<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>beastiebytes.com</title>
    <link>http://beastiebytes.com/</link>
    <description>hacking for fun and profit</description>
    <item>
      <title>Nothing to hide? You are boring!</title>
      <link>http://beastiebytes.com/blog/Nothing to hide? You are boring!</link>
      <description>&lt;p&gt;Talking to my friends and random strangers about privacy problems like data collection and data mining, I often have to deal with the 'good guys have nothing to hide' argument.&lt;br&gt;&lt;br&gt;Here is my list of answers; add yours in the comments.&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;You are boring!&lt;/b&gt;&lt;br&gt;Everybody makes mistakes, behaves like an idiot, breaks or bends the rules of his community from time to time. In case you never do, you are incredibly boring. I do not want all my stupidity saved on tape for future amusement.&lt;br&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;Everything you say or do can and will be used against you (even if it takes some time)&lt;/b&gt;&lt;br&gt;Do you want your insurance company to know that you buy alcohol regularly, smoke two packs of cigarettes each day and ate lots of raw British beef in the 90s? That your father died of cancer, your mother has diabetes and your girlfriend wants a child? None of this is illegal, but it is private. I am sure you want it to stay that way.&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;b&gt;Really want it? Really need it? Have enough money?&lt;/b&gt;&lt;br&gt;So your car is broken, you commute each day and you hate public transportation? Good to know that you have $8,435 in the bank, because that is the price the car dealer will quote you. It is called &lt;i&gt;price discrimination&lt;/i&gt;, one of the oldest retail strategies. Less privacy will mean price discrimination on steroids, where everyone will charge you the maximum price you would be willing to pay.&lt;br&gt;&lt;br&gt;&lt;b&gt;Perhaps somebody else has to hide something&lt;br&gt;&lt;/b&gt;Think about journalists. Do you want their sources to be afraid of contacting them? You probably want conversations between you and your lawyer to be confidential. What about politics? Do you want members of the opposition under surveillance?&lt;br&gt;&lt;br&gt;&lt;b&gt;In the end, you are just consumer ID#3370318/2716057.&lt;/b&gt;&lt;br&gt;You only buy unhealthy stuff in the store because you mostly eat home-grown organic food. You want health insurance? Today, you might be able to talk to someone who will get to know you and evaluate your risks. With unlimited data mining, that decision will be made by an algorithm. The insurance company is aware that there is a possibility that you are in fact a vegetarian, although your credit card shows other shopping habits. They also know that this is not very likely. In the end they do not take the risk.&lt;br&gt;&lt;br&gt;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Nothing to hide? You are boring!</guid>
    </item>
    <item>
      <title>Gentoo, Rails and mod_fcgid</title>
      <link>http://beastiebytes.com/blog/Gentoo, Rails and mod_fcgid</link>
      <description>&lt;p&gt;My friend Marcel asked me about my Gentoo, Rails and mod_fcgid configuration.&lt;/p&gt;&lt;p&gt;Here it is:&lt;/p&gt;&lt;p&gt;&lt;b&gt;Software versions:&lt;/b&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;apache-2.2.6&lt;/li&gt;&lt;li&gt;mod_fcgid 1.10&lt;/li&gt;&lt;li&gt;rails 1.2.5&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;b&gt;Content of the .htaccess file inside the public directory of the rails application:&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Options +FollowSymLinks +ExecCGI&lt;br&gt;RewriteEngine On&lt;br&gt;RewriteBase /&lt;br&gt;RewriteRule ^$ index.html [QSA]&lt;br&gt;RewriteRule ^([^.]+)$ $1.html [QSA]&lt;br&gt;RewriteCond %{REQUEST_FILENAME} !-f&lt;br&gt;RewriteRule ^(.