely your friend on FourSquare, yet people flood Twitter with FourSquare posts.

I paid for it…

This is more specific to ADN. Since it’s a pay-to-post service there is probably more of a need to post. If someone joined up and then decides it’s not yet worth their attention, I tend to believe they have a higher probability of cross posting from a service they are using actively. The thought process being “I paid for the account, I might as well use it.”

Solutions

One solution which is being worked on is filtering via annotations. I can see that being very helpful as long as the applications which enable cross posting end up filling out annotations and clients (including ADN’s web interface) allow for filtering based on these annotations. ADN will probably end up providing the client functionality web side in some form or another and some of the applications doing cross posting will probably fill out annotations properly but cross posts may still find a way through.

Here is a possible example of an innocent cross post which wouldn’t have annotations attached:

  1. User has a mobile microblogging client installed
  2. User has it set up to post to Twitter, Facebook and ADN
  3. User sends a “tweet” to a friend on Twitter
  4. Result is three posts (one on each service). Only Twitter has the proper user context.

In this case I don’t think the client would really know that the user only exists on Twitter and that it should add annotations for ADN. It’s simply a post with a user reference.

In my off time I’ve been trying to come up with a stopgap solution via time-based thresholds, which I’ll bring up in a later post in greater detail.

Conclusion

If you are a geek of any kind it’s probably worth your time and money. The community is small and growing, the impact one user can have is still pretty high and, over a bit of time, you can probably make some more quality tech friends and contacts.