Archive for February, 2008

A Quick Little Utility

Thursday, February 28th, 2008

Real updates are coming soon, I promise.  It has been a busy week but I have a couple of draft posts floating around.  In the meantime here is a quick little batch file I threw together years ago (so please excuse the horrible syntax) that might come in handy: up.cmd

Essentially it is a quick way of traversing up a directory structure on the command line in Windows, so you don’t have to keep typing "cd ..\..\..\..\".  Just drop it in your path somewhere (after verifying that this isn’t my clever attempt to get you to install a trojan) and you are good to go.

It has two modes of use.  In the first mode you provide one parameter: the number of directories to go up.  For example, "up 3" goes up 3 directories.

C:\Windows\System32\drivers\etc>
C:\Windows\System32\drivers\etc>up 3
C:\Windows>

In the second mode you provide no parameters; you just type "up".  It will then present the curious UI option "[S,U]?", which is prompting you to Stop or go Up.  If you press "u" it will go up one directory and prompt again.  When you want to stop you hit "s".  This mode is really useful when you are deep within a source archive and want to back your way up to some parent directory, but don’t want to count how many directories you need to go up.

C:\Windows\System32\drivers\etc>up
C:\Windows\System32\drivers\etc [S,U]?U
C:\Windows\System32\drivers [S,U]?U
C:\Windows\System32 [S,U]?U
C:\Windows [S,U]?S

C:\Windows>
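Since the batch file itself is only linked, not shown, here is the same two-mode behaviour as a PowerShell function. This is an added example, not the author's up.cmd; the function name and messages are my own choices, and it assumes it is loaded into your session (from your $PROFILE or by dot-sourcing) so that Set-Location changes the directory of the shell you typed it in.

```powershell
# Added example, not the author's up.cmd: the same two modes as a PowerShell function.
# Load it in your $PROFILE (or dot-source the file) so Set-Location affects your session.
#   up 3   -> go up three directories
#   up     -> interactive; U goes up one level and re-prompts, S stops
function up {
    param(
        # Number of directories to go up; 0 (the default) selects interactive mode.
        [int]$Levels = 0
    )

    # Returns the parent of $Path, or $null when $Path is already a root (e.g. C:\).
    function Get-ParentOrNull([string]$Path) {
        $parent = Split-Path -Path $Path -Parent
        if ([string]::IsNullOrEmpty($parent)) { return $null }
        return $parent
    }

    if ($Levels -lt 0) { throw 'Levels must be zero or positive.' }

    if ($Levels -gt 0) {
        # Numeric mode: walk up $Levels parents, stopping early if the drive root is reached.
        $target = (Get-Location).Path
        for ($i = 0; $i -lt $Levels; $i++) {
            $parent = Get-ParentOrNull $target
            if ($null -eq $parent) { break }
            $target = $parent
        }
        Set-Location -Path $target
        return
    }

    # Interactive mode: mirror the batch file's "[S,U]?" prompt after every step.
    while ($true) {
        $answer = Read-Host -Prompt "$((Get-Location).Path) [S,U]"
        switch ($answer.Trim().ToUpperInvariant()) {
            'U' {
                $parent = Get-ParentOrNull (Get-Location).Path
                if ($null -eq $parent) { Write-Host 'Already at the root.'; return }
                Set-Location -Path $parent
            }
            'S' { return }
            default { Write-Host 'Press U to go up one directory or S to stop.' }
        }
    }
}
```

Unlike a batch file sitting in your path, a PowerShell function only changes the caller's directory when it runs in the caller's session, which is why it belongs in the profile rather than in a script you invoke; the root check is there because Split-Path returns an empty string once there is no parent left, and that would otherwise be passed to Set-Location.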

Hey, lay off me.  I wrote this almost a decade ago for myself, and usability for the masses wasn’t really my intent (nor was robust, maintainable code; I’m not really sure what the heck I was trying to do when I look at the batch file, which is why comments are a good thing, kids).  I just figured I would share this with all of you as you might find it useful.  Also, I keep forgetting to put it on my work machine and they prevent me from reaching my SkyDrive account (where I have a backup) while at work, so now I have a convenient place to download it.

I’ll also post a couple of entries of more substance in the near future (probably this weekend) and possibly a couple of PowerShell scripts I am working on, once I finish them and make them presentable (since I don’t have the excuse of being young and lazy like I do with up.cmd).  I’ve decided PowerShell is amazingly cool, but it also takes quite a bit of getting used to, being very different from any command line shell I have used.  Anyway, I have a slightly buggy netcat clone that I am writing in shell script as well as a couple of other little utilities that I will put out where other people can tinker.

~Joshbw

The Myth of Many Eyes

Thursday, February 21st, 2008

One of the phrases I hear fairly often from the open source community is that “Many eyes make better code”, and it confounds me that people actually believe that the quality of code, and thus the quality of the application, is simply a function of how many people view the source code.  Before I give the impression that this is a screed against the concept of open source software, allow me to assert that I don’t have an ideological preference one way or the other towards open source, though I find zealotry of any form to be tiring and frustrating.  For finished apps it’s great that the application is free, I like free, but it really delivers no value to me that I can change the source code, because frankly I am not going to want to modify the source for my word processor (is that term still in use today, or is it an anachronism from the 80s?).  For code that I consume in conjunction with my own code, say a .Net library or a PHP application that I want to use on my website, there is value to me in being able to freely alter the code as well, but only if I don’t have to worry about any restrictive licensing (BSD style license = good, GPL = pain in the ass if used for anything related to work).

That said, I find some of the common open source sentiments silly, the “Many eyes” argument one of the silliest.  Essentially what the “Many eyes” argument suggests is that quite a few more people are doing code reviews than you would have in a closed source application, which for the most part is probably true.  There are two counterarguments that I haven’t seen addressed.  The first is that having many eyes look at source code doesn’t mean a thing by itself, if you don’t qualify the experience and expertise of the many eyes, nor does it mean anything if the analysis isn’t systematic.  Five really sharp closed source developers will be more effective reviewing code than one hundred amateur open source developers.  They are more likely to be scrutinizing the trouble areas, and they are more likely to spot issues in those areas.

Code reviewing is an art.  A reviewer is looking at things line by line, but has to retain knowledge of all the code that impacts a particular line of code.  It’s easy to spot use of a banned API, potential overflow conditions, bad arithmetic or logic formation, etc., but in most cases static code analysis tools are faster and better at spotting those sorts of things.  Where a human has an edge over the tools is seeing larger code pattern flaws, questionable but legal use of certain APIs, missing validation, and code traversal issues, but as a qualifier, the humans that are good at spotting those problems are a rare breed.  They can focus on many things at once, recall pertinent details from code many pages before, and instinctively spot worrisome code.  It isn’t clear to me that an open source project attracts any more of these experts than the equivalent closed source project, at least on average.  So I believe that open source can summon more eyes for code review, but I haven’t seen evidence that those many eyes were actually thoroughly scrutinizing the risky areas of most OSS applications, nor have I been convinced that most OSS applications have attracted more skilled eyes.

That point is pretty irrelevant next to my second counterargument: code review is not the key to robust applications but rather just one component.  The key to robust applications is project organization.  Regardless of whether a project is closed or open source, to be secure, stable and robust, the entire development process needs to be structured and thorough.  During design time features need to be decided upon, experts in given areas (UI, database design, network design) need to spec out their areas, developers need to create development specs that reflect the design specs, and then security reviews need to be done on the design.  Also during design time, coding guidelines need to be established and key project, development, and test managers need to be named (even if it is open source, you need specific go-to people to oversee things).  During development, code needs to be reviewed to ensure the coding guidelines are being followed and that the implementation reflects the design; if it doesn’t (for a good reason), the design documents need to be updated.  Testing needs to start as features are initially implemented, not once “code complete” is declared.  Testers need to be systematic and need to act as a further sanity check that the implementation matches the intended design.  They also need clear areas of test assigned to them to ensure even coverage and no unnecessarily redundant effort at the expense of untested code.  Through each phase, design, development, and test, there need to be security checks.  If the first security work is done when the first beta is produced, the application is going to be full of vulnerabilities.

A thorough, organized development effort is what makes good code.  Some open source projects have this, for example the Linux kernel, the Apache web server, and arguably the Mozilla/Firefox teams now, though in this latter case it is very clear this wasn’t always so.  Most people forget that when Mozilla 1.0 finally shipped, despite being several years behind schedule, it was an utter failure, so much so that the Phoenix (then Firebird, then Firefox) team forked the project just to try and make something that didn’t suck.

A great many open source projects do not get this; they don’t get that they need to be as organized and managed as any closed source project.  It’s obvious that coding standards either didn’t exist, were incredibly loose, or just weren’t enforced on many open source projects.  For example, just download any PHP application; phpBB, WordPress, phpNuke, etc. all have very unprofessional code.  There are very few comments, if any, in the code, extensive use of nested arithmetic in function calls, little data validation and error checking, use of ternary operators for complex assignments (they are meant for simple assignments), etc.  I can only imagine that if coding standards weren’t followed, the rest of the development process similarly lacked the hallmarks of a well run project.

There are many closed source applications that similarly lack this organization.  Many small companies aren’t organized a whole lot differently than small open source projects.  Developers hate the bureaucratic pain in the ass steps that a rigidly run project makes them perform.  At small companies it is common for the devs to just not follow those steps, because no one is there to force them to.  I commonly hear “Why do I have to write a document describing what my code is going to do when I could just write the code and show you” concerning developer specs.  They don’t realize or care that it is a lot easier to read an English description of something and figure out how it works than it is to look at the code, even for the most competent coders.  It’s also a lot quicker to write and correct an English (or chosen spoken language) outline than to implement everything and make changes after the fact.

Even very large companies aren’t guaranteed to run projects well.  I think it is pretty clear from their patch record and response that both Adobe and Apple haven’t embraced the comprehensive reform of their entire development practices which is necessary to produce secure code (or really, quality code at all).  Vista would have been released much earlier if the project hadn’t been horribly managed for the first three years, though I think it is a testament to Brian Valentine that he managed to undo all the damage Jim Allchin (whom, incidentally, I believe to be undead) did to the project and release a reasonably sound and secure solution.  MS should lament losing him to Amazon.

If you ask me what makes secure, robust software, it isn’t many eyes or many people working on a project.  It isn’t a function of how many people are on the project at all.  It comes from the commitment of those who manage a project or company.  If the executives of a company are absolutely committed to the security and quality of their company’s products, as is the case with the SDL at Microsoft, then the company will produce secure, quality software.  If the executives waver at all, it will cascade through the whole company.  Likewise, on open source projects, the ultimate quality of the project comes down to who is running the project, how much power and say they have, and whether they have an equal commitment.  Open or closed source, if you are working on software the way you influence security and quality is to influence those in charge to be committed to such goals.

Visio, not just for flowcharts

Wednesday, February 20th, 2008

I don’t have reason to use Visio very often, pretty much restricting it to creating a flowchart to dump into Word or PowerPoint or when creating models during Threat Modeling.  I use it on average maybe once every two months or so; obviously I am not a Visio expert by any means but I suspect most people in a similar position to me are much the same way.

Thus it came as a bit of a surprise when I found out it can create maps of websites almost painlessly.  Selecting “New->Web Diagram->Web Site Map” will allow you to enter a web address and send Visio out to spider the targeted website starting at that location.  Depending on the complexity of the website this can take thirty seconds to several minutes, but once Visio is done spidering the website it will create a purdy little diagram showing all of the interrelationships between web resources.  In addition to the normal pages served up it also spits out the various included resources, such as .js and .css files, that the website utilizes (this is configurable).

The creation of the map isn’t flawless; it doesn’t accept credentials for form authentication but if the site is foolishly only protected by HTTP authentication it will accept credentials for that.  Visio doesn’t try to brute force or even intelligently guess the presence of files or folders but rather just follows references in the pages served up. AJAX confuses the spider somewhat.  Dynamically created URLs (like Wiki produces) can confuse it. 

There are certainly more thorough tools for crawling websites to create a profile of them, but regardless Visio has its strengths.  It is very effective at verifying that the presentation layer isn’t exposing access to protected resources.  It is quick and simple to use.  Most usefully though, it creates a better visual map of a website than pretty much any other tool I have played with, and this is greatly valuable to me.  Just glancing at the Visio output gives me a quick picture of the relationships between unprotected resources on the website and reaffirms the path of navigation through the site.  I think the hierarchical display is most useful to designers of websites for reaffirming relationships between resources, but for me as a penetration tester it gives me a very early and easy to generate view of the website, and provides me with a quick list of early targets to try and compromise.  It is by no means the only scanner I will run on a website when doing anything more than a cursory glance, its flaws are pretty big and it is far from thorough, but for a quick 1000-foot view of a site’s publicly discoverable pages in a couple of minutes it is a good tool.
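To make the strengths and the limits above concrete, here is a minimal reference-following spider of the kind the Web Site Map feature runs. It is an added example, not Visio's code and not anything from the post; it serves "pages" from a constructed in-memory table rather than the network so it runs offline, and the host name, paths and page contents are all made up for the illustration. The point it demonstrates is the one in the text: a spider like this only finds what some page it already fetched references, so an admin area linked from the public home page shows up in the map, while a page nobody links to, or one whose URL is assembled in JavaScript, never does.

```powershell
# Added example, not the post's tool: a minimal reference-following spider like Visio's
# Web Site Map. It only discovers resources that an already-fetched page references, never
# guesses paths, and never leaves the starting host. Pages come from a constructed table.
$BaseUrl = 'http://www.example.test'   # assumed host, for illustration only

$Pages = @{
    '/'                = '<a href="/about.html">About</a> <a href="/admin/">Admin</a> <script src="/app.js"></script> <link rel="stylesheet" href="/site.css">'
    '/about.html'      = '<a href="/">Home</a> <img src="logo.png"> <a href="http://www.example.test/contact.html">Contact</a>'
    '/contact.html'    = '<a href="/">Home</a> <a href="http://other.example.test/">Partner</a>'
    '/admin/'          = '<a href="users.php">Users</a>'
    '/admin/users.php' = '<a href="/admin/">Back</a>'
    '/app.js'          = 'var u = "/reports" + ".php"; fetch(u);'   # URL built in JavaScript
    '/site.css'        = 'body { color: #000; }'
    '/logo.png'        = '<binary>'
    '/reports.php'     = '<a href="/">Home</a>'                      # only reachable via app.js
    '/orphan.html'     = '<a href="/">Home</a>'                      # nothing links here
}

# Turn a reference found on $FromPath into a root-relative path, or $null if it points
# off-host or uses a scheme we do not follow (mailto:, javascript:, ...).
function Resolve-Reference {
    param([string]$FromPath, [string]$Reference)
    if ($Reference -match '^[a-zA-Z][a-zA-Z0-9+.-]*:') {
        if ($Reference -eq $BaseUrl) { return '/' }
        if (-not $Reference.StartsWith("$BaseUrl/")) { return $null }
        return $Reference.Substring($BaseUrl.Length)
    }
    if ($Reference.StartsWith('/')) { return $Reference }
    # Relative reference: resolve against the directory of the referring page.
    $dir = $FromPath.Substring(0, $FromPath.LastIndexOf('/') + 1)
    return $dir + $Reference
}

# Breadth-first crawl from $Start. Returns a hashtable: path -> same-host paths it references.
# References are pulled out of whatever the "server" returned with a simple href/src regex,
# so anything assembled at runtime in JavaScript is invisible, as it is to Visio.
function Get-SiteMap {
    param([string]$Start = '/')
    $map = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($Start)
    while ($queue.Count -gt 0) {
        $path = $queue.Dequeue()
        if ($map.ContainsKey($path)) { continue }     # already fetched; avoids cycles
        $children = @()
        $body = $Pages[$path]                         # $null for a path the site does not serve
        if ($null -ne $body) {
            foreach ($m in [regex]::Matches($body, '(?:href|src)\s*=\s*["'']([^"'']+)["'']')) {
                $child = Resolve-Reference -FromPath $path -Reference $m.Groups[1].Value
                if ($null -ne $child) {
                    $children += $child
                    $queue.Enqueue($child)
                }
            }
        }
        $map[$path] = $children
    }
    return $map
}

# Print the map as an indented tree, expanding each path only the first time it is seen.
function Show-SiteMap {
    param([hashtable]$Map, [string]$Path = '/', [int]$Depth = 0,
          [System.Collections.Generic.HashSet[string]]$Seen)
    if ($null -eq $Seen) { $Seen = New-Object 'System.Collections.Generic.HashSet[string]' }
    $first = $Seen.Add($Path)
    Write-Output (('  ' * $Depth) + $Path + $(if ($first) { '' } else { ' (already shown)' }))
    if (-not $first) { return }
    foreach ($child in $Map[$Path]) {
        Show-SiteMap -Map $Map -Path $child -Depth ($Depth + 1) -Seen $Seen
    }
}

$map = Get-SiteMap -Start '/'
Show-SiteMap -Map $map

# The check the post describes: which served paths did link-following never reach?
Write-Output '--- served but not discovered by following references ---'
$Pages.Keys | Where-Object { -not $map.ContainsKey($_) } | Sort-Object
```

Running it, the tree shows /admin/ and /admin/users.php hanging off the home page, which is exactly the "presentation layer exposing protected resources" condition you want to catch, and it lists /logo.png, /app.js and /site.css as included resources the way Visio does. The final list contains only /orphan.html and /reports.php: the first because nothing references it, the second because its URL only exists after the JavaScript in app.js runs. A crawler that does not execute scripts, whether Visio or this one, cannot see either, which is why the post's caveat about AJAX and dynamically built URLs matters and why a brute-force or wordlist-based scanner is still needed for anything beyond a first look.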

I wonder what else Visio can do that I don’t know about.

~Joshbw

The Blog is Live, sort of

Tuesday, February 19th, 2008

It looks like everything is up and running now, more or less.  I am still tweaking the theme a bit and working on some lingering browser compatibility issues.  I’m kicking myself for starting by modifying an existing theme rather than just beginning entirely from scratch, as at least a couple of issues were the result of style issues I missed when editing the original theme.  I’ve decided that I really don’t like the fact that I can’t override user defined functions in PHP as that would have made things much easier.  Now I have to compulsively look at the change lists during each update to see if I have to merge changes, which is a pain in the butt.

So obviously I have decided to roll my own blog rather than use a blogging host such as Blogger or Spaces.  I saw benefits going both routes.  With a blog host security becomes their problem rather than mine, and considering the frequent patches pushed out for all of the existing blogging software (WordPress, Movable Type, etc.) this is a major consideration.  Hopefully I have locked things down enough that even if a zero day that grants admin functionality is released, other preventative measures will still protect the admin controls (that whole defense in depth concept).  Granted, that will be little consolation when some new XSS is found in the blogging software and a billion comment spam bots post attack messages with just commenter permissions.  The other major benefit of a blog host comes from the fact that while they may have millions of users of their software they have very few users on the actual physical machines.  With my cheapo shared-server LAMP host I can’t say the same for this site, as dozens of other random net users have shell accounts on the box and are hosting their questionable code.  I like Dreamhost, as they tend to offer pretty good service with gobs of storage and bandwidth at very cutthroat prices, plus they have a pyramid scheme where you make money off of people you refer (hence the presence of the "Hosted by Dreamhost" links… just hoping to milk some folk looking for a cheap but relatively good LAMP host), but even if they are great as a shared server host it doesn’t change the fact that they are ultimately a shared server host.  I don’t exactly keep anything I value sitting on their hard drives because of that, so I was a little leery of investing time in a blog hosted on servers I don’t have a great sense of security about.

That said, hosted blogs have several drawbacks.  Many are designed around the idea of a social experience, e.g. MySpace, Facebook, etc., and I think the focus on social components in those cases detracts from them as specifically blogs.  Then you have your dedicated blog hosts that skip much of the social stuff: WordPress.com, Typepad, Blogspot, etc.  In the case of WordPress.com and Typepad it seemed that I would be just as much at the mercy of the respective WordPress and Movable Type flaws as if I hosted my own blog, but without the benefit of being able to take my own measures to lock things down.  Blogspot is such a pit of malware that Google de-lists it regularly, which given the fact that Google freaking owns it isn’t a stellar endorsement.

Finally, with any of the hosted solutions I don’t have much control over things.  The level of customization is limited and usually requires people to jump through hoops (in the case of MySpace it seems that every user must embed some music, make copious use of blink tags and scrolling text, and have an animated background, which I sort of got over in 1994 back when all of those things were all the rage).  When it comes down to it I find it easier just to fire up TextPad and edit the layout directly in the source rather than muck around with some style editor or play with layout templates and modules.  I like that I am the only one that gets a say over whether my site has ads (none at the moment, but when I am a super Internet star that may change), where those ads are, how big they are, etc.  In the end being able to control everything about my site trumped being responsible for its maintenance.  And here I thought it would be nice to leave that sort of thing for when I was doing my real paying job.

So watch out, I have complete control of the layout, free to completely abuse rounded corners and segregated content panels.  I also have my resolution set to 1920×1200 so the site may not be sympathetic to you folks rocking the 1024×768 (come on, guys, my 12" tablet PC has a better resolution than that).  Tweaks are likely to trickle in throughout the month as I decide to add or remove stuff, or finally decide to install Safari in a VM and see how badly the browser mangles it (Apple security is so abysmal these days that I won’t run their stuff on my host OS).

Anyway, any early wayward readers that have stumbled upon the site, feel free to use the comment thread to leave feedback on its design.  I haven’t spent a great deal of time testing its layout. 

~ Joshbw