*)$ dispatch.fcgi [QSA,L]&lt;br&gt;ErrorDocument 500 "&amp;lt;h2&amp;gt;Application error&amp;lt;/h2&amp;gt;Rails application failed to start properly"&lt;/p&gt;&lt;p&gt;&lt;b&gt;Example vhost entry:&lt;/b&gt;&lt;br&gt;&lt;br&gt;&amp;lt;VirtualHost *:80&amp;gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; ServerAdmin webmaster@domain.tld&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; DocumentRoot "/var/www/www.domain.tld/public/"&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; ErrorLog /var/www/www.domain.tld/log/apache.log&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; ServerName domain.tld&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Serveralias domain.tld&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;Directory "/var/www/www.domain.tld/public"&amp;gt;&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Options ExecCGI FollowSymLinks&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; AddHandler fcgid-script .cgi .fcgi .fcg&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; AllowOverride all&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Order allow,deny&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Allow from all&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;lt;/Directory&amp;gt;&lt;br&gt;&amp;lt;/VirtualHost&amp;gt;&amp;nbsp; 
&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;b&gt;Last things to do:&amp;nbsp;&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Make sure that the rails tmp directory is writable by the webserver.&lt;/p&gt;&lt;p&gt;Do not forget to run apache with mod_fcgid enabled. Edit /etc/conf.d/apache and add ' -D FCGID ' to the APACHE2_OPTS. Then restart the webserver with /etc/init.d/apache2 restart .&lt;/p&gt;&lt;p&gt;I removed dispatch.cgi to be sure that dispatch.fcgi is used. &lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Gentoo, Rails and mod_fcgid</guid>
    </item>
    <item>
      <title>Onetime Password plugin for rails</title>
      <link>http://beastiebytes.com/blog/Onetime Password plugin for rails</link>
      <description>&lt;p&gt;Do you blog from friends' computers or the internet cafe? &lt;/p&gt;&lt;p&gt;I do not. &lt;/p&gt;&lt;p&gt;I am too afraid that there is some sort of malware installed that will grab my password. To overcome this problem, I wrote a small one-time password (OTP) system for my bewiso content management software.&lt;/p&gt;&lt;p&gt;As the name says, a one-time password can only be used once; then it is invalid and cannot be used to unlock your account anymore. While this is great against shoulder surfing, it does not protect you from malware that takes over your current authenticated connection.&amp;nbsp; &lt;/p&gt;&lt;p&gt;There are two scenarios. In the first one, the attacker is able to read and write to your internet connection. This is very easy on public hotspots and doable more or less anywhere between your computer and the computer that you are talking to. You can protect your connection by using encryption and digital certificates to make sure that nobody is able to tamper with your data. That works.&lt;/p&gt;&lt;p&gt;In the second scenario, the malware or attacker has control over your computer. In this case, the encryption will not help you much, as the attacker is able to read and write data before it gets encrypted. Imagine you want to add a new post to your blog and the attacker changes the request from something like https://yourhost/new_article to https://yourhost/delete_all_articles . The result would be that all your posts are deleted. Not good. &lt;/p&gt;&lt;p&gt;It is very hard to protect against such a threat, as your blog server has no way of knowing whether you made the request or if your computer did it without you being aware of it.&lt;/p&gt;&lt;p&gt;Because of this problem, I wrote some additional code for the plugin that enables you to exclude some of the actions in your controller from being available during a one-time password session.