Does anyone know of a decent program that allows you to whitelist which executables may be loaded (even better would be executables, dlls, and assemblies but that would be a bit of a headache to manage)? Conceptually it shouldn’t be that hard to write – just poll the running processes and kill any not in the list as soon as you see them but I don’t really want to take the time to create a whitelist of all of the OS components and services myself (compiling a list of applications I execute is work enough). It seems like a whitelist of executables is way easier to maintain, way less invasive, and potentially much more effective than the signature based virus scanners.
~ Joshbw
How do you make a web browser, already one of the most common attack vectors against a client, even less secure? I know, add a web server and have it serve up the whole damn client file system! What a great idea!
Is Opera insane? What does the Threat Model look like for this thing? Opera, you do know what threat models look like don’t you? You use them right?
~ Joshbw
It turns out that Green Dam, the censorware that China wants installed on all machines sold within its borders, is crap. The security researchers who wrote the article in that link found many major vulnerabilities within twelve hours of examining the software. First, it has buffer overflows, which can be exploited just by getting a user to go to a site with a long URL. It captures the URL from the browser and compares it to a black list – the buffer it holds a URL in is apparently fixed length, and less than the maximum length of a URL. Good to know that the developers apparently haven’t learned anything from a decade of widespread C++ exploitation. Also, its update mechanism allows arbitrary code execution by design.
The sad thing is that the software itself is pointless. Client software, on a client machine, can be defeated easily by the client. In fact, it has an uninstaller that appears to actually work, so the user doesn’t have to jump through the hoops that most malware would make them. On top of that, if it uses black lists to restrict the habits of would-be surfers then its effectiveness is limited. In essence what China has done is mandate that a large number of their users expose their computers to exploitation while not seriously impeding those that want to view objectionable content. All this is going to get them is the ill will of their own citizens.
~ Joshbw
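The fixed-length URL buffer described in the post above, handled defensively, as an added example that is not from the original post and is not Green Dam's code: the buffer size, blocklist entries and function names are all assumptions made up for illustration. The copy is length-checked and an over-long URL is reported as its own outcome instead of being copied or silently truncated.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 64  /* constructed size, deliberately shorter than real URLs */

enum verdict { URL_ALLOWED = 0, URL_BLOCKED = 1, URL_TOO_LONG = 2 };

/* Hypothetical blocklist; entries are constructed for this example. */
static const char *const BLOCKLIST[] = { "blocked.example", "bad.example" };

/* Copy src into dst only if it fits including its terminator.
 * The unsafe pattern would be strcpy(dst, src), which keeps writing
 * past dst when the URL is longer than the buffer. */
static int copy_url(char *dst, size_t dst_size, const char *src)
{
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                       /* does not fit: refuse, no truncation */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Classify a URL handed over by the browser. */
enum verdict check_url(const char *url)
{
    char buf[URL_BUF];

    if (copy_url(buf, sizeof buf, url) != 0)
        return URL_TOO_LONG;             /* caller applies its own policy */
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++)
        if (strstr(buf, BLOCKLIST[i]) != NULL)
            return URL_BLOCKED;
    return URL_ALLOWED;
}

int main(void)
{
    char long_url[4096];                 /* constructed over-long input */
    memset(long_url, 'a', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';

    printf("%d\n", check_url("http://ok.example/index.html"));
    printf("%d\n", check_url("http://blocked.example/page"));
    printf("%d\n", check_url(long_url));
    return 0;
}
```

Truncating instead of refusing would avoid the overflow but would compare only a prefix of the URL against the list, so the too-long case is kept as a separate result.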
So here is a hypothetical -
Say a small real-estate agency is using a simple PostNuke website (which is out of date) to gather rental applications – applications with all of the information necessary to both verify (and apply for) credit as well as history of past residences. In other words, say they were collecting all of the information necessary to completely ruin someone’s life should the information be disclosed, to tie the would-be applicant up in years of financial pain and legal hardship as they try to clear the ID theft from their record.
Now say that the version of PostNuke was woefully out of date and moreover nothing was over SSL.
Hypothetically a security-minded person sees this and tries to fire off an email, but gets no response. Then calls the agency up and tries to explain in person how UTTERLY HORRIBLE this practice is, but it is filled with luddites that have no place running a website that collects this information and they just don’t get it (either the technical ramifications no matter how simply they are explained, or the ramifications to the applicants). Those fancy sort of attacks only happen in the movies after all. At that point, how does the would-be Samaritan lawfully get the problem addressed, as the agency is an active security risk to every person who has ever provided information to it?
On the larger topic, man is our society screwed. A person can completely have their credit destroyed (and thus many years of their life since living in the US without credit has some major implications – no car or house loan for you. No credit card, which you need if you ever want to rent a car, etc) because some podunk mom and pop website decided they needed a credit application and had no idea how to securely handle the data they collect. We seriously need a better mechanism for asserting our identity than a bunch of easily disclosed historical data but there seems to be absolutely no pressure to move to that (probably because the big 3 credit bureaus are terrified of losing some of their power).
~ Joshbw