&lt;/p&gt;&lt;p&gt;If you add something like&amp;nbsp;&lt;br&gt;&amp;nbsp; include OnetimepasswordSystem&lt;br&gt;&amp;nbsp; before_filter :no_otp_session, :except =&amp;gt; [:logout,:index]&lt;br&gt;to your controller, it will prevent all actions except 'logout' and 'index' from being available during an OTP session. &lt;/p&gt;&lt;p&gt;Get version 0.1 of my plugin here: &lt;a href="http://beastiebytes.com/files/onetimepassword-0.1.tar.gz"&gt;onetimepassword plugin v0.1&lt;/a&gt;&lt;/p&gt;&lt;p&gt;In case you have problems using the plugin, please &lt;a href="http://beastiebytes.com/blog/Contact+data"&gt;contact me&lt;/a&gt; or use the comment system.&amp;nbsp;&lt;/p&gt;&lt;p&gt;btw: I am aware that requests that change anything on a server should be POST requests and that there should be some protection against CSRF in place, but this is out of the scope of this article.&amp;nbsp;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Onetime Password plugin for rails</guid>
    </item>
    <item>
      <title>7 reasons why computer security is hard</title>
      <link>http://beastiebytes.com/blog/7 reasons why computer security is hard</link>
      <description>1. Constant changes&lt;br&gt;&lt;br&gt;There are new attacks and new vulnerabilities every day.&lt;br&gt;It is necessary to keep software up to date. If your software vendor issues a patch or an update, make sure to apply it as quickly as possible. In the case of mission critical systems, it is crucial to test the updates first to avoid bad surprises.&lt;br&gt;Sometimes security problems are publicly known before there is a fix or workaround. You will have to evaluate how risky it is to keep a piece of software or a system in use.&lt;br&gt;Not only do the bad guys get smarter, you do too. As you learn more about security you will constantly reconsider your security measures and adjust them to avoid being an easy target.&lt;br&gt;&lt;br&gt;&lt;br&gt;
2. Snake oil&lt;br&gt;&lt;br&gt;It is not possible for my mother to know about the downsides of personal firewalls and home-brew encryption algorithms. The media runs advertisements for security products and is therefore biased when it comes to an evaluation.&lt;br&gt;Many 'security' products are 'broken' hours after they are available to the public. Not only because of errors during the implementation, often because of the design itself.&lt;br&gt;Take antivirus scanners for example. If your system is already infected, the notice from your virus scanner that everything is ok is not very trustworthy. &lt;br&gt;&lt;br&gt;
3. Find a good trade-off&lt;br&gt;&lt;br&gt;Applying security is always a trade-off. Most of the time you lose comfort and gain additional security. Take email for example: You need a connection to your mailserver and you need a program to process the mails you receive. This increases your attack surface, but as a benefit you are able to read email.&lt;br&gt;If you run a normal desktop computer, it is good practice not to install every funny gadget like a new moon calendar. This means less "pimp my desktop"... but at least you do not increase your attack surface.&lt;br&gt;&lt;br&gt;&lt;br&gt;
4. Users&lt;br&gt;&lt;br&gt;Most of the time humans are the weakest link in a security system. Bad guys do not need to find a technical problem in a computer system if the person in front of it is willing to execute commands on the attacker's behalf. This can be done via email, on the phone or even by just sending an unlabeled CD-ROM.&lt;br&gt;It is very hard to defend against such attacks as they target natural human instincts like fear, guilt or the desire to help other people.&lt;br&gt;&lt;br&gt;&lt;br&gt;
5. Real person?&lt;br&gt;&lt;br&gt;It is next to impossible for a computer to decide whether it is talking to a real human or to another program. If the online system of your bank receives a request from your computer, it is not able to tell if you actually ordered a transaction or if some bad software did. When a firewall sees a connection to a webserver, it is not able to tell if you are surfing the web or if a program is sending data pretending to be legitimate traffic.&lt;br&gt;&lt;br&gt;&lt;br&gt;
6. Doing it wrong is easy&lt;br&gt;&lt;br&gt;A security consultant needs to identify all ways to break into your system and fix them properly. The criminal only needs to find one mistake and you are in trouble.&lt;br&gt;There are many ways to limit the impact of a security compromise, but in the end it comes down to this: the bad guys have it much easier.&lt;br&gt;&lt;br&gt;&lt;br&gt;
7. You have to trust someone&lt;br&gt;&lt;br&gt;How do you know that you are not running an operating system with a built-in backdoor? Sure that there is no keylogger in your new computer? Is your mobile phone really switched off? Is your new database server really unbreakable?&lt;br&gt;At the end of the day you need to make a trade-off and decide whom to trust.&lt;br&gt;One benefit of open source software or algorithms is that you (or someone you pay) can look into the program code and try to find hidden backdoors or security problems. This is no guarantee of finding all problems, but at least you have a chance.&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;br&gt;
Depressed now? Don't be. By applying good security practices and constant work, you can avoid being low-hanging fruit for the attackers.&lt;br&gt;&lt;br&gt;&lt;br&gt;</description>
      <guid>http://beastiebytes.com/blog/7 reasons why computer security is hard</guid>
    </item>
    <item>
      <title>A rails application in less than 10 hours.</title>
      <link>http://beastiebytes.com/blog/A rails application in less than 10 hours.</link>
      <description>&lt;p&gt;&lt;img src="http://beastiebytes.com/files/treesky.jpg" height="267" alt="tree and sky" width="400"&gt;&lt;/p&gt;&lt;p&gt; I was a bit bored and thought about the idea of writing a useful and production-ready web application with 'ruby on rails' in less than 10 hours. When I say production ready, I mean that the code is more or less readable and there is a set of tests in place to validate functionality. In the end it took me a few hours more to make this application available online, but I still think that the ruby on rails framework provides an excellent starting point for fast and clean development.&lt;/p&gt;&lt;p&gt;The basic steps:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Generation of the rails skeleton &lt;/li&gt;&lt;li&gt;Installation of plugins (acts_as_authenticated, classic_pagination)&lt;/li&gt;&lt;li&gt;Generation of the user model and the account controller&lt;/li&gt;&lt;li&gt;Some modifications to make the email signup notification work&lt;/li&gt;&lt;li&gt;Code to prevent cross site request forgeries (csrf)&lt;/li&gt;&lt;li&gt;Tests for the basic functionalities&lt;/li&gt;&lt;li&gt;Create two models 'requests' and 'question' (request has many questions) (answers are saved inside questions table) &lt;/li&gt;&lt;li&gt;Check that the models are protected against mass assignment&lt;/li&gt;&lt;li&gt;Tests for the two controllers (account and lazyrequest)&lt;/li&gt;&lt;li&gt;Observer and notifier for the request model to send mails on creation of a request &lt;/li&gt;&lt;li&gt; Coding...&lt;/li&gt;&lt;li&gt;Testing...&lt;/li&gt;&lt;li&gt;Coding...&lt;/li&gt;&lt;li&gt;Nice layout&lt;/li&gt;&lt;li&gt;Manual testing&lt;/li&gt;&lt;li&gt;Kleinkram (german: small stuff)&lt;/li&gt;&lt;li&gt;Upload to beastiebytes.com&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Todo list:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;more information for the user&lt;/li&gt;&lt;li&gt;displayed information needs to be more visible &lt;/li&gt;&lt;li&gt;more and nicer widgets to create questions&lt;/li&gt;&lt;li&gt;already filled in question sets or templates&lt;/li&gt;&lt;li&gt;gettext&lt;/li&gt;&lt;li&gt;better gui to create requests&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Roadmap:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;transform into survey tool&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The result is available here: &lt;a href="http://lazykid.beastiebytes.com/"&gt;http://lazykid.beastiebytes.com&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/A rails application in less than 10 hours.</guid>
    </item>
    <item>
      <title>Fail save</title>
      <link>http://beastiebytes.com/blog/Fail save</link>
      <description>&lt;p&gt;While working with the excellent &lt;a href="http://www.writertopia.com/developers/authorization"&gt;writertopia authorization plugin&lt;/a&gt; I made some small changes to let it fail more securely in certain situations. &lt;/p&gt;&lt;p&gt;With this plugin you are able to query and set permissions for users, optionally also in relation to certain models. To quote their website: "This plugin provides a flexible way to add authorization to Rails." This is true.&lt;br&gt; &lt;/p&gt;&lt;p&gt;You can write code like&lt;/p&gt;&lt;p&gt;do_something if current_user.is_moderator_of? forum_obj&lt;/p&gt;&lt;p&gt;or &lt;/p&gt;&lt;p&gt;do_something if current_user.is_registered?&lt;/p&gt;&lt;p&gt;There is no need to write a specific method called 'is_moderator_of?'.&amp;nbsp; The plugin does its magic and queries the database to get the needed information. &lt;/p&gt;&lt;p&gt;In the first example it would ask if the current_user has a role called 'moderator' and if this role is connected to the forum object. In the second example, the plugin would just check if the current_user has a role called 'registered'.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Here is the problem:&amp;nbsp;&lt;/p&gt;&lt;p&gt;If I call&lt;br&gt;&lt;br&gt;current_user.is_ROLENAME_of? authorizable_obj&lt;br&gt;&lt;br&gt;it evaluates to true in case authorizable_obj equals nil and the current_user has at least one role named ROLENAME.&lt;br&gt;&lt;br&gt;In my opinion it should evaluate to false, as this is more restrictive and prevents unwanted authorization in case the programmer did not make sure to test if authorizable_obj.nil?.&lt;br&gt;&lt;br&gt;This all comes down to the problem that, by the way 'has_role?' is called, it cannot differentiate between no authorizable_obj parameter at all and an authorizable_obj which equals nil.&lt;br&gt;&lt;br&gt;Going from the problem backwards to the use of the API, I would change the code like this:&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;br&gt;The 'has_role?' method inside object_roles_table.rb from&lt;br&gt;&lt;br&gt;def has_role?( role_name, authorizable_obj = nil )&lt;br&gt;&amp;nbsp; if authorizable_obj.nil?&lt;br&gt;# If we ask a general role question, return true if any role is defined.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; self.roles.find_by_name( role_name ) ? true : false&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br&gt;&amp;nbsp; else&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; role = get_role( role_name, authorizable_obj )&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; role ? self.roles.exists?( role.id ) : false&lt;br&gt;&amp;nbsp; end&lt;br&gt;end&lt;br&gt;&lt;br&gt;to:&lt;br&gt;&lt;br&gt;def has_role?( role_name, authorizable_obj = -1 )&lt;br&gt;&amp;nbsp; return false if authorizable_obj.nil?&lt;br&gt;&amp;nbsp; if authorizable_obj == -1&lt;br&gt;# If we ask a general role question, return true if any role is defined.&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; self.roles.find_by_name( role_name ) ? true : false&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;br&gt;&amp;nbsp; else&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; role = get_role( role_name, authorizable_obj )&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; role ? 
self.roles.exists?( role.id ) : false&lt;br&gt;&amp;nbsp; end&lt;br&gt;end&lt;br&gt;&lt;br&gt;&lt;br&gt;In identity.rb change&lt;br&gt;&lt;br&gt;def is_role?( role_name, authorizable_object )&lt;br&gt;&amp;nbsp; if authorizable_object.nil?&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return self.has_role?(role_name)&lt;br&gt;&amp;nbsp; elsif authorizable_object.respond_to?(:accepts_role?)&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return self.has_role?(role_name, authorizable_object)&lt;br&gt;&amp;nbsp; end&lt;br&gt;&amp;nbsp; false&lt;br&gt;end&lt;br&gt;&lt;br&gt;to:&lt;br&gt;&lt;br&gt;def is_role?( role_name, authorizable_object )&lt;br&gt;&amp;nbsp; if authorizable_object.nil?&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return self.has_role?(role_name,nil)&lt;br&gt;&amp;nbsp; elsif authorizable_object == -1&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return self.has_role?(role_name)&lt;br&gt;&amp;nbsp; elsif authorizable_object.respond_to?(:accepts_role?)&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return self.has_role?(role_name, authorizable_object)&lt;br&gt;&amp;nbsp; end&lt;br&gt;&amp;nbsp; false&lt;br&gt;end&lt;br&gt;&lt;br&gt;&lt;br&gt;And in 'method_missing' the initialisation of authorizable_obj needs to be changed from&lt;br&gt;&lt;br&gt;def method_missing( method_sym, *args )&lt;br&gt;&amp;nbsp; method_name = method_sym.to_s&lt;br&gt;&amp;nbsp; authorizable_object = args.empty? ? nil : args[0]&lt;br&gt;&amp;nbsp; ...&lt;br&gt;&amp;nbsp; ...&lt;br&gt;&lt;br&gt;to&lt;br&gt;&lt;br&gt;def method_missing( method_sym, *args )&lt;br&gt;&amp;nbsp; method_name = method_sym.to_s&lt;br&gt;&amp;nbsp; authorizable_object = args.empty? ? -1 : args[0]&lt;br&gt;&amp;nbsp; ...&lt;br&gt;&amp;nbsp; ...&lt;br&gt;&lt;br&gt;In
case it is not obvious, I use -1 to show has_role? that there was no parameter supplied, as it seems more likely that the parameter is nil by accident. I sent my suggestions to writertopia and expect to hear from them in a few days. &lt;/p&gt;&lt;p&gt;If you have any comments or spotted an error or unwanted side effect, please use the comment system.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Fail save</guid>
    </item>
    <item>
      <title>Test driven development is your friend</title>
      <link>http://beastiebytes.com/blog/Test driven development is your friend</link>
      <description>&lt;p&gt;&lt;img src="http://beastiebytes.com/files/treeandsea.jpg" height="267" alt="tree in front of sea" width="400"&gt;&lt;/p&gt;Since I started programming in ruby, I have tried to force myself to do test driven development. The pain of writing the test first and the actual code later prevents me from over-engineering and makes me focus better on the actual problem I want to solve.&lt;br&gt;&lt;br&gt;Knowing about the great benefits of test driven development, I completely ignored them when I needed file upload functionality in my new bewiso interface based on ruby on rails. The first test I wrote did not work, and after I found out that there was an unpatched bug related to testing file uploads, I removed my test and forgot about the issue.&lt;br&gt;&lt;br&gt;This turned out to be a big mistake. One month later, I manually tested my file upload to check if my layout would look nice with an embedded picture. The upload failed and ruby complained with this error message:&lt;br&gt;&lt;br&gt;&amp;nbsp;undefined method `original_filename' for "#&amp;lt;File:0xb71f0cb8&amp;gt;":String&lt;br&gt;&lt;br&gt;After a bit of reading I found out that the uploaded file is supposed to be available as a 'File' object, or as a 'StringIO' object if the file is bigger than xy.&lt;br&gt;The String object was not expected. As I had done a rails update some days ago and had a new version of actionpack in use, I started looking into lib/action_controller/cgi_ext/cgi_methods.rb and lib/action_controller/cgi_process.rb but could not find any obvious problems. After reading the changelog of actionpack and getting more and more frustrated, I found the line that caused all my trouble by accident:&lt;br&gt;&lt;br&gt;before_filter :validate_utf_params&lt;br&gt;&lt;br&gt;inside my application controller. This calls a method that goes through my params and makes sure that there are no weird UTF-8 characters inside the data. It crashed my params object as I did not expect to find something other than a string.&lt;br&gt;&lt;br&gt;Lesson learned: write tests even for obvious stuff. If I had followed my own procedures with care I would have found this problem immediately after I checked in the utf8 stuff.</description>
      <guid>http://beastiebytes.com/blog/Test driven development is your friend</guid>
    </item>
    <item>
      <title>Html2Pdf with OpenOffice</title>
      <link>http://beastiebytes.com/blog/Html2Pdf with OpenOffice</link>
      <description>&lt;p&gt;There is an easy way to make use of the OpenOffice features via the command line.&lt;/p&gt;&lt;p&gt;Recently I was in need of a robust and fast way to convert html files to pdf. &lt;br&gt;The main requirements were the ability to run under win32 and linux systems, rendering of embedded images and usage of css.&lt;br&gt;First I used html2pdf from www.tufat.com [http://www.tufat.com/s_html2ps_html2pdf.htm], but ran into problems as the process used too much memory and processing power, caused by the many tables inside the html. &lt;br&gt;&lt;br&gt;Here is how to do it with OpenOffice:&lt;br&gt;&lt;br&gt;1. Start OpenOffice&lt;br&gt;2. Go to: 'Tools' -&amp;gt; 'Macros' -&amp;gt; 'Organize Dialogs..'&lt;br&gt;3. Create a new library called 'Converter' by selecting the 'Library' tab, pressing 'New' and entering the name ('Converter').&lt;br&gt;4. Select the 'Modules' tab. There you can find your new library under the 'My Macros' menu item. Select it and press 'New' to create a new module. Call it 'Convert'.&lt;br&gt;5. If you are on the right track, an editor window should be open now. If there is any default text inside, delete it.&lt;br&gt;6. Now enter the following code into the editor and press the save button when you are done.&lt;br&gt;&lt;br&gt;Sub HtmlToPDF( cFile )&lt;br&gt;&amp;nbsp;&amp;nbsp; cURL = ConvertToURL( cFile )&lt;br&gt;&amp;nbsp;&amp;nbsp; oDoc = StarDesktop.loadComponentFromURL( cURL, "_blank", 0, DimArray() )&lt;br&gt;&amp;nbsp;&amp;nbsp; ' The output name is the input name with ".pdf" appended (test.html becomes test.html.pdf)&lt;br&gt;&amp;nbsp;&amp;nbsp; cFile = cFile + ".pdf"&lt;br&gt;&amp;nbsp;&amp;nbsp; cURL = ConvertToURL( cFile )&lt;br&gt;&amp;nbsp;&amp;nbsp; oDoc.storeToURL( cURL, Array(_&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; MakePropertyValue( "FilterName", "writer_pdf_Export" ),_&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; )&lt;br&gt;&amp;nbsp;&amp;nbsp; oDoc.close( True )&lt;br&gt;End Sub&lt;br&gt;&lt;br&gt;&lt;br&gt;Function MakePropertyValue( Optional cName As String, Optional uValue ) As com.sun.star.beans.PropertyValue&lt;br&gt;&amp;nbsp;&amp;nbsp; Dim oPropertyValue As New com.sun.star.beans.PropertyValue&lt;br&gt;&amp;nbsp;&amp;nbsp; If Not IsMissing( cName ) Then&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; oPropertyValue.Name = cName&lt;br&gt;&amp;nbsp;&amp;nbsp; EndIf&lt;br&gt;&amp;nbsp;&amp;nbsp; If Not IsMissing( uValue ) Then&lt;br&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; oPropertyValue.Value = uValue&lt;br&gt;&amp;nbsp;&amp;nbsp; EndIf&lt;br&gt;&amp;nbsp;&amp;nbsp; MakePropertyValue() = oPropertyValue&lt;br&gt;End Function&lt;br&gt;&lt;br&gt;7. Ok. Close OpenOffice now. You are nearly done.&lt;br&gt;8. Download an example webpage. Let's call it 'test.html'.&lt;br&gt;9. Test your macro by executing the following on your command prompt:&lt;br&gt;$ oowriter -invisible "macro:///Converter.Convert.HtmlToPDF(file:///tmp/test.html)"&lt;br&gt;10. Be happy with your new pdf at /tmp/test.html.pdf&lt;br&gt;&lt;br&gt;If you run into problems, have questions or know a better or easier way, please use the comment system. &lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Html2Pdf with OpenOffice</guid>
    </item>
    <item>
      <title>Security consulting</title>
      <link>http://beastiebytes.com/blog/Security consulting</link>
      <description>A secure IT infrastructure is crucial for the core business of most modern companies. The benefits of the internet have the side effect of exposing you to various threats like viruses, worms or targeted attacks. I can offer you security consulting with a strong focus on web applications and general information security.&lt;br&gt;&lt;br&gt;I have found security problems in many different software products like web applications, kernel modules or normal consumer software like ebook readers or video players. While working for an ISP, I had a chance to see how many companies have malicious software in their network although they had firewalls and antivirus products installed. Sometimes only a few steps are necessary to avoid being low-hanging fruit for attackers.&lt;br&gt;&lt;br&gt;If you need a security geek to check your new software or need a second opinion about your network, please &lt;a href="http://beastiebytes.com/blog/Contact+data"&gt;contact me&lt;/a&gt;. In case I do not feel qualified for the specific task I can help you find the right people to fulfill your needs.&lt;br&gt;&lt;br&gt;</description>
      <guid>http://beastiebytes.com/blog/Security consulting</guid>
    </item>
    <item>
      <title>Application development</title>
      <link>http://beastiebytes.com/blog/Application development</link>
      <description>&lt;p&gt;Content management systems, community software, ISP management solutions, time tracking...&lt;/p&gt;&lt;p&gt;Since I started programming on my dad's Commodore 64, I have come in contact with many programming languages, concepts and frameworks.&lt;/p&gt;&lt;p&gt;Although a major part of my work has been in the area of web development (perl, php, ruby and java), I also have experience in writing software like database filesystems in c, smart card programming or j2me for mobile devices.&amp;nbsp;&lt;/p&gt;&lt;p&gt;If you have an interesting project and need help, please &lt;a href="http://beastiebytes.com/blog/Contact+data"&gt;contact me&lt;/a&gt;. &lt;br&gt;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Application development</guid>
    </item>
    <item>
      <title>Services</title>
      <link>http://beastiebytes.com/blog/Services</link>
      <description>&lt;br&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://beastiebytes.com/blog/Application+development"&gt;Application development&lt;/a&gt;&amp;nbsp;&lt;/li&gt;&lt;p&gt;From web message boards to highly complex isp management suites.&lt;/p&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;&lt;a href="http://beastiebytes.com/blog/Security+consulting"&gt;Security consulting&lt;/a&gt; with focus on web applications &lt;/li&gt;&lt;p&gt;Is
your webserver running insecure code? Is your webcoder able to explain
cross site request forgeries to you? Let me check your software. &lt;/p&gt;&lt;/ul&gt; &lt;ul&gt;&lt;li&gt;Seminars and teaching&amp;nbsp;&lt;/li&gt;&lt;p&gt;See your network through the eyes of an attacker or let us train your staff about the security problems surrounding them. &lt;/p&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Support for open source software&lt;/li&gt;&lt;p&gt;Get your servers up to date and minimize updating intervals. &lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;/ul&gt;</description>
      <guid>http://beastiebytes.com/blog/Services</guid>
    </item>
    <item>
      <title>Contact data</title>
      <link>http://beastiebytes.com/blog/Contact data</link>
      <description>&lt;p&gt;If you prefer typing, try web2007@beastiebytes.com or contact my jabber account sven57@jabber.ccc.de&lt;/p&gt;&lt;p&gt;Get me on my cell phone by calling +49 177 7824828&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;Sven Tantau&lt;/p&gt;&lt;p&gt;Drostestrasse 3&lt;/p&gt;&lt;p&gt;53819 Neunkirchen&lt;/p&gt;&lt;p&gt;USt-Id-Nr.: DE203610693&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Contact data</guid>
    </item>
    <item>
      <title>Welcome</title>
      <link>http://beastiebytes.com/blog/Welcome</link>
      <description>&lt;p&gt;Welcome to beastiebytes.com&lt;/p&gt;&lt;p&gt;My name is Sven Tantau and my websites are about:&lt;br&gt; &lt;/p&gt;&lt;ul&gt;&lt;li&gt;writing and breaking software&lt;/li&gt;&lt;li&gt;digital and analog security&lt;/li&gt;&lt;li&gt;linux and open source software&lt;br&gt;&lt;/li&gt;&lt;li&gt;digital self defense in the modern world&amp;nbsp;&lt;/li&gt;&lt;li&gt;some personal issues &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;If you need a freelance developer with a focus on web applications and security, please &lt;a href="http://beastiebytes.com/blog/Contact+data"&gt;contact me&lt;/a&gt; via email.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description>
      <guid>http://beastiebytes.com/blog/Welcome</guid>
    </item>
  </channel>
</rss>